Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

AnyDesk.exe.exe

windows7-x64

10

AnyDesk.exe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AnyDesk.exe.exe

  • Size

    1.1MB

  • MD5

    3f3906f8ced4518fe1f773cc8539c00a

  • SHA1

    5910cb6fac241a38403053e54091c1260ac99b76

  • SHA256

    77c5f17e97ac13be2f3b9f632d2a1cea5a17b598b533840d2996985d218445fe

  • SHA512

    4e5e3750cf93f3f46b2916b8aa9ddd9cc5c1098d003875f48a5fa20cc963a6ffb4a297c008679b38cc8d2512009bf34c9f802fc0ace22dc0d32dd2abd5bdc2ec

  • SSDEEP

    12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbG8xAWZvo/WmZmzoCALJRWNutN4C99ZxzNxiTd:U2G/nvxW3Ww0tzZvo/EzouCRxq55R

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ServerSaves\xEkSKuT.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ServerSaves\9utlu4N9jMYY.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1012
        • C:\ServerSaves\Perfdhcp.exe
          "C:\ServerSaves\Perfdhcp.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2016
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTs8TvT32m.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4896
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3968
              • C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe
                "C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4460
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ServerSaves\9utlu4N9jMYY.bat
      Filesize

      29B

      MD5

      e7df233b682d7f6e42b14eb701f9a9e7

      SHA1

      37b15dd8d912859ad04fb2b211b61aedb8467a96

      SHA256

      c1d207f5f0ae71cf9842d7ed133a6ecde862459423a20d525a75e1745050b51f

      SHA512

      0b3151e241a8718e649c50a6c5f13c403689ea048a98d4f369e9db49f5a96576fdf3a1d80a9cbc4cafef217416bea71d3130adb707f204f32eef229da9362d7b

      Download Submit

    • C:\ServerSaves\Perfdhcp.exe
      Filesize

      827KB

      MD5

      af544acc9123c753c94da56296c6a1fc

      SHA1

      416f6f28bd3c92a9a9d78973104c203667896f3e

      SHA256

      7503e7b46f9c46b16c8598f647b1a9bb75e8d7b8e534fc7042c72693b1cbdc7f

      SHA512

      90db52192ad0b6e736f544754e07fea5f4836e70785949547929772a75a5d00ba686c0dc0db263948a9f79b5611c9d9202090ff44df78bd023931546d8a3e288

      Download Submit

    • C:\ServerSaves\xEkSKuT.vbe
      Filesize

      200B

      MD5

      3f3e10474645632811ac1e556e32c820

      SHA1

      afd8bcc7639a38454334c8b4a7cde9969205211e

      SHA256

      15fd3d8f2a1e798de4d2ee0aa77c91ff7bf63444e94cfbda07fca0b0636e3d4a

      SHA512

      e435ddd64862b10746c1a07d9658f6173f23cf92c573732731617112653395c647138cf75631739bc4050a421908863caceb8b547054ef9dfb4cb98b5ad4a7b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aTs8TvT32m.bat
      Filesize

      235B

      MD5

      fb3560c8eed824ead0adf5453ab5270f

      SHA1

      c550e1069d706c46d6f84bed8f4a44b0bd868e25

      SHA256

      9b0de1cc6ad2004c6fbccc5992564c29df50710255dc08699f6bbcf1ff88334e

      SHA512

      f82062b5281e279b0a7b3164f5b6029483bdde1c45767fb962f56a7c9b0321cf6a3017855187918097ee0e25e1f89de80017342590e3797eec37e2e767dc7f8c

      Download Submit

    • memory/2016-13-0x00007FFE55CD3000-0x00007FFE55CD5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2016-12-0x0000000000610000-0x00000000006E6000-memory.dmp

      Filesize

      856KB

      Download