Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 273s
max time network: 303s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2023, 08:29
Behavioral task: behavioral1
Sample: agentbroker-cleaned.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: agentbroker-cleaned.exe
Resource: win10v2004-20230220-en
General
Target: agentbroker-cleaned.exe
Size: 324KB
MD5: 13574e140395ffcbedf91cfbe7a3cdaf
SHA1: dcd4ce19754c56a5c0c65012fde8ac14c4932124
SHA256: 7b2a00a5aa73f0bb88c2d4751423d55a9c30d3cc665e05a9710db83723223a35
SHA512: 18b3e95aafaa0a55d29ac55ea54dc32b44d41f525407158c43b0cc18b2c58ed07b8db4f8cf9131a454145dbe79d35cd0197a70022c5125108176e3ff5a02ad03
SSDEEP: 6144:K71egH5NLdW7/foTziLGm//2VWhdi1HbXPk7Dbc/Qf:K5BZNZW7/b56C0
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
resource | yara_rule
behavioral2/memory/4740-136-0x00000000007F0000-0x0000000000848000-memory.dmp | dcrat
behavioral2/files/0x0008000000021639-151.dat | dcrat
behavioral2/files/0x0008000000021639-152.dat | dcrat

Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 576 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1760 | 576 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 576 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3108 | 576 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3532 | 576 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4400 | 576 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3428 | 576 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4944 | 576 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 576 | schtasks.exe | 31
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | agentbroker-cleaned.exe

Executes dropped EXE (1 IoCs)
pid | Process
5040 | csrss.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
26 | ipinfo.io
25 | ipinfo.io

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\addins\sppsvc.exe | agentbroker-cleaned.exe
File opened for modification | C:\Windows\addins\sppsvc.exe | agentbroker-cleaned.exe
File created | C:\Windows\addins\0a1fd5f707cd16 | agentbroker-cleaned.exe
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\csrss.exe | agentbroker-cleaned.exe
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\886983d96e3d3e | agentbroker-cleaned.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4400 | schtasks.exe
3428 | schtasks.exe
2820 | schtasks.exe
1760 | schtasks.exe
2044 | schtasks.exe
3108 | schtasks.exe
3532 | schtasks.exe
4944 | schtasks.exe
2180 | schtasks.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | agentbroker-cleaned.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
4740 | agentbroker-cleaned.exe (7 entries)
5040 | csrss.exe (9 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
5040 | csrss.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4740 | agentbroker-cleaned.exe
Token: SeDebugPrivilege | 5040 | csrss.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4740 wrote to memory of 692 | 4740 | agentbroker-cleaned.exe | 91
PID 4740 wrote to memory of 692 | 4740 | agentbroker-cleaned.exe | 91
PID 692 wrote to memory of 3944 | 692 | cmd.exe | 93
PID 692 wrote to memory of 3944 | 692 | cmd.exe | 93
PID 692 wrote to memory of 5040 | 692 | cmd.exe | 98
PID 692 wrote to memory of 5040 | 692 | cmd.exe | 98

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\agentbroker-cleaned.exe (PID 4740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\agentbroker-cleaned.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 692)
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSpv0pCWHk.bat"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\w32tm.exe (PID 3944)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        C:\Windows\SoftwareDistribution\DataStore\Logs\csrss.exe (PID 5040)
            Command line: "C:\Windows\SoftwareDistribution\DataStore\Logs\csrss.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (PID 2820)
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1760)
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2044)
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3108)
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3532)
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4400)
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3428)
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\csrss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4944)
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2180)
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 221B
  MD5: b496879bdf1f04ab88502323f05b2282
  SHA1: 0fe5fa98c3eb9c8881679c963fa769ecaa345c71
  SHA256: 1189bd9b2b52dd3a0bdd82b26e99c68f24b85e39bdc43a251490406b6dc4675a
  SHA512: a59eb22cc569d40ca65cb4f504928dea94c7e2b7cd701a0b5a4b12d5c51d353797decddceca32929f1f90ed2985263cc95d5dea44b2cd70ff46c4f7bb38b0b97
- Filesize: 324KB
  MD5: 13574e140395ffcbedf91cfbe7a3cdaf
  SHA1: dcd4ce19754c56a5c0c65012fde8ac14c4932124
  SHA256: 7b2a00a5aa73f0bb88c2d4751423d55a9c30d3cc665e05a9710db83723223a35
  SHA512: 18b3e95aafaa0a55d29ac55ea54dc32b44d41f525407158c43b0cc18b2c58ed07b8db4f8cf9131a454145dbe79d35cd0197a70022c5125108176e3ff5a02ad03
- Filesize: 324KB
  MD5: 13574e140395ffcbedf91cfbe7a3cdaf
  SHA1: dcd4ce19754c56a5c0c65012fde8ac14c4932124
  SHA256: 7b2a00a5aa73f0bb88c2d4751423d55a9c30d3cc665e05a9710db83723223a35
  SHA512: 18b3e95aafaa0a55d29ac55ea54dc32b44d41f525407158c43b0cc18b2c58ed07b8db4f8cf9131a454145dbe79d35cd0197a70022c5125108176e3ff5a02ad03