Analysis
- max time kernel: 0s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 06:26
Behavioral task: behavioral1
- Sample: 2bac605e5583c13c10d4f1e0f0427c7e.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 2bac605e5583c13c10d4f1e0f0427c7e.exe
- Resource: win10v2004-20231222-en
General
- Target: 2bac605e5583c13c10d4f1e0f0427c7e.exe
- Size: 1.6MB
- MD5: 2bac605e5583c13c10d4f1e0f0427c7e
- SHA1: 5cf030f522cfa4323026a65a1b92bb0df5189960
- SHA256: 4759bca33d28b3cf7d62e9a85d64dc7bbe2acf4993bb702c7016381bee8a0a29
- SHA512: 1b07a092d75cbf5c7050694ca1686726e825a0442defa1142191e1246ac4c42b9c3d42daeb8eb17a3a5009ba1ee995af9e3c2ea94ee1401323966df23ae14298
- SSDEEP: 24576:u2G/nvxW3WieCjPLoxXw1dpqthRHHyJVnZBAQcNDAjAQbCjO6F4//PeSh+45:ubA3jP1LqtaPZ5G2C6E4H0Y
Malware Config
Signatures
- DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
resource | yara_rule
behavioral2/memory/4756-12-0x00000000006C0000-0x000000000081C000-memory.dmp | dcrat
behavioral2/files/0x000600000002321f-11.dat | dcrat
behavioral2/files/0x000600000002321f-10.dat | dcrat
- Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 2372 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4788 | 2372 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 2372 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2212 | 2372 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 2372 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1464 | 2372 | schtasks.exe | 95
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 2bac605e5583c13c10d4f1e0f0427c7e.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2236 | schtasks.exe
1464 | schtasks.exe
1692 | schtasks.exe
4788 | schtasks.exe
2168 | schtasks.exe
2212 | schtasks.exe
- Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | 2bac605e5583c13c10d4f1e0f0427c7e.exe
- Modifies registry key (1 TTP, 1 IoC)
pid | Process
4052 | reg.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4492 wrote to memory of 1796 | 4492 | 2bac605e5583c13c10d4f1e0f0427c7e.exe | 90
PID 4492 wrote to memory of 1796 | 4492 | 2bac605e5583c13c10d4f1e0f0427c7e.exe | 90
PID 4492 wrote to memory of 1796 | 4492 | 2bac605e5583c13c10d4f1e0f0427c7e.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\2bac605e5583c13c10d4f1e0f0427c7e.exe (PID 4492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bac605e5583c13c10d4f1e0f0427c7e.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 1796)
    Command line: "C:\Windows\System32\WScript.exe" "C:\refPerfMonitorNetdhcp\YrT2mnqpC.vbe"
    - C:\Windows\SysWOW64\cmd.exe (PID 3972)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\refPerfMonitorNetdhcp\pjvczXU3I6biAnw1ZWy.bat" "
      - C:\refPerfMonitorNetdhcp\refPerfMonitorNetdhcpintoCommon.exe (PID 4756)
        Command line: "C:\refPerfMonitorNetdhcp\refPerfMonitorNetdhcpintoCommon.exe"
        - C:\Windows\System32\cmd.exe (PID 1920)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\22yfZaFRYU.bat"
          - C:\Windows\SKB\LanguageModels\TextInputHost.exe (PID 4664)
            Command line: "C:\Windows\SKB\LanguageModels\TextInputHost.exe"
      - C:\Windows\SysWOW64\reg.exe (PID 4052)
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        Signatures: Modifies registry key
- C:\Windows\system32\schtasks.exe (PID 1692)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\diskmgmt\winlogon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4788)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2168)
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\PeerDist\sihost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2212)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\osk\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\w32tm.exe (PID 3560)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Windows\system32\chcp.com (PID 4812)
  Command line: chcp 65001
- C:\Windows\system32\schtasks.exe (PID 2236)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\RDXService\fontdrvhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1464)
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\TextInputHost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 217B
  MD5: 54a006bff9a90d4ae0cc7738e0c0fbae
  SHA1: 19c97dfab3ba92ccea63f1500d7b5cf1f10f3ac1
  SHA256: 6d8c8de2d8d86b210b5d2e1380602f8ec5720aaa03c71cd12333cb4902d04672
  SHA512: 9774a74a2392525ca44378050d87f8c354ab9e69ba1dec4a8bdff0c4eb0f507cf6016dfa9766afb32587294104378e84eed9cdc7acbff7519f870d6f6a772978
- Filesize: 174B
  MD5: 2863934a7fb9a5ab3d75f48b2bcd6417
  SHA1: 1b78fca38767d2acfcf957a72f15f6620b69f35e
  SHA256: 85e526fa80940b94bf667b307f55afcf70316b4cb7d56338d93f7a1e75b3a9b5
  SHA512: 65930f83d6ad931c86986a9ecd3be6e33bf080a919251dd9f59fd16806323089e9673e553daaea1732dbed5428ffeb8a7bbe2d7391b155b160197ad5eb8cf81b
- Filesize: 894KB
  MD5: 30afe8cdd5f3fce9c15c6a6cf496e449
  SHA1: 4c2336caef78b4f9eb21002883f23d78d9a7fdf7
  SHA256: 124b6afc6d8925fdc77a2b39691443e5eec9021f0566324984b72590ac421f36
  SHA512: e206e81f4c86efd81d08b74a3c49d328a94fffb6ed7d93b8f19fa5dc8d623ae87805ec66eb548dc9036cb1aba6efcf2303a43d5d286297f96802371499118215
- Filesize: 386KB
  MD5: 96feb0bfa8899a7e3110bc073501920f
  SHA1: 571eb9886c5419df1f1d6920a3329a283cef66ed
  SHA256: 55ddf0bd02db677eac7450bc1a2cc03dd820487f3c424c23ec85e54058efdfd1
  SHA512: 7a67a09f6771f069ea9159a7439ce3e55c6e1423fd985a5c68741707e2b82267ca91060b4f8617eca98a5b6091cf004eb0ab713f6df2e3d740dba03ab37c098e