Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

5936b1537b...27.exe

windows7-x64

10

5936b1537b...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    01/09/2024, 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe

  • Size

    2.3MB

  • MD5

    5ea10818a7aa9cb88ac1f17cc5e86989

  • SHA1

    d253771029ab507d7c64642f6586831305a62a2c

  • SHA256

    5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27

  • SHA512

    e3c942832460f6f6ddfe3d0a0a7afa903193bf4b07a3c702d52e7314769f72839bb3096c9dff68bdd26a9cf5c195f49e6f08c468f6499e6de1d784893db8ba3f

  • SSDEEP

    49152:UbA30uCU+RsTSd6BGz+ASnjx3xUPJyP9nTuD:UbBvuxwzxSjLS3D

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 12 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 11 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 11 IoCs
    persistence
  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
    "C:\Users\Admin\AppData\Local\Temp\5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\driverruntime\g3T3MhMW2xzvlh0A.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\driverruntime\MdhUpHLszPTunt5Up4v.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\driverruntime\driverruntimereviewwinbroker.exe
          "C:\driverruntime\driverruntimereviewwinbroker.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ng2icMPyD8.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2148
              • C:\driverruntime\driverruntimereviewwinbroker.exe
                "C:\driverruntime\driverruntimereviewwinbroker.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2564
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oFtA6viZ4c.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:956
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1684
                    • C:\Windows\System32\wbem\lltdsvc\WmiPrvSE.exe
                      "C:\Windows\System32\wbem\lltdsvc\WmiPrvSE.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\KBDPASH\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\Robocopy\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2256
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\KMSVC\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Documents and Settings\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "driverruntimereviewwinbroker" /sc ONLOGON /tr "'C:\Windows\system\driverruntimereviewwinbroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\lltdsvc\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDHEPT\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2852

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\329bf01e4b0e4458370fd3022fe99861a5ba705170752275a81a34455c08959e974be109771822c5
        Filesize

        448B

        MD5

        efa43235f25c6ea5fae0f630942968a7

        SHA1

        f119eca30b02e588333a4bb35061b61c03c65d84

        SHA256

        19ddead6b4468b7f71097679d9f19828008ae41a9ddc3f99b3a0ee03efc05d35

        SHA512

        c0692dd7f24e955df908e0ed93dfaace900aac2b9c46b1ce58c486a63b0c78301cf02544a41101a6d961335fa58c86d2ee4839a3f91e796024e11912449dad29

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Ng2icMPyD8.bat
        Filesize

        213B

        MD5

        103d40275f06aeb159b96d538a383ee0

        SHA1

        8ae0242df1520079a787ca88a2829b2507f77d55

        SHA256

        495e6e99dd53329333ce3eb66d64aee619596231918afdd151789e08ee7aebc0

        SHA512

        75051447c44696a990d42b2a89a4067cb2fcf3f72a07f34200c32b2fc0e3688bbd4cea0fbd577d31fe19a2e4a1516858546aaa2f312b683d46fbd3f6968fb3f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\oFtA6viZ4c.bat
        Filesize

        209B

        MD5

        b0f52cc92405625104787cb0ec0d9f14

        SHA1

        b2c2a6ab5985d5d7aa17dff641a0c9195cdee6f3

        SHA256

        86995ea2375a5a4a966625fd956233f4031d2a9a1151a65f0b6eaa934a740b5a

        SHA512

        300d7f950b6ba6d96f006a16313b06d1f52c2e4fae088b7ec369f92ae67eccb9553ab1c14fb4936229d25e303400324832334e22a8316ba5f646d754434fd16b

        Download Submit

      • C:\driverruntime\MdhUpHLszPTunt5Up4v.bat
        Filesize

        51B

        MD5

        eaa874ab241fd40826c737c1a3b0f3df

        SHA1

        f2f41d0951603bf869076eae8c0d98a11a44c297

        SHA256

        3f0b3977d065cc7ec8939745001b7dc67cfc3f34b7e87e1d54478e6e213fa82f

        SHA512

        4956b8bb8baa3f64ca0436a6974f719e656afb1b520dcd40eb6242eaba52d4031fe50e1eaf24db51925d28aaad4e52f3b61c2969d356703b1729c2be72b50913

        Download Submit

      • C:\driverruntime\driverruntimereviewwinbroker.exe
        Filesize

        2.0MB

        MD5

        a0e3c525ca39f040503976ed5e2400f2

        SHA1

        bfe9da78b0643b51193b8710d15d1bd5ea1386a4

        SHA256

        cf7c599a186ce0aef6b817e0134c129f5672b325064c0e742b742f792fd4991b

        SHA512

        96404838178ec94bb3dde32765961d1ce52a6f9d30765dbf3274d35371263848e10e9aaffdfd740077d60c769594ba92011ff2541599b7a67f0178fa93949e28

        Download Submit

      • C:\driverruntime\g3T3MhMW2xzvlh0A.vbe
        Filesize

        209B

        MD5

        e4e82fb77d90ca4a807612b8f64fe0fe

        SHA1

        13735e175978dc40037eb7e9de54d403730ceecf

        SHA256

        aaee0f50f9f20338e6bbf9eeea524283d5149505e9def2a9b26172f8f4f8136e

        SHA512

        9853dccc0b32ed12f17a21b3fe76fd3f8297ce6d9798b59a31defc9643793c1ad9363928dec74f2c9eca917ff1a32430e673887db5e42d3d4defee1b3f578638

        Download Submit

      • memory/2064-54-0x00000000001C0000-0x00000000001CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2064-53-0x0000000000D00000-0x0000000000F0C000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2064-55-0x00000000001E0000-0x00000000001EC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2064-56-0x00000000004C0000-0x0000000000516000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2064-57-0x00000000003A0000-0x00000000003AA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2564-31-0x0000000001190000-0x000000000139C000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2900-13-0x0000000000F10000-0x000000000111C000-memory.dmp

        Filesize

        2.0MB

        Download