Analysis
- max time kernel:  142s
- max time network: 152s
- platform:         windows10-2004_x64
- resource:         win10v2004-20231023-en
- resource tags:    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted:        19/11/2023, 12:58
Static task: static1

Behavioral task: behavioral1
- Sample:   85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
- Resource: win7-20231025-en

Behavioral task: behavioral2
- Sample:   85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
- Resource: win10v2004-20231023-en
General
- Target: 85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
- Size:   2.0MB
- MD5:    30187293127241c047ea7582cb3ba925
- SHA1:   70e9d100311fcfd66e344f8a71bc1e019c3de94e
- SHA256: 85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867
- SHA512: 54f3a665d89e760f012847756ffdae0727af0617e67ae3aad59f76ce6e1e7c67ce20f52203237453a7d21f5f175f9c98281075fb182b29af4a1538312e3abd04
- SSDEEP: 49152:nILNq8KKtRL4wk8UGHZF1ljvfvQAzjsKMvojOCIoBEScdD:nxKtRL47iPljJfsKDN7aScl
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  resource:  behavioral2/memory/1404-11-0x0000000000400000-0x00000000004B6000-memory.dmp
  yara_rule: dcrat

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation
  Process:           85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe

- Executes dropped EXE (1 IoC)
  PID 4436  Yammi_Loader.exe

- Suspicious use of SetThreadContext (1 IoC)
  PID 4436 (Yammi_Loader.exe) set thread context of PID 1404 (procid_target 109)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 1404  AppLaunch.exe (all 12 entries)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 1404  AppLaunch.exe

- Suspicious use of WriteProcessMemory (19 IoCs)
  source PID  source process                                                          target PID  procid_target  entries
  4228        85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe  4436        91             3
  4436        Yammi_Loader.exe                                                        1404        109            8
  1404        AppLaunch.exe                                                           2748        111            3
  2748        cmd.exe                                                                 4312        113            3
  4312        w32tm.exe                                                               4964        114            1
Processes
1. C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe"
   PID: 4228
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Yammi_Loader.exe
      command line: "C:\Yammi_Loader.exe"
      PID: 4436
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
         PID: 1404
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQmJXtxcMW.bat" "
            PID: 2748
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\w32tm.exe
               command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
               PID: 4312
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\w32tm.exe
                  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  PID: 4964
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 228B
  MD5:    526df9a4c49c13cec115cd7fa6ebc1b1
  SHA1:   035f0ef8d044066770fc028431a6e27ad17acd08
  SHA256: 4a081a9b6ccbd4349954c2145a08cf7ff0ff07c267c3250e1c024150fc77258c
  SHA512: eb8c626af8559d083a223892c7b7d283a18f433737021bfbcc71e93944e9b736bd716540acdc6f84f98c950df59512e71857734560f8c76b14d7b80daba87790

- Filesize: 1.7MB (three identical entries in the report)
  MD5:    c91f1703dc916f794558bf40b5eab38a
  SHA1:   c020666495cb42db82515abae7cf35ca419636e9
  SHA256: 7bb4158925b3b225dbc69d2befa9cd3f9afe5ef6cf71fb581879e9df5659c5b6
  SHA512: e345c1b4c4249cb8bc69d661564bfe9da8ee860f23e48d10d09256cd215483caf5b144040d490d43846d70e8e872b8b730dc134eda357a4e2a80991a435a6699