Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

incognito.exe

windows7-x64

10

incognito.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/06/2024, 10:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    incognito.exe

  • Size

    1.4MB

  • MD5

    b0e8a9d9dfa09406a6d2a60f52938c70

  • SHA1

    75b046eb99a92ccaa61adb3e3a5367ce32553750

  • SHA256

    b46875a8a1001af973be5f2b9f8ea9eccc3c87fa8cc85d8a2b4e7b93bdb79dd4

  • SHA512

    0887b62285f5939ce639f1168573e457408252d99124c372573bbd41a861039c13fdf5ae4942d463b4c91341f68c2461667a43cf0ba119d4a5db7c6f42cf41ed

  • SSDEEP

    24576:U2G/nvxW3Ww0tZpGpmEq8NW+MjYTJm4FR9StJ4g7N/M2D3C1X1X:UbA30ZpGpmEkINHMJ4Ielt

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\incognito.exe
    "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\browserreviewSavesruntimecommon\sALjCX2DJ1FjfO.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\browserreviewSavesruntimecommon\jt4LBgBNIUJsIGJZrjCIK93Fg0t.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\browserreviewSavesruntimecommon\HyperBrokercommon.exe
          "C:\browserreviewSavesruntimecommon\HyperBrokercommon.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1396
          • C:\Recovery\WindowsRE\dllhost.exe
            "C:\Recovery\WindowsRE\dllhost.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:3300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\browserreviewSavesruntimecommon\HyperBrokercommon.exe
    Filesize

    1.1MB

    MD5

    02006b9d56f2799d5fd9ad8a3e9c698d

    SHA1

    89ba4cba2ede6543a8c3a943e51d05af666ba3b4

    SHA256

    1e502065aa16df514c741ddc34e5857d16baaf7d352c088dbfb239a955430517

    SHA512

    47efbd1b4b4bc5f6cf2ac17650d1a5bb4af256989ce05ea3e38bdb5eb3f7009784cf34a1a539fbc1ec9c39cf5f0cd10cba746dc117a3c71cab102f2e20dfc2c9

    Download Submit

  • C:\browserreviewSavesruntimecommon\jt4LBgBNIUJsIGJZrjCIK93Fg0t.bat
    Filesize

    58B

    MD5

    4c037bd86379e42fb1367ad486900857

    SHA1

    1c12566e86fc161508cdc1fe77e1fa57682d8782

    SHA256

    4e815d481c421f6285580f0d77190113a5f21292ac2c69e3a0d62a0797e4fb65

    SHA512

    04188af986d5bb7ecbc53f1ef83d7673c8f31b3b187d2e3f0281aa3affec3cda56dfe50b19959dd8ef57aad3af6ddf00f9cf1fd5c48d057f0808769f841ceaf1

    Download Submit

  • C:\browserreviewSavesruntimecommon\sALjCX2DJ1FjfO.vbe
    Filesize

    235B

    MD5

    5b4c9d21a4263bd3310afbeb618f42e8

    SHA1

    eae0a7615464b86cb86ba6110dd96d78583d5f3c

    SHA256

    87ced7720839bd67e4843c2bb8eaac2de03c608f1a2ee66068f551a3c74ef40f

    SHA512

    c2d275195169c7ed9746d2ad0741da073b84903c1c0831adf954f1221faa465a5d31a3885b33303858f66fa82fdb69e4efb058f8e7c36b06eefef900900fefb0

    Download Submit

  • memory/1396-12-0x00007FFDAA9F3000-0x00007FFDAA9F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1396-13-0x0000000000320000-0x0000000000444000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1396-14-0x0000000002680000-0x000000000269C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1396-15-0x000000001AFF0000-0x000000001B040000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1396-16-0x0000000000D80000-0x0000000000D8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1396-17-0x00000000026A0000-0x00000000026AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1396-18-0x00000000026B0000-0x00000000026BC000-memory.dmp

    Filesize

    48KB

    Download