Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

agentbroke...ed.exe

windows7-x64

10

agentbroke...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    287s
  • max time network
    300s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    11/04/2023, 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    agentbroker-cleaned.exe

  • Size

    324KB

  • MD5

    13574e140395ffcbedf91cfbe7a3cdaf

  • SHA1

    dcd4ce19754c56a5c0c65012fde8ac14c4932124

  • SHA256

    7b2a00a5aa73f0bb88c2d4751423d55a9c30d3cc665e05a9710db83723223a35

  • SHA512

    18b3e95aafaa0a55d29ac55ea54dc32b44d41f525407158c43b0cc18b2c58ed07b8db4f8cf9131a454145dbe79d35cd0197a70022c5125108176e3ff5a02ad03

  • SSDEEP

    6144:K71egH5NLdW7/foTziLGm//2VWhdi1HbXPk7Dbc/Qf:K5BZNZW7/b56C0

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\agentbroker-cleaned.exe
    "C:\Users\Admin\AppData\Local\Temp\agentbroker-cleaned.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\System.exe
      "C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\System.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      PID:1416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaneda" /sc MINUTE /mo 7 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\agentbroker-cleaned.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaned" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\agentbroker-cleaned.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaneda" /sc MINUTE /mo 14 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\agentbroker-cleaned.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaneda" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\agentbroker-cleaned.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaned" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\agentbroker-cleaned.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaneda" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\agentbroker-cleaned.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaneda" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\agentbroker-cleaned.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaned" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\agentbroker-cleaned.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaneda" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\agentbroker-cleaned.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\ja-JP\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\ja-JP\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Documents\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaneda" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\agentbroker-cleaned.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaned" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\agentbroker-cleaned.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "agentbroker-cleaneda" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\agentbroker-cleaned.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:380
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AD51B3F4-BA35-4F34-918C-280FE9448E4D} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Program Files (x86)\Windows Sidebar\agentbroker-cleaned.exe
      "C:\Program Files (x86)\Windows Sidebar\agentbroker-cleaned.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1472

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Windows Sidebar\agentbroker-cleaned.exe
    Filesize

    324KB

    MD5

    13574e140395ffcbedf91cfbe7a3cdaf

    SHA1

    dcd4ce19754c56a5c0c65012fde8ac14c4932124

    SHA256

    7b2a00a5aa73f0bb88c2d4751423d55a9c30d3cc665e05a9710db83723223a35

    SHA512

    18b3e95aafaa0a55d29ac55ea54dc32b44d41f525407158c43b0cc18b2c58ed07b8db4f8cf9131a454145dbe79d35cd0197a70022c5125108176e3ff5a02ad03

    Download Submit

  • C:\Program Files (x86)\Windows Sidebar\agentbroker-cleaned.exe
    Filesize

    324KB

    MD5

    13574e140395ffcbedf91cfbe7a3cdaf

    SHA1

    dcd4ce19754c56a5c0c65012fde8ac14c4932124

    SHA256

    7b2a00a5aa73f0bb88c2d4751423d55a9c30d3cc665e05a9710db83723223a35

    SHA512

    18b3e95aafaa0a55d29ac55ea54dc32b44d41f525407158c43b0cc18b2c58ed07b8db4f8cf9131a454145dbe79d35cd0197a70022c5125108176e3ff5a02ad03

    Download Submit

  • C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\System.exe
    Filesize

    324KB

    MD5

    13574e140395ffcbedf91cfbe7a3cdaf

    SHA1

    dcd4ce19754c56a5c0c65012fde8ac14c4932124

    SHA256

    7b2a00a5aa73f0bb88c2d4751423d55a9c30d3cc665e05a9710db83723223a35

    SHA512

    18b3e95aafaa0a55d29ac55ea54dc32b44d41f525407158c43b0cc18b2c58ed07b8db4f8cf9131a454145dbe79d35cd0197a70022c5125108176e3ff5a02ad03

    Download Submit

  • C:\Users\Admin\Saved Games\System.exe
    Filesize

    324KB

    MD5

    13574e140395ffcbedf91cfbe7a3cdaf

    SHA1

    dcd4ce19754c56a5c0c65012fde8ac14c4932124

    SHA256

    7b2a00a5aa73f0bb88c2d4751423d55a9c30d3cc665e05a9710db83723223a35

    SHA512

    18b3e95aafaa0a55d29ac55ea54dc32b44d41f525407158c43b0cc18b2c58ed07b8db4f8cf9131a454145dbe79d35cd0197a70022c5125108176e3ff5a02ad03

    Download Submit

  • memory/1472-97-0x0000000000860000-0x00000000008B8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1472-98-0x000000001B090000-0x000000001B110000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1984-54-0x0000000001370000-0x00000000013C8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1984-57-0x000000001AE50000-0x000000001AED0000-memory.dmp

    Filesize

    512KB

    Download