Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/09/2024, 00:34
Behavioral task: behavioral1
- Sample: 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
- Resource: win10v2004-20240802-en
General
- Target: 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
- Size: 2.3MB
- MD5: 5ea10818a7aa9cb88ac1f17cc5e86989
- SHA1: d253771029ab507d7c64642f6586831305a62a2c
- SHA256: 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27
- SHA512: e3c942832460f6f6ddfe3d0a0a7afa903193bf4b07a3c702d52e7314769f72839bb3096c9dff68bdd26a9cf5c195f49e6f08c468f6499e6de1d784893db8ba3f
- SSDEEP: 49152:UbA30uCU+RsTSd6BGz+ASnjx3xUPJyP9nTuD:UbBvuxwzxSjLS3D
Malware Config
Signatures
- DcRat (6 IoCs)
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  description | ioc | pid | Process
  | | 3164 | schtasks.exe
  | | 2340 | schtasks.exe
  | | 4560 | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | | 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
  | | 1432 | schtasks.exe
  | | 2064 | schtasks.exe
- Process spawned unexpected child process (5 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1432 | 224 | schtasks.exe | 92
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 224 | schtasks.exe | 92
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3164 | 224 | schtasks.exe | 92
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 224 | schtasks.exe | 92
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4560 | 224 | schtasks.exe | 92
  resource | yara_rule
  behavioral2/files/0x0007000000023436-10.dat | dcrat
  behavioral2/memory/5076-13-0x0000000000480000-0x000000000068C000-memory.dmp | dcrat
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | driverruntimereviewwinbroker.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | WScript.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  5076 | driverruntimereviewwinbroker.exe
  4412 | unsecapp.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration\\OfficeClickToRun.exe\"" | driverruntimereviewwinbroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Speech_OneCore\\Engines\\TTS\\RuntimeBroker.exe\"" | driverruntimereviewwinbroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\TrustedSignalCredProv\\lsass.exe\"" | driverruntimereviewwinbroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\dimsroam\\unsecapp.exe\"" | driverruntimereviewwinbroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\inseng\\fontdrvhost.exe\"" | driverruntimereviewwinbroker.exe
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\TrustedSignalCredProv\lsass.exe | driverruntimereviewwinbroker.exe
  File created | C:\Windows\System32\TrustedSignalCredProv\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 | driverruntimereviewwinbroker.exe
  File created | C:\Windows\System32\wbem\dimsroam\unsecapp.exe | driverruntimereviewwinbroker.exe
  File created | C:\Windows\System32\wbem\dimsroam\29c1c3cc0f76855c7e7456076a4ffc27e4947119 | driverruntimereviewwinbroker.exe
  File created | C:\Windows\System32\inseng\fontdrvhost.exe | driverruntimereviewwinbroker.exe
  File created | C:\Windows\System32\inseng\5b884080fd4f94e2695da25c503f9e33b9605b83 | driverruntimereviewwinbroker.exe
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\OfficeClickToRun.exe | driverruntimereviewwinbroker.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\OfficeClickToRun.exe | driverruntimereviewwinbroker.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\e6c9b481da804f07baff8eff543b0a1441069b5d | driverruntimereviewwinbroker.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe | driverruntimereviewwinbroker.exe
  File created | C:\Windows\Speech_OneCore\Engines\TTS\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | driverruntimereviewwinbroker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
  Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | driverruntimereviewwinbroker.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1432 | schtasks.exe
  2064 | schtasks.exe
  3164 | schtasks.exe
  2340 | schtasks.exe
  4560 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  5076 | driverruntimereviewwinbroker.exe
  4412 | unsecapp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5076 | driverruntimereviewwinbroker.exe
  Token: SeDebugPrivilege | 4412 | unsecapp.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 4048 wrote to memory of 2676 | 4048 | 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe | 86
  PID 4048 wrote to memory of 2676 | 4048 | 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe | 86
  PID 4048 wrote to memory of 2676 | 4048 | 5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe | 86
  PID 2676 wrote to memory of 4388 | 2676 | WScript.exe | 93
  PID 2676 wrote to memory of 4388 | 2676 | WScript.exe | 93
  PID 2676 wrote to memory of 4388 | 2676 | WScript.exe | 93
  PID 4388 wrote to memory of 5076 | 4388 | cmd.exe | 95
  PID 4388 wrote to memory of 5076 | 4388 | cmd.exe | 95
  PID 5076 wrote to memory of 1664 | 5076 | driverruntimereviewwinbroker.exe | 101
  PID 5076 wrote to memory of 1664 | 5076 | driverruntimereviewwinbroker.exe | 101
  PID 1664 wrote to memory of 932 | 1664 | cmd.exe | 103
  PID 1664 wrote to memory of 932 | 1664 | cmd.exe | 103
  PID 1664 wrote to memory of 4412 | 1664 | cmd.exe | 107
  PID 1664 wrote to memory of 4412 | 1664 | cmd.exe | 107
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5936b1537b180e8f610f37000936fe1c8979d63616c3131ad1afe33a2c096a27.exe"
  PID: 4048
  signatures: DcRat; Checks computer location settings; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\driverruntime\g3T3MhMW2xzvlh0A.vbe"
    PID: 2676
    signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\driverruntime\MdhUpHLszPTunt5Up4v.bat" "
      PID: 4388
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [4] C:\driverruntime\driverruntimereviewwinbroker.exe
        command line: "C:\driverruntime\driverruntimereviewwinbroker.exe"
        PID: 5076
        signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ejbDvd7gM2.bat"
          PID: 1664
          signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\w32tm.exe
            command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 932
          - [6] C:\Windows\System32\wbem\dimsroam\unsecapp.exe
            command line: "C:\Windows\System32\wbem\dimsroam\unsecapp.exe"
            PID: 4412
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration\OfficeClickToRun.exe'" /rl HIGHEST /f
  PID: 1432
  signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe'" /rl HIGHEST /f
  PID: 2064
  signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\TrustedSignalCredProv\lsass.exe'" /rl HIGHEST /f
  PID: 3164
  signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\dimsroam\unsecapp.exe'" /rl HIGHEST /f
  PID: 2340
  signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\inseng\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 4560
  signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 210B
  MD5: 17a6e1b210c4c3cf297ac1293b93a3e7
  SHA1: 51baa5e5f6b77ca03dc5290db8b1d9a4384a6f61
  SHA256: b5cfd897b3aa374f1967e10834e480182e31c79adce426358e8f5b2bc28c89bd
  SHA512: 3967bc028561c50dec5835a8c48fa80c7d8260614a51a5acd08aea33f62b1cc3680b7bdab9741ede2751a75cdf10acfed77c94094aecdf41f5fdaeeee66a91cc
- Filesize: 51B
  MD5: eaa874ab241fd40826c737c1a3b0f3df
  SHA1: f2f41d0951603bf869076eae8c0d98a11a44c297
  SHA256: 3f0b3977d065cc7ec8939745001b7dc67cfc3f34b7e87e1d54478e6e213fa82f
  SHA512: 4956b8bb8baa3f64ca0436a6974f719e656afb1b520dcd40eb6242eaba52d4031fe50e1eaf24db51925d28aaad4e52f3b61c2969d356703b1729c2be72b50913
- Filesize: 2.0MB
  MD5: a0e3c525ca39f040503976ed5e2400f2
  SHA1: bfe9da78b0643b51193b8710d15d1bd5ea1386a4
  SHA256: cf7c599a186ce0aef6b817e0134c129f5672b325064c0e742b742f792fd4991b
  SHA512: 96404838178ec94bb3dde32765961d1ce52a6f9d30765dbf3274d35371263848e10e9aaffdfd740077d60c769594ba92011ff2541599b7a67f0178fa93949e28
- Filesize: 209B
  MD5: e4e82fb77d90ca4a807612b8f64fe0fe
  SHA1: 13735e175978dc40037eb7e9de54d403730ceecf
  SHA256: aaee0f50f9f20338e6bbf9eeea524283d5149505e9def2a9b26172f8f4f8136e
  SHA512: 9853dccc0b32ed12f17a21b3fe76fd3f8297ce6d9798b59a31defc9643793c1ad9363928dec74f2c9eca917ff1a32430e673887db5e42d3d4defee1b3f578638