Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1088bc7b6a62...00.exe
windows7-x64
788bc7b6a62...00.exe
windows10-2004-x64
788cdf3a075...59.exe
windows7-x64
1088cdf3a075...59.exe
windows10-2004-x64
1089000a0d00...5b.exe
windows7-x64
1089000a0d00...5b.exe
windows10-2004-x64
1089270d6b49...b4.exe
windows7-x64
189270d6b49...b4.exe
windows10-2004-x64
1892ac0ac36...51.exe
windows7-x64
8892ac0ac36...51.exe
windows10-2004-x64
8894b900bb7...92.exe
windows7-x64
8894b900bb7...92.exe
windows10-2004-x64
8896493118e...17.exe
windows7-x64
10896493118e...17.exe
windows10-2004-x64
1089652cefa9...84.exe
windows7-x64
389652cefa9...84.exe
windows10-2004-x64
10897255af35...03.exe
windows7-x64
10897255af35...03.exe
windows10-2004-x64
10897b60be56...d4.exe
windows7-x64
6897b60be56...d4.exe
windows10-2004-x64
689a1a21003...9d.exe
windows7-x64
389a1a21003...9d.exe
windows10-2004-x64
389ed231ad6...9a.exe
windows7-x64
1089ed231ad6...9a.exe
windows10-2004-x64
108a4e1b5c29...83.exe
windows7-x64
108a4e1b5c29...83.exe
windows10-2004-x64
108a7ce080bb...ba.exe
windows7-x64
108a7ce080bb...ba.exe
windows10-2004-x64
108aa071d8cc...3d.exe
windows7-x64
78aa071d8cc...3d.exe
windows10-2004-x64
78acb86332d...4c.exe
windows7-x64
108acb86332d...4c.exe
windows10-2004-x64
10Analysis
-
max time kernel
103s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:13
Behavioral task
behavioral1
Sample
88bc7b6a627017c4f048d13e756f27b0adc94dc25d0b53c42a2cbdac36177600.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
88bc7b6a627017c4f048d13e756f27b0adc94dc25d0b53c42a2cbdac36177600.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
88cdf3a075a9f38022db50379cd5771e1992a58af68f516812b40c8320dabc59.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
88cdf3a075a9f38022db50379cd5771e1992a58af68f516812b40c8320dabc59.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral7
Sample
89270d6b49877a5303ff4416c74830b4.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
89270d6b49877a5303ff4416c74830b4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
892ac0ac36d3e692e581bde711ae2651.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
892ac0ac36d3e692e581bde711ae2651.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
894b900bb7817bc5ddd0e3ad48eb9c6fbe4ad9ad7741358d311bafe03b988a92.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
894b900bb7817bc5ddd0e3ad48eb9c6fbe4ad9ad7741358d311bafe03b988a92.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Resource
win7-20250207-en
Behavioral task
behavioral14
Sample
896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
89652cefa9366ca2d97d0e0b49525984.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
89652cefa9366ca2d97d0e0b49525984.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
897255af3577597d102569ae36e4a05af7c024eaaaf4b26d4515002d2b257303.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
897255af3577597d102569ae36e4a05af7c024eaaaf4b26d4515002d2b257303.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
897b60be5611091a83c5ceb48f7d2bd4.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
897b60be5611091a83c5ceb48f7d2bd4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
89a1a21003baf78498607da9565222de2ca042713740ff1005123e24f6b2449d.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
89a1a21003baf78498607da9565222de2ca042713740ff1005123e24f6b2449d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
8a4e1b5c2998360f622e0279dee68fb7e7130c4a0fa23749b404f70c10dfcd83.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
8a4e1b5c2998360f622e0279dee68fb7e7130c4a0fa23749b404f70c10dfcd83.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
8a7ce080bb43fc3edf2ddf3b300355ba.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
8a7ce080bb43fc3edf2ddf3b300355ba.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
8aa071d8cc2dd74176f041bba8762b3d.exe
Resource
win7-20250207-en
Behavioral task
behavioral30
Sample
8aa071d8cc2dd74176f041bba8762b3d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
8acb86332d3165ca0750e27ecd4b4948ab35ade98d43820de667e14ff849c64c.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
8acb86332d3165ca0750e27ecd4b4948ab35ade98d43820de667e14ff849c64c.exe
Resource
win10v2004-20250314-en
General
-
Target
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
-
Size
2.1MB
-
MD5
e5ab3ea88a2bc87c9e5b2dc45d2a4dd4
-
SHA1
2f58fa70410dedf700982f8c7a63e599c98ecff1
-
SHA256
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b
-
SHA512
d7c7cf4283f9a1d0b5fa0b077fb4e99d9285a8872e55f34c1e0b849d9a85c21148a9bcc8b357766e8d5967b0e2f1f42c45e299d3746a5b8c775658963b20cfb2
-
SSDEEP
49152:6/PzW6Bg//wzCaq4UfvOGh3m1aQOsemlAT33zNgz1Sjcj4N1:wPzWDwG4U3hmcQO18bz1Sje4N
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation 312213.exe Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation refNet.exe -
Executes dropped EXE 4 IoCs
pid Process 3332 312213.exe 2984 cGlzeWFwb3_crypted_LAB.exe 1632 refNet.exe 4104 upfc.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2984 set thread context of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\edge_BITS_4388_1241950146\services.exe refNet.exe File created C:\Program Files\edge_BITS_4388_1241950146\c5b4cb5e9653cc refNet.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\AppReadiness\f3b6ecef712a24 refNet.exe File created C:\Windows\SchCache\System.exe refNet.exe File created C:\Windows\SchCache\27d1bcfc3c54e0 refNet.exe File created C:\Windows\AppReadiness\spoolsv.exe refNet.exe File opened for modification C:\Windows\AppReadiness\spoolsv.exe refNet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 312213.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5036 PING.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings refNet.exe Key created \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings 312213.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 624 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5036 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe 1632 refNet.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1632 refNet.exe Token: SeDebugPrivilege 4104 upfc.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 5328 wrote to memory of 3332 5328 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 88 PID 5328 wrote to memory of 3332 5328 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 88 PID 5328 wrote to memory of 3332 5328 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 88 PID 5328 wrote to memory of 2984 5328 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 89 PID 5328 wrote to memory of 2984 5328 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 89 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 2984 wrote to memory of 5856 2984 cGlzeWFwb3_crypted_LAB.exe 91 PID 3332 wrote to memory of 4532 3332 312213.exe 92 PID 3332 wrote to memory of 4532 3332 312213.exe 92 PID 3332 wrote to memory of 4532 3332 312213.exe 92 PID 4532 wrote to memory of 4480 4532 WScript.exe 93 PID 4532 wrote to memory of 4480 4532 WScript.exe 93 PID 4532 wrote to memory of 4480 4532 WScript.exe 93 PID 4480 wrote to memory of 624 4480 cmd.exe 95 PID 4480 wrote to memory of 624 4480 cmd.exe 95 PID 4480 wrote to memory of 624 4480 cmd.exe 95 PID 4480 wrote to memory of 1632 4480 cmd.exe 96 PID 4480 wrote to memory of 1632 4480 cmd.exe 96 PID 1632 wrote to memory of 4700 1632 refNet.exe 97 PID 1632 wrote to memory of 4700 1632 refNet.exe 97 PID 4700 wrote to memory of 3404 4700 cmd.exe 99 PID 4700 wrote to memory of 3404 4700 cmd.exe 99 PID 4700 wrote to memory of 5036 4700 cmd.exe 100 PID 4700 wrote to memory of 5036 4700 cmd.exe 100 PID 4700 wrote to memory of 4104 4700 cmd.exe 102 PID 4700 wrote to memory of 4104 4700 cmd.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5328 -
C:\Users\Admin\AppData\Local\Temp\312213.exe"C:\Users\Admin\AppData\Local\Temp\312213.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:624
-
-
C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe"C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost/refNet.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5JCVJhOvU.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:3404
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5036
-
-
C:\ebea8a0c5b7ebb8dc5b60da7\upfc.exe"C:\ebea8a0c5b7ebb8dc5b60da7\upfc.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe"C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5856
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD51213f4fc1eb5dca213df57f1f5034a1b
SHA1e925aaf8a58c25e45a57cd6727e3de68fea1d267
SHA256d587bb2da2148bb0fed00e3d8ce93e5bb8207a77d7acbe735078b2372e737340
SHA5121886cb1fb166f44cc8a6aaa9dc0f07faf7bf9e14e1be908e4cee67c95c04151b3df921d9ac71e70a28c2ba9110117670b41d270000300434d9a84f1561ccc942
-
Filesize
234B
MD57453933cc2d2d8ad0040f4dcf0cf478b
SHA125a3fdd6e9194ba888c0ca50eb1494e645cad5b7
SHA25623fc1f6b78cdac4e63ab8fabecea0a0b5016dbc312cf4a5562b1e0991ac64266
SHA512db9c5997203971b7fab2977a753795193f978909a466af2a639104b5f43c0f2386a6c50be3f701aa3ca156345fe2bd5e1fbf71528254237dbd0214d0fb618427
-
Filesize
189B
MD51d0a67c059050e768d731a6f5f308b53
SHA14b411281d7255b2512e0b56966f254260b010eb2
SHA2564a8c1eb659ab57354d2255e6071d72f437e1535619b261e922fffb37aec4c145
SHA51297c8f984091fd5a36384e20f00fb9aee5bc22aaf5673a7c0a4c307ecf687a5e6a068ab6b6be0e64be49c0c5679d3da0794fb80a429db5eace8a70389046c9ea5
-
Filesize
1.9MB
MD5d2aaad4ccfc17fda2df263f515095e28
SHA19bfbdb3d4e5c724a4c45f72b4386cd4a9cacd219
SHA256a85bef4cf91e1dc1940124c6d2576d486be7868d996e01dc981c11b8a0dc1b40
SHA5126544effb5c43d28b0905dbf5bf7596197dd83b8bb1d8ade5fbdc7da85b2de9d6a02ac6f98297a04fdf997dde364c1a4a3c52360f6a495a2b57920c1b05c89b54
-
Filesize
569KB
MD5a46f9a51a1e4926a077ddf9420394364
SHA12573735414873bb050f5b35a4fa637c005488c06
SHA256b47c8f7c749732fc1d5c49f2f0dc830fc47fd19ddb10a8dea9717535e0d630ee
SHA512e97ff39ffa2abb743dbaf739daae99535b18a5958acf5ed0e1338d25ebf131bb8fd6cd4c6801ebfec08bfb83a6412e526eee16d238879a41649d1556bd81543f
-
Filesize
164B
MD5e99ee3fbbecde4ebe29380080c1bfd5a
SHA14899310717529454ef1ae6b33a2ac7a4e46b435d
SHA256cfbe2c313835016f9b65c0e2cdce7a5d779ab4c4f2002f093865670675088c2c
SHA5128e2c8c833b20d57632ef122abc2e73d557bed9fd790ef7a79320952602eaef5344e979b2d5de45ab790e889eb3c4217881101e137e64d75e3fa70c430bfe1b43