Analysis

  • max time kernel
    132s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 22:31

General

  • Target
    0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe
  • Size
    1.7MB
  • MD5
    e28689bf7ea24c8051fd6e910fd259d4
  • SHA1
    fd55b3eb6123754cdb8dcc1d42f8d9aefa429758
  • SHA256
    0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1
  • SHA512
    32d8d58c0c9178980c6ca8e202cbaa51cba951a4bcee19bf0022d657dbf50012d12e52f77b8f6c0c69a34f0c2ffce883fd9a629f9b3b026ce9039bac73e015aa
  • SSDEEP
    24576:U2G/nvxW3Ww0tpaKkjLB0zOyM6/aAUIFGAqo2mSNgaMhYYSJvL87:UbA308Kk+ze2GAdSNzYSNLQ

Malware Config

Signatures

  • DcRat
    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
  • Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  • Process spawned unexpected child process (12 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • DCRat payload (2 IoCs)
    Detects the payload of DCRat, commonly dropped by NSIS installers.
  • Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Creates scheduled task(s) (1 TTP, 12 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (38 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe
    "C:\Users\Admin\AppData\Local\Temp\0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\v9suh58e6JIt2jtxqqX6.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\IZ3MUeW4JZESEvbk.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
          "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\browserwinsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4368
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2136
          • C:\Recovery\WindowsRE\browserwinsvc.exe
            "C:\Recovery\WindowsRE\browserwinsvc.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\Registry.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\AppReadiness\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\browserwinsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "browserwinsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\browserwinsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\browserwinsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Surrogateprovidercomponentsessionmonitor\IZ3MUeW4JZESEvbk.bat
    Filesize: 63B
    MD5: 6de687cf7ca366429c953cb49905b70a
    SHA1: 58e2c1823c038d8da8a2f042672027184066279e
    SHA256: 80d02a1cb8e68ffbc609a6c4914600604153ce929d46994200f837d354a5a611
    SHA512: 6bfa7a07d6adf167458cece0ba3a110479ee7677feb58c0ae9ba5c8913bcdda13664060ce0261abc1668c18831d5c73f6bc570be8595323d46704b810fc024ef
  • C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
    Filesize: 1.4MB
    MD5: 841209ab771bde66b25dfd03ff84c68a
    SHA1: 3c23b1e5d84698723316059a0458350c0a67fb91
    SHA256: d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4
    SHA512: 99039987c13b7092ef15fabc7f2a49ea08b41882c41bb27fa776cd13d3cefc7a104e6777530151fbf43e232eba127b29dc6bc5ac9c51f86320800f868a59d160
  • C:\Surrogateprovidercomponentsessionmonitor\v9suh58e6JIt2jtxqqX6.vbe
    Filesize: 233B
    MD5: a43d6dd506db81004ed806f215426812
    SHA1: 64393ef16431d921a0b0a4c2e827c4cb31001706
    SHA256: 146e72957d4b362943fef3010cf3fffa001bdebd71700cdd5086ab89a7991e8d
    SHA512: 042210ce96a57a688c25ea82fa3caa5ce44fab23d5edc01ee4df478b7a607da3b4c04336c5e695555eb1930b9f310841fe752b87448c02c2da3a4e63de127818
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 2e907f77659a6601fcc408274894da2e
    SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
    SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
    SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
    SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
    SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
    SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 77d622bb1a5b250869a3238b9bc1402b
    SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
    SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
    SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rw4pk3tj.btb.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/4488-41-0x000002291ED80000-0x000002291EDA2000-memory.dmp
    Filesize: 136KB
  • memory/4580-17-0x0000000000960000-0x0000000000968000-memory.dmp
    Filesize: 32KB
  • memory/4580-19-0x00000000023C0000-0x00000000023D0000-memory.dmp
    Filesize: 64KB
  • memory/4580-21-0x00000000023E0000-0x00000000023EC000-memory.dmp
    Filesize: 48KB
  • memory/4580-20-0x00000000023D0000-0x00000000023DA000-memory.dmp
    Filesize: 40KB
  • memory/4580-16-0x0000000002410000-0x0000000002460000-memory.dmp
    Filesize: 320KB
  • memory/4580-18-0x00000000023A0000-0x00000000023B6000-memory.dmp
    Filesize: 88KB
  • memory/4580-15-0x0000000002380000-0x000000000239C000-memory.dmp
    Filesize: 112KB
  • memory/4580-14-0x00000000008F0000-0x00000000008FE000-memory.dmp
    Filesize: 56KB
  • memory/4580-13-0x00000000000C0000-0x0000000000222000-memory.dmp
    Filesize: 1.4MB
  • memory/4580-12-0x00007FFE5B0A3000-0x00007FFE5B0A5000-memory.dmp
    Filesize: 8KB