Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

90ed1454b8...38.exe

windows7-x64

10

90ed1454b8...38.exe

windows10-2004-x64

10

91570920da...cf.exe

windows7-x64

10

91570920da...cf.exe

windows10-2004-x64

7

915c452bf2...b6.exe

windows7-x64

10

915c452bf2...b6.exe

windows10-2004-x64

10

916cd92d3a...38.exe

windows7-x64

10

916cd92d3a...38.exe

windows10-2004-x64

10

916fbe67a7...e3.exe

windows7-x64

10

916fbe67a7...e3.exe

windows10-2004-x64

10

91cce1a9f4...6a.exe

windows7-x64

10

91cce1a9f4...6a.exe

windows10-2004-x64

10

91d2e3f758...f6.exe

windows7-x64

10

91d2e3f758...f6.exe

windows10-2004-x64

10

91d7fa8d89...52.exe

windows7-x64

10

91d7fa8d89...52.exe

windows10-2004-x64

10

91e6d47bd8...cc.exe

windows7-x64

7

91e6d47bd8...cc.exe

windows10-2004-x64

7

92105c7a3b...24.exe

windows7-x64

7

92105c7a3b...24.exe

windows10-2004-x64

7

921421b7f5...09.exe

windows7-x64

10

921421b7f5...09.exe

windows10-2004-x64

10

9221b9eea3...3c.exe

windows7-x64

1

9221b9eea3...3c.exe

windows10-2004-x64

10

92324d5776...05.exe

windows7-x64

1

92324d5776...05.exe

windows10-2004-x64

1

927cd0bd1a...b8.exe

windows7-x64

3

927cd0bd1a...b8.exe

windows10-2004-x64

3

92efd55895...78.exe

windows7-x64

10

92efd55895...78.exe

windows10-2004-x64

10

932a9096cd...eb.exe

windows7-x64

10

932a9096cd...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91d7fa8d891f603b35c77da7fcc4c552.exe

  • Size

    1.1MB

  • MD5

    91d7fa8d891f603b35c77da7fcc4c552

  • SHA1

    1b241b597c2d0b386e42f25e1e22372265ff06c6

  • SHA256

    2ff54b9f6860a5d362ef776360ed7a7f3c4da0f1dfce7493caa631e50c87722c

  • SHA512

    27cb44233fed4fd6aadd8f1100501ced417614a80a3e74bec5e3ff6d9c73bb7ed85b1885dc129a4f633738e489a85aac980b7238abef0ea10bdcb0df59d0a735

  • SSDEEP

    12288:Z49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:ZngTKZ5RU/xG7zsEyEve6SZ+dIe8usv

Score
10/10
dcratdefense_evasionexecutioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 6 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe
    "C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PhotoScreensaver\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\attachments\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\VBICodec\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4xHodhXOvU.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2536
        • C:\Windows\System32\PhotoScreensaver\wininit.exe
          "C:\Windows\System32\PhotoScreensaver\wininit.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\PhotoScreensaver\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\VBICodec\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2776

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\dllhost.exe
      Filesize

      1.1MB

      MD5

      91d7fa8d891f603b35c77da7fcc4c552

      SHA1

      1b241b597c2d0b386e42f25e1e22372265ff06c6

      SHA256

      2ff54b9f6860a5d362ef776360ed7a7f3c4da0f1dfce7493caa631e50c87722c

      SHA512

      27cb44233fed4fd6aadd8f1100501ced417614a80a3e74bec5e3ff6d9c73bb7ed85b1885dc129a4f633738e489a85aac980b7238abef0ea10bdcb0df59d0a735

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4xHodhXOvU.bat
      Filesize

      212B

      MD5

      7b09b1e60feec5c5212b86fc80ed81cc

      SHA1

      4c0d85e7e7f1f878c282c66a0f3aa5c8691a4512

      SHA256

      8d377f422781a03c9fa5c05e27d9194edd75780fcd5c723d4f61f0a77c91e798

      SHA512

      dd47651edf58a86a54b685ecfed5ed461a5706b8b3112c399441bb758c602a067af8f080979a82379e71e48df5819accc030d4595e4441a140920c62532a0080

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      c6663448a6518b82b3c46726f068f2d6

      SHA1

      604ae336fbe94b4f2aa8fa9cf342f86e77f4b3b3

      SHA256

      ddd96247f5fae1bf84d09f09fef3310d574346596f06d1db298d144ade390d9b

      SHA512

      eb78878707c9a7f368085b3e091e55fdfc8f777937c5d6b15d3ff437a46ee0e5f21bb6859d4df21f83fd770c51c1f0359f7c7ef7bb8f87dc01d5ef935114bfc6

      Download Submit

    • C:\Windows\System32\PhotoScreensaver\wininit.exe
      Filesize

      1.1MB

      MD5

      c9581eddfa6de15b27ba020b4da7b2ca

      SHA1

      4b93972617af567a4f16c6c30fa4796f8992500b

      SHA256

      bd82f89451dc5e0332144b993245dac3ed41bc6af686f3d09c9e2b07b7a94f0e

      SHA512

      22187d814eef3fe108b5fad70cb290022e374bdc95a2699e6b23f31b0c20b7b3c0ec797be327e5abd13971a3d7bf48c1bfd13620dd02e54d292b124feb82688a

      Download Submit

    • C:\Windows\Temp\Crashpad\attachments\wininit.exe
      Filesize

      1.1MB

      MD5

      04a4ed4d8500dfab64b52f9c10100ef2

      SHA1

      a86749dd1b8a7c34753241c84d864c21dbd5b78e

      SHA256

      05a139535b5d22f2d2e9f75ba2c5abf296ff01d60cd68ddefc4133673b80a6ee

      SHA512

      c841bb1292b7001377263b805955cfce0f500af20d8dbad03a4294b6f67c667dd6d9c0708895d3534c7da8497c12c2d0266ac1b94f6a6b1840894c25c645350e

      Download Submit

    • memory/1500-113-0x000000001B280000-0x000000001B562000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1516-117-0x0000000000C90000-0x0000000000DA6000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1936-114-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2824-5-0x0000000000260000-0x000000000026C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2824-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2824-1-0x0000000000BB0000-0x0000000000CC6000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2824-111-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2824-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2824-6-0x0000000000270000-0x0000000000278000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2824-7-0x0000000000290000-0x000000000029A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2824-4-0x0000000000250000-0x000000000025A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2824-3-0x0000000000240000-0x0000000000250000-memory.dmp

      Filesize

      64KB

      Download