Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/01/2023, 11:56

General

  • Target

    HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe

  • Size

    768KB

  • MD5

    ca77b734327afb186e37d78d948034e8

  • SHA1

    73d0f64044802166bf6c3ca982a3f5ba5405c81e

  • SHA256

    b12fbaf6b6ba8add5b7d2f86c8dc9020e087a164b7a022c0058dd397754352f4

  • SHA512

    d03b22bca2262f4acd8054c419dac9af28f33b90950104bed89cf2e35419f373f0d306e8a08532eab2c99e2d11bec0093c38fd1040a78e063225948b4add7050

  • SSDEEP

    12288:kr9okJ1XGTNrrxqFcT7K2p+CMWOvE+LKxPSRwqTqHjgL2NdLwQmhJSGwHDkP:C9rqJS2AxZWp5Hj8oOFQD8

Score
10/10

Malware Config

Signatures

  • DcRat 17 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 16 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe
      "C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\FUJZXaGbfikh3OCtrxlc1i.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\HrklzIU7CdwrqnHUZC.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Users\Admin\AppData\Roaming\Adobe\security.exe
            "C:\Users\Admin\AppData\Roaming\Adobe\security.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Mirage.Internal\SppExtComObj.exe'" /rl HIGHEST /f
              6⤵
              • DcRat
              • Creates scheduled task(s)
              PID:4980
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\srrstr\fontdrvhost.exe'" /rl HIGHEST /f
              6⤵
              • DcRat
              • Creates scheduled task(s)
              PID:2980
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f
              6⤵
              • DcRat
              • Creates scheduled task(s)
              PID:1148
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Windows.Web\cmd.exe'" /rl HIGHEST /f
              6⤵
              • DcRat
              • Creates scheduled task(s)
              PID:4420
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDTURME\fontdrvhost.exe'" /rl HIGHEST /f
              6⤵
              • DcRat
              • Creates scheduled task(s)
              PID:372
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f
              6⤵
              • DcRat
              • Creates scheduled task(s)
              PID:4284
            • C:\Users\Admin\AppData\Roaming\Adobe\security.exe
              "C:\Users\Admin\AppData\Roaming\Adobe\security.exe"
              6⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3704
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\mapstoasttask\spoolsv.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:1884
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\winlogon.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:4788
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:5064
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\WinOpcIrmProtector\lsass.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:4176
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:5096
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "upfc" /sc ONLOGON /tr "'C:\Documents and Settings\upfc.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:8
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\PnPUnattend\RuntimeBroker.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:4684
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:4032
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\taskhostw.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:3352
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:3508
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7LaJCF5Wk3.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3404
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                  PID:2092
                  • C:\Windows\system32\PING.EXE
                    ping -n 5 localhost
                    8⤵
                    • Runs ping.exe
                    PID:4360
                  • C:\Windows\System32\WinOpcIrmProtector\lsass.exe
                    "C:\Windows\System32\WinOpcIrmProtector\lsass.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2336

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\security.exe.log

      Filesize

      1KB

      MD5

      29901c9eca42ea66eacb5b816d7dc106

      SHA1

      69683b3029b7b086002e3cbecced9bf64f031e01

      SHA256

      96c09cd40aca8463fd210b8b66856d3e38c0a0f7ca54a8b797f97ebca3d4ea63

      SHA512

      e7e17297f9b14b3dae0aa8abf01cffe4353a65fb73b851ced178efb29df858bbacdcf5e75642b9806b4b09dc2eba337cfe28459694911b2f1c4dfdeabab13e0b

    • C:\Users\Admin\AppData\Local\Temp\7LaJCF5Wk3.bat

      Filesize

      214B

      MD5

      a4009de1172a678024b1f7f6bf8c7fed

      SHA1

      5765d8b09684bb9d0fef62595bb98a9c00fdc954

      SHA256

      2461b846afc817bc425b15a3e470d994fb3296971d914e9ab039df6fdd6b92bd

      SHA512

      f3d446e866dc0ad2d8f5674d438db40774bfa8e0e3f752825501b33fe7f2e88379384d10fc229ef72893e9e47ee7ab5d764636b7e8864a19bf4ff9e628bc1712

    • C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe

      Filesize

      1.4MB

      MD5

      153febc7dc9b8e2841a3a4c0c3ac3205

      SHA1

      38528c2c7e19b1246f4f9a420f05d8be3477876e

      SHA256

      cba167b92f87576189504d235e3681496e01fe2a1f090e071a932fda99cb6a5c

      SHA512

      022a6e7c0adeccace5b87ca7d87ba9b695903c5e9a754b9f493991a6c23de1e284c14137fbf266b2a8a50a667025b10b2c4288d6a4d43a064ff006d6984cfbc3

    • C:\Users\Admin\AppData\Roaming\Adobe\FUJZXaGbfikh3OCtrxlc1i.vbe

      Filesize

      207B

      MD5

      a2902a89edcfaefd1cf9464f23264397

      SHA1

      4e452cd28c8b743d0b927f6d8103fed171a549d5

      SHA256

      abd9ed2ebc502da8269778d3b45dd29d2c4ef78fcc5e3e8dd232905cb9625c68

      SHA512

      0db2e9d21164cdb4e824686f39cb4850fdbc8f72dcfd3f3bf73353074e4694a70c04356ce9ffea21e37381388c07943cd489c49a23738ae9a32e4473884dcd55

    • C:\Users\Admin\AppData\Roaming\Adobe\HrklzIU7CdwrqnHUZC.bat

      Filesize

      30B

      MD5

      987b91a43f4d58b9931af8a8d2d60532

      SHA1

      290b57275dc95a8244d3aab2e76ef5944e64c5d6

      SHA256

      2dafbed48a9bd344ee01d84d4ed7c5e9bc6e271f616e6b16aa0e858ef551472c

      SHA512

      a217b91040d8f1eb67c3092292a6db5da21214b04b8e2d2d5bd13677f84d5552b4fc42710a40915f71db54983b33d83d74e4e1144c6a60cf56d08391c351ceb1

    • C:\Users\Admin\AppData\Roaming\Adobe\security.exe

      Filesize

      1.1MB

      MD5

      1fe77d2dfb4e5fa383357b76151e6863

      SHA1

      f4d111e26144d496f75ed22139a65513112b125c

      SHA256

      7bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2

      SHA512

      a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac

    • C:\Windows\System32\WinOpcIrmProtector\lsass.exe

      Filesize

      1.1MB

      MD5

      1fe77d2dfb4e5fa383357b76151e6863

      SHA1

      f4d111e26144d496f75ed22139a65513112b125c

      SHA256

      7bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2

      SHA512

      a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac

    • memory/2336-177-0x00007FF84F630000-0x00007FF8500F1000-memory.dmp

      Filesize

      10.8MB

    • memory/2336-176-0x00007FF84F630000-0x00007FF8500F1000-memory.dmp

      Filesize

      10.8MB

    • memory/2580-145-0x0000000000B50000-0x0000000000C70000-memory.dmp

      Filesize

      1.1MB

    • memory/2580-146-0x00007FF84F760000-0x00007FF850221000-memory.dmp

      Filesize

      10.8MB

    • memory/2580-156-0x00007FF84F760000-0x00007FF850221000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-136-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-133-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-132-0x00000000009B0000-0x0000000000A76000-memory.dmp

      Filesize

      792KB

    • memory/3704-172-0x00007FF84F760000-0x00007FF850221000-memory.dmp

      Filesize

      10.8MB

    • memory/3704-157-0x00007FF84F760000-0x00007FF850221000-memory.dmp

      Filesize

      10.8MB