Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

AnyDesk.exe.exe

windows7-x64

10

AnyDesk.exe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03/06/2024, 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AnyDesk.exe.exe

  • Size

    1.1MB

  • MD5

    3f3906f8ced4518fe1f773cc8539c00a

  • SHA1

    5910cb6fac241a38403053e54091c1260ac99b76

  • SHA256

    77c5f17e97ac13be2f3b9f632d2a1cea5a17b598b533840d2996985d218445fe

  • SHA512

    4e5e3750cf93f3f46b2916b8aa9ddd9cc5c1098d003875f48a5fa20cc963a6ffb4a297c008679b38cc8d2512009bf34c9f802fc0ace22dc0d32dd2abd5bdc2ec

  • SSDEEP

    12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbG8xAWZvo/WmZmzoCALJRWNutN4C99ZxzNxiTd:U2G/nvxW3Ww0tzZvo/EzouCRxq55R

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ServerSaves\xEkSKuT.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ServerSaves\9utlu4N9jMYY.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\ServerSaves\Perfdhcp.exe
          "C:\ServerSaves\Perfdhcp.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2120
          • C:\Program Files (x86)\Windows Portable Devices\explorer.exe
            "C:\Program Files (x86)\Windows Portable Devices\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "PerfdhcpP" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Perfdhcp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Perfdhcp" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Perfdhcp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "PerfdhcpP" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Perfdhcp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\ServerSaves\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ServerSaves\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\ServerSaves\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ServerSaves\9utlu4N9jMYY.bat
    Filesize

    29B

    MD5

    e7df233b682d7f6e42b14eb701f9a9e7

    SHA1

    37b15dd8d912859ad04fb2b211b61aedb8467a96

    SHA256

    c1d207f5f0ae71cf9842d7ed133a6ecde862459423a20d525a75e1745050b51f

    SHA512

    0b3151e241a8718e649c50a6c5f13c403689ea048a98d4f369e9db49f5a96576fdf3a1d80a9cbc4cafef217416bea71d3130adb707f204f32eef229da9362d7b

    Download Submit

  • C:\ServerSaves\Perfdhcp.exe
    Filesize

    827KB

    MD5

    af544acc9123c753c94da56296c6a1fc

    SHA1

    416f6f28bd3c92a9a9d78973104c203667896f3e

    SHA256

    7503e7b46f9c46b16c8598f647b1a9bb75e8d7b8e534fc7042c72693b1cbdc7f

    SHA512

    90db52192ad0b6e736f544754e07fea5f4836e70785949547929772a75a5d00ba686c0dc0db263948a9f79b5611c9d9202090ff44df78bd023931546d8a3e288

    Download Submit

  • C:\ServerSaves\xEkSKuT.vbe
    Filesize

    200B

    MD5

    3f3e10474645632811ac1e556e32c820

    SHA1

    afd8bcc7639a38454334c8b4a7cde9969205211e

    SHA256

    15fd3d8f2a1e798de4d2ee0aa77c91ff7bf63444e94cfbda07fca0b0636e3d4a

    SHA512

    e435ddd64862b10746c1a07d9658f6173f23cf92c573732731617112653395c647138cf75631739bc4050a421908863caceb8b547054ef9dfb4cb98b5ad4a7b6

    Download Submit

  • memory/1644-34-0x00000000010F0000-0x00000000011C6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2120-13-0x00000000003E0000-0x00000000004B6000-memory.dmp

    Filesize

    856KB

    Download