Analysis

  • max time kernel
    103s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/03/2025, 06:13

General

  • Target

    89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe

  • Size

    2.1MB

  • MD5

    e5ab3ea88a2bc87c9e5b2dc45d2a4dd4

  • SHA1

    2f58fa70410dedf700982f8c7a63e599c98ecff1

  • SHA256

    89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b

  • SHA512

    d7c7cf4283f9a1d0b5fa0b077fb4e99d9285a8872e55f34c1e0b849d9a85c21148a9bcc8b357766e8d5967b0e2f1f42c45e299d3746a5b8c775658963b20cfb2

  • SSDEEP

    49152:6/PzW6Bg//wzCaq4UfvOGh3m1aQOsemlAT33zNgz1Sjcj4N1:wPzWDwG4U3hmcQO18bz1Sje4N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
    "C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5328
    • C:\Users\Admin\AppData\Local\Temp\312213.exe
      "C:\Users\Admin\AppData\Local\Temp\312213.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3332
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4480
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:624
          • C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe
            "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost/refNet.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5JCVJhOvU.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4700
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:3404
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:5036
                • C:\ebea8a0c5b7ebb8dc5b60da7\upfc.exe
                  "C:\ebea8a0c5b7ebb8dc5b60da7\upfc.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4104
      • C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe
        "C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5856
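
    The process tree above is the kind of input an endpoint detection would see. The following is an added example, not tria.ge's code and not part of this report: it re-encodes the tree as constructed process-creation events and runs four detections over them: the reg.exe write of DisableTaskMgr under HKCU ...\Policies\System; WScript.exe executing a .vbe from a user temp path; a cmd.exe batch that uses "ping -n 10 localhost" as a sleep before launching a dropped EXE (here upfc.exe from C:\ebea8a0c5b7ebb8dc5b60da7); and MSBuild.exe started with an empty command line by a parent in %TEMP%, consistent with the SetThreadContext use flagged on cGlzeWFwb3_crypted_LAB.exe. The parent PID 1000 of the top-level sample is an assumption; the report does not show it.

```python
"""Process-tree detections for the behaviours shown in this DcRat report.

Added example, not tria.ge's code. EVENTS is a constructed re-encoding of
the report's process tree (pid, parent pid, image path, command line);
the parent pid 1000 of the top-level sample is assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def q(path: str) -> str:
    """Quote a path the way the report shows it in command lines."""
    return '"' + path + '"'


TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = TMP + r"\PortComAgentserverHost"
SAMPLE = TMP + r"\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"
CRYPTED = TMP + r"\cGlzeWFwb3_crypted_LAB.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
UPFC = r"C:\ebea8a0c5b7ebb8dc5b60da7\upfc.exe"

EVENTS = [  # constructed from the process tree in this report
    ProcEvent(5328, 1000, SAMPLE, q(SAMPLE)),  # ppid 1000 is an assumption
    ProcEvent(3332, 5328, TMP + r"\312213.exe", q(TMP + r"\312213.exe")),
    ProcEvent(4532, 3332, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "' + DROP + r'\Znb3Kfyp6V6O4bcQ.vbe"'),
    ProcEvent(4480, 4532, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""' + DROP + r'\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat" "'),
    ProcEvent(624, 4480, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
              r" /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(1632, 4480, DROP + r"\refNet.exe", q(DROP + "/refNet.exe")),
    ProcEvent(4700, 1632, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "' + TMP + r'\p5JCVJhOvU.bat"'),
    ProcEvent(3404, 4700, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(5036, 4700, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(4104, 4700, UPFC, q(UPFC)),
    ProcEvent(2984, 5328, CRYPTED, q(CRYPTED)),
    ProcEvent(5856, 2984, MSBUILD, q(MSBUILD)),
]

_SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
_BATCH_NOISE = {"cmd.exe", "conhost.exe", "chcp.com", "ping.exe", "timeout.exe"}
_SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path: str) -> str:
    """Lower-cased file name; tolerates the forward slash seen in refNet.exe's launch."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(_SYSTEM_PREFIXES)


def detect(events):
    """Return (rule, pid) pairs in event order, one per matching process."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        name, cmd = basename(e.image), e.cmdline
        # 1. reg.exe setting the HKCU policy that disables Task Manager
        if name == "reg.exe" and re.search(
                r"(?i)\badd\b.*\\policies\\system\b.*\bdisabletaskmgr\b.*/d\s+1\b", cmd):
            hits.append(("disable_taskmgr", e.pid))
        # 2. script host running a .vbe/.vbs/.js that lives under a user temp path
        if name in _SCRIPT_HOSTS and re.search(
                r'(?i)\\(appdata|temp)\\[^"]*\.(vbe|vbs|js|jse|wsf)\b', cmd):
            hits.append(("temp_script_host", e.pid))
        # 3. cmd.exe batch that pings localhost as a sleep, then launches an EXE
        if name == "cmd.exe":
            kids = children.get(e.pid, [])
            delay = any(basename(k.image) == "ping.exe" and re.search(
                r"(?i)\bping\b.*\b(localhost|127\.0\.0\.1)\b", k.cmdline) for k in kids)
            for k in kids:
                if delay and basename(k.image) not in _BATCH_NOISE:
                    hits.append(("delay_then_exec", k.pid))
        # 4. MSBuild.exe with no arguments, spawned from a user-writable directory
        if name == "msbuild.exe":
            parent = by_pid.get(e.ppid)
            no_args = cmd.strip().strip('"').lower() == e.image.lower()
            if no_args and parent and not in_system_dir(parent.image):
                hits.append(("msbuild_no_args", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<18} pid {pid}")
```

    The same rules port directly to Sysmon event ID 1 or EDR process-creation telemetry. The MSBuild rule keys on the empty command line because a legitimate build passes a project file or switches, whereas a payload injected into a suspended MSBuild.exe has nothing to pass; the batch rule keys on the ping-to-localhost delay rather than on the launched path, since refNet.exe also drops files into Program Files and the Windows directory, where a path-based rule would miss the second stage.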

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\312213.exe

      Filesize

      2.2MB

      MD5

      1213f4fc1eb5dca213df57f1f5034a1b

      SHA1

      e925aaf8a58c25e45a57cd6727e3de68fea1d267

      SHA256

      d587bb2da2148bb0fed00e3d8ce93e5bb8207a77d7acbe735078b2372e737340

      SHA512

      1886cb1fb166f44cc8a6aaa9dc0f07faf7bf9e14e1be908e4cee67c95c04151b3df921d9ac71e70a28c2ba9110117670b41d270000300434d9a84f1561ccc942

    • C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe

      Filesize

      234B

      MD5

      7453933cc2d2d8ad0040f4dcf0cf478b

      SHA1

      25a3fdd6e9194ba888c0ca50eb1494e645cad5b7

      SHA256

      23fc1f6b78cdac4e63ab8fabecea0a0b5016dbc312cf4a5562b1e0991ac64266

      SHA512

      db9c5997203971b7fab2977a753795193f978909a466af2a639104b5f43c0f2386a6c50be3f701aa3ca156345fe2bd5e1fbf71528254237dbd0214d0fb618427

    • C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat

      Filesize

      189B

      MD5

      1d0a67c059050e768d731a6f5f308b53

      SHA1

      4b411281d7255b2512e0b56966f254260b010eb2

      SHA256

      4a8c1eb659ab57354d2255e6071d72f437e1535619b261e922fffb37aec4c145

      SHA512

      97c8f984091fd5a36384e20f00fb9aee5bc22aaf5673a7c0a4c307ecf687a5e6a068ab6b6be0e64be49c0c5679d3da0794fb80a429db5eace8a70389046c9ea5

    • C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe

      Filesize

      1.9MB

      MD5

      d2aaad4ccfc17fda2df263f515095e28

      SHA1

      9bfbdb3d4e5c724a4c45f72b4386cd4a9cacd219

      SHA256

      a85bef4cf91e1dc1940124c6d2576d486be7868d996e01dc981c11b8a0dc1b40

      SHA512

      6544effb5c43d28b0905dbf5bf7596197dd83b8bb1d8ade5fbdc7da85b2de9d6a02ac6f98297a04fdf997dde364c1a4a3c52360f6a495a2b57920c1b05c89b54

    • C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe

      Filesize

      569KB

      MD5

      a46f9a51a1e4926a077ddf9420394364

      SHA1

      2573735414873bb050f5b35a4fa637c005488c06

      SHA256

      b47c8f7c749732fc1d5c49f2f0dc830fc47fd19ddb10a8dea9717535e0d630ee

      SHA512

      e97ff39ffa2abb743dbaf739daae99535b18a5958acf5ed0e1338d25ebf131bb8fd6cd4c6801ebfec08bfb83a6412e526eee16d238879a41649d1556bd81543f

    • C:\Users\Admin\AppData\Local\Temp\p5JCVJhOvU.bat

      Filesize

      164B

      MD5

      e99ee3fbbecde4ebe29380080c1bfd5a

      SHA1

      4899310717529454ef1ae6b33a2ac7a4e46b435d

      SHA256

      cfbe2c313835016f9b65c0e2cdce7a5d779ab4c4f2002f093865670675088c2c

      SHA512

      8e2c8c833b20d57632ef122abc2e73d557bed9fd790ef7a79320952602eaef5344e979b2d5de45ab790e889eb3c4217881101e137e64d75e3fa70c430bfe1b43

    • memory/1632-42-0x00000000024D0000-0x0000000002520000-memory.dmp

      Filesize

      320KB

    • memory/1632-44-0x0000000002480000-0x0000000002498000-memory.dmp

      Filesize

      96KB

    • memory/1632-48-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

      Filesize

      48KB

    • memory/1632-46-0x0000000000C90000-0x0000000000C9E000-memory.dmp

      Filesize

      56KB

    • memory/1632-41-0x0000000002460000-0x000000000247C000-memory.dmp

      Filesize

      112KB

    • memory/1632-39-0x0000000000C80000-0x0000000000C8E000-memory.dmp

      Filesize

      56KB

    • memory/1632-37-0x0000000000150000-0x0000000000336000-memory.dmp

      Filesize

      1.9MB

    • memory/5328-3-0x00007FFAA3DF0000-0x00007FFAA48B1000-memory.dmp

      Filesize

      10.8MB

    • memory/5328-18-0x00007FFAA3DF0000-0x00007FFAA48B1000-memory.dmp

      Filesize

      10.8MB

    • memory/5328-0-0x00007FFAA3DF3000-0x00007FFAA3DF5000-memory.dmp

      Filesize

      8KB

    • memory/5328-1-0x00000000008F0000-0x0000000000B10000-memory.dmp

      Filesize

      2.1MB

    • memory/5856-22-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/5856-20-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/5856-23-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/5856-66-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB