Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2024, 00:34

General

  • Target

    5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe

  • Size

    2.3MB

  • MD5

    5ea10818a7aa9cb88ac1f17cc5e86989

  • SHA1

    d253771029ab507d7c64642f6586831305a62a2c

  • SHA256

    5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27

  • SHA512

    e3c942832460f6f6ddfe3d0a0a7afa903193bf4b07a3c702d52e7314769f72839bb3096c9dff68bdd26a9cf5c195f49e6f08c468f6499e6de1d784893db8ba3f

  • SSDEEP

    49152:UbA30uCU+RsTSd6BGz+ASnjx3xUPJyP9nTuD:UbBvuxwzxSjLS3D

Malware Config

Signatures

  • DcRat 6 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
    "C:\Users\Admin\AppData\Local\Temp\5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\driverruntime\g3T3MhMW2xzvlh0A.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\driverruntime\MdhUpHLszPTunt5Up4v.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\driverruntime\driverruntimereviewwinbroker.exe
          "C:\driverruntime\driverruntimereviewwinbroker.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ejbDvd7gM2.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:932
              • C:\Windows\System32\wbem\dimsroam\unsecapp.exe
                "C:\Windows\System32\wbem\dimsroam\unsecapp.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\TrustedSignalCredProv\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\dimsroam\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\inseng\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ejbDvd7gM2.bat

      Filesize

      210B

      MD5

      17a6e1b210c4c3cf297ac1293b93a3e7

      SHA1

      51baa5e5f6b77ca03dc5290db8b1d9a4384a6f61

      SHA256

      b5cfd897b3aa374f1967e10834e480182e31c79adce426358e8f5b2bc28c89bd

      SHA512

      3967bc028561c50dec5835a8c48fa80c7d8260614a51a5acd08aea33f62b1cc3680b7bdab9741ede2751a75cdf10acfed77c94094aecdf41f5fdaeeee66a91cc

    • C:\driverruntime\MdhUpHLszPTunt5Up4v.bat

      Filesize

      51B

      MD5

      eaa874ab241fd40826c737c1a3b0f3df

      SHA1

      f2f41d0951603bf869076eae8c0d98a11a44c297

      SHA256

      3f0b3977d065cc7ec8939745001b7dc67cfc3f34b7e87e1d54478e6e213fa82f

      SHA512

      4956b8bb8baa3f64ca0436a6974f719e656afb1b520dcd40eb6242eaba52d4031fe50e1eaf24db51925d28aaad4e52f3b61c2969d356703b1729c2be72b50913

    • C:\driverruntime\driverruntimereviewwinbroker.exe

      Filesize

      2.0MB

      MD5

      a0e3c525ca39f040503976ed5e2400f2

      SHA1

      bfe9da78b0643b51193b8710d15d1bd5ea1386a4

      SHA256

      cf7c599a186ce0aef6b817e0134c129f5672b325064c0e742b742f792fd4991b

      SHA512

      96404838178ec94bb3dde32765961d1ce52a6f9d30765dbf3274d35371263848e10e9aaffdfd740077d60c769594ba92011ff2541599b7a67f0178fa93949e28

    • C:\driverruntime\g3T3MhMW2xzvlh0A.vbe

      Filesize

      209B

      MD5

      e4e82fb77d90ca4a807612b8f64fe0fe

      SHA1

      13735e175978dc40037eb7e9de54d403730ceecf

      SHA256

      aaee0f50f9f20338e6bbf9eeea524283d5149505e9def2a9b26172f8f4f8136e

      SHA512

      9853dccc0b32ed12f17a21b3fe76fd3f8297ce6d9798b59a31defc9643793c1ad9363928dec74f2c9eca917ff1a32430e673887db5e42d3d4defee1b3f578638

    • memory/4412-34-0x00000000014B0000-0x00000000014BC000-memory.dmp

      Filesize

      48KB

    • memory/4412-35-0x00000000014D0000-0x00000000014DC000-memory.dmp

      Filesize

      48KB

    • memory/4412-36-0x0000000002EE0000-0x0000000002F36000-memory.dmp

      Filesize

      344KB

    • memory/4412-37-0x00000000014C0000-0x00000000014CA000-memory.dmp

      Filesize

      40KB

    • memory/5076-12-0x00007FFA69883000-0x00007FFA69885000-memory.dmp

      Filesize

      8KB

    • memory/5076-13-0x0000000000480000-0x000000000068C000-memory.dmp

      Filesize

      2.0MB