Analysis
max time kernel: 84s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2023, 13:43
Behavioral task behavioral1
Sample: bc77f8df8e1dcb58a4142ee74.exe
Resource: win7-20230621-en
Behavioral task behavioral2
Sample: bc77f8df8e1dcb58a4142ee74.exe
Resource: win10v2004-20230703-en
General
Target: bc77f8df8e1dcb58a4142ee74.exe
Size: 828KB
MD5: bc77f8df8e1dcb58a4142ee740803de9
SHA1: c33ffa160a2d945b5c20dd0662a39ef666135e4c
SHA256: ae3aa6d645818c7b732fa7a70ad6bbd9b48be4f2a46ab60a9fc2169b6c8c141e
SHA512: e10cb92868bad8309a22b81fa421f8e8d90547800d64d594a2255238371c65c9a39ad8762960c9c4a9c85cab3db0551cd3893b62fe9bdcc0dbcd5d8b724447f5
SSDEEP: 12288:YnpgQaO+4y7PlLKnE2MoY0lHUkdiKLExUbtZ2jt7:WWQaO+42PlLKnEXoY0lViKYxIMp7
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  resource | yara_rule
  behavioral2/memory/4304-133-0x0000000000210000-0x00000000002E6000-memory.dmp | dcrat
  behavioral2/files/0x0007000000023113-148.dat | dcrat
  behavioral2/files/0x0007000000023113-149.dat | dcrat
- Process spawned unexpected child process (9 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1776 | 4692 | schtasks.exe | 85
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4704 | 4692 | schtasks.exe | 85
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2304 | 4692 | schtasks.exe | 85
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4384 | 4692 | schtasks.exe | 85
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4424 | 4692 | schtasks.exe | 85
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 4692 | schtasks.exe | 85
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 4692 | schtasks.exe | 85
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1680 | 4692 | schtasks.exe | 85
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4184 | 4692 | schtasks.exe | 85
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation | bc77f8df8e1dcb58a4142ee74.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  956 | RuntimeBroker.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\es-ES\RuntimeBroker.exe | bc77f8df8e1dcb58a4142ee74.exe
  File created | C:\Windows\es-ES\9e8d7a4ca61bd9 | bc77f8df8e1dcb58a4142ee74.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 9 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2304 | schtasks.exe
  4424 | schtasks.exe
  1680 | schtasks.exe
  1776 | schtasks.exe
  4704 | schtasks.exe
  4384 | schtasks.exe
  4932 | schtasks.exe
  2528 | schtasks.exe
  4184 | schtasks.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | bc77f8df8e1dcb58a4142ee74.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4304 | bc77f8df8e1dcb58a4142ee74.exe
  4304 | bc77f8df8e1dcb58a4142ee74.exe
  4304 | bc77f8df8e1dcb58a4142ee74.exe
  956 | RuntimeBroker.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4304 | bc77f8df8e1dcb58a4142ee74.exe
  Token: SeDebugPrivilege | 956 | RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4304 wrote to memory of 4876 | 4304 | bc77f8df8e1dcb58a4142ee74.exe | 95
  PID 4304 wrote to memory of 4876 | 4304 | bc77f8df8e1dcb58a4142ee74.exe | 95
  PID 4876 wrote to memory of 3188 | 4876 | cmd.exe | 97
  PID 4876 wrote to memory of 3188 | 4876 | cmd.exe | 97
  PID 4876 wrote to memory of 956 | 4876 | cmd.exe | 100
  PID 4876 wrote to memory of 956 | 4876 | cmd.exe | 100
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\bc77f8df8e1dcb58a4142ee74.exe (PID 4304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc77f8df8e1dcb58a4142ee74.exe"
  Signatures: Checks computer location settings; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 4876)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y8nE0hKGnf.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\w32tm.exe (PID 3188)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Windows\es-ES\RuntimeBroker.exe (PID 956)
      Command line: "C:\Windows\es-ES\RuntimeBroker.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 1776)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4704)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2304)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4384)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4424)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4932)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2528)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1680)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4184)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 199B
  MD5: 6cb45317d1cd8135887a31c601a5e0d6
  SHA1: 45b9c1216b40ee6e3da6d7408c188636aef296a9
  SHA256: f271bd847bfc64a5a8f4b2aae7576e225b81c61aa27ba8a9b2b05d38d2e7ce93
  SHA512: 0b8721a103063e2ffd4abc6a368f58b345daa9bd291f94dc370d194b72b68796a734fb0321a553ecf568309bec377887c68f4ad90df32ee5188cd94f2c7759fa