Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

235d34c77d...b1.exe

windows7-x64

10

235d34c77d...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/08/2024, 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    235d34c77d2170ce99f718267547a1b1.exe

  • Size

    2.8MB

  • MD5

    235d34c77d2170ce99f718267547a1b1

  • SHA1

    d8802d67af489d34023046f84a8c6eeae7c9afd8

  • SHA256

    0f2c744c9325bd8c8874af73a82add70c6206e047afef3be951fb6ebfe8c5576

  • SHA512

    7c292e38783e56f63999cfe88a43758353de33622a6ff937af5e6252639530ee21ad036b0795e02ddb817e8d29c7fb2c8514f76627ea168fc274df9a21e8178e

  • SSDEEP

    49152:ubA3jvN1HwTxELJKORSmFPANX0M2EQX2YnbcqT9KD2EB7F1QetkmL6Hs44F+I6:ubaN1HwdEwmxGDDaYqTYDZ7ntkBHs44o

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 29 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
    persistence
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 18 IoCs
    persistence
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\235d34c77d2170ce99f718267547a1b1.exe
    "C:\Users\Admin\AppData\Local\Temp\235d34c77d2170ce99f718267547a1b1.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\surrogatewinhostsvc\nu5MrHdU8wRPsPg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\surrogatewinhostsvc\wBJ3JMG47SmseQ.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\surrogatewinhostsvc\blockportserver.exe
          "C:\surrogatewinhostsvc\blockportserver.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\51rR3AnFko.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2908
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2064
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\Idle.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\swidtag\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\surrogatewinhostsvc\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\surrogatewinhostsvc\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\surrogatewinhostsvc\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\surrogatewinhostsvc\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\surrogatewinhostsvc\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\surrogatewinhostsvc\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Migration\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\Scenarios\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\DiagTrack\Scenarios\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3248
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\51rR3AnFko.bat
      Filesize

      235B

      MD5

      476abf81ddca68cc30152368b58e85fc

      SHA1

      4107a1a99ff3b667aa265d0cba3b0b579200468e

      SHA256

      e50d3c4278719e42fa1ded19de16af85fcd9651f379f396c1b150a417f5f43f4

      SHA512

      39dc9f5db8f5490590f6b9330aade28e5b7610ae722b21374b59ed1132ea10245d89c762285ff167bbd244c53f1d36dd0f7beb75fb502d33ef6fcb23067f0299

      Download Submit

    • C:\surrogatewinhostsvc\blockportserver.exe
      Filesize

      2.5MB

      MD5

      20cb8781e072c5c355b82dbb35fe7d53

      SHA1

      0bcc2e15d5ad8b869aae6f3fbe4caec027da245a

      SHA256

      847c3eec06cef11c67133a2bf6263a5051691745f23c58731712d8ec58800028

      SHA512

      72011df2b391c8ea7edaf5b52d25c5a7df10f9c7bba38143c4ac6e55d6b10b84b4fa1d82b10ceb9bd3428253e6965567d4943f548dbe7229dba2bd72c758c027

      Download Submit

    • C:\surrogatewinhostsvc\nu5MrHdU8wRPsPg.vbe
      Filesize

      210B

      MD5

      a79158e3b1d9ed9598b1ca48083d2c14

      SHA1

      cbe5a2189f5438be85e08e66bf920b0a09710549

      SHA256

      0cb22cafd03369625e2a4d2a984ee44b40da9552c605a93b228ee92123655f03

      SHA512

      29795d38d5bfae787e763f3797718c8a025ffd94d992d9ec161007a2d26ad333b311b0e832457982e53db7f4a5e52854e4899dac3ad0f91370837bd044dd1984

      Download Submit

    • C:\surrogatewinhostsvc\wBJ3JMG47SmseQ.bat
      Filesize

      44B

      MD5

      cb20cf3cd0b69520d6609862850432fd

      SHA1

      0067ca01f3768a78667d6ad08246ff3bf6c3d276

      SHA256

      0f2839791a1a576337466fd847893e1cbe8f0376a54f4291e4d57afdaf2cd252

      SHA512

      64034329bf6af43e56df14f8bc02e8dd5ef495d5bb8e41d5d12bff9088143f3acda89a549d3e4a20ba3ecd5ba643539c1a02974e6cb3771b6375626c6fa2b9ae

      Download Submit

    • memory/5076-17-0x000000001C2B0000-0x000000001C2C6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/5076-14-0x0000000001A20000-0x0000000001A2E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5076-15-0x0000000003250000-0x000000000326C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/5076-16-0x000000001C300000-0x000000001C350000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5076-13-0x0000000000ED0000-0x0000000001150000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/5076-18-0x0000000001A30000-0x0000000001A40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5076-19-0x000000001C350000-0x000000001C3A6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/5076-20-0x0000000003280000-0x000000000328C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/5076-21-0x000000001C2D0000-0x000000001C2D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5076-22-0x000000001C2E0000-0x000000001C2EC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/5076-23-0x000000001C2F0000-0x000000001C2FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5076-24-0x000000001C3A0000-0x000000001C3AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5076-12-0x00007FF90E4C3000-0x00007FF90E4C5000-memory.dmp

      Filesize

      8KB

      Download