Analysis

  • max time kernel
    99s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/11/2024, 11:29

General

  • Target

    8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe

  • Size

    952KB

  • MD5

    41ccbb9f4e1b3b8acbe42f57842a6ab9

  • SHA1

    777288aa34f632b9279a0ef0ef571ed8c32f6ede

  • SHA256

    8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88

  • SHA512

    b1030ff32bea991d7d1ce92fb6eebdeefb2637cc808becc73ff511112c8079cc7228891ab217d51953b22b768c339eaafe6052a6ba1b3b74fb78c6997d8c27e9

  • SSDEEP

    24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXe:x8/KfRTKQ

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
  • Process spawned unexpected child process (16 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 12 IoCs)
  • DCRat payload (5 IoCs)

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 32 IoCs)
  • Checks whether UAC is enabled (1 TTP, 8 IoCs)
  • Drops file in System32 directory (20 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)
  • System policy modification (1 TTP, 12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe
    "C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe
      "C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3888
      • C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe
        "C:\Users\Admin\AppData\Local\Temp\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4844
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e0hKMR8rXX.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3732
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            5⤵
              PID:2984
            • C:\Windows\System32\msxml6r\dllhost.exe
              "C:\Windows\System32\msxml6r\dllhost.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:4316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\dtsh\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\sysmon\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\settings\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\wiaaut\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\wimgapi\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\msxml6r\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\SystemSupportInfo\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\HelpPane\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default\Pictures\TrustedInstaller.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4192

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe

      Filesize

      952KB

      MD5

      2b18fa2331e7384237799d480b482cc8

      SHA1

      ec6b378f43a468e600668b6556545f6d0344e8de

      SHA256

      94cfe19c17e06ba5fd4ba2ab354036dcb41433908cb114688709c24813619d0d

      SHA512

      d9da31bccb6e0ded5355333c0cfa571931322feb6db1e22fefff99c9ec02c303db3c88a3a658aeabdf14f785effd71475e836a785ba8ce43be896fd674b749ab

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88.exe.log

      Filesize

      1KB

      MD5

      7f3c0ae41f0d9ae10a8985a2c327b8fb

      SHA1

      d58622bf6b5071beacf3b35bb505bde2000983e3

      SHA256

      519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

      SHA512

      8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

    • C:\Users\Admin\AppData\Local\Temp\e0hKMR8rXX.bat

      Filesize

      203B

      MD5

      7561861a3b011bdaf75f800d929df2cf

      SHA1

      16f6b11a5f94c09d40675baae6efbb4681d2d2c5

      SHA256

      3418fcf87c308cc413692a468833b191459d7665d1c80b0e4ab04d68c91833f3

      SHA512

      902476043a8f124210aba5139bd58f221e5e557a9188ea4eb0b00a59426525d1b8877cf5bb700110ee5e3674f2acd87e42e7bd9da82fc4ccf3aa1e63d1e0fcd7

    • C:\Users\services.exe

      Filesize

      952KB

      MD5

      b39877034a1b442c2c2011fc0e7622c9

      SHA1

      4a7af69610839f93306a3c9864393a08cb07f0c0

      SHA256

      7186d7fd6a306bf00048322bcfb0b57a3c4592436880712e87f3fe9fbcdfdd7c

      SHA512

      739afe5f03d0506615e959f739f9becbb7ca90a7531eb13413c37cded444a7e5df1a6c4e4ad8de54d0e665a7fb4d88a82b2b773197572eadea42cc372df1c696

    • C:\Windows\sysmon\explorer.exe

      Filesize

      952KB

      MD5

      41ccbb9f4e1b3b8acbe42f57842a6ab9

      SHA1

      777288aa34f632b9279a0ef0ef571ed8c32f6ede

      SHA256

      8437c6899352c57f314716d1c297418831b42ff83833669e4aed0192a5edca88

      SHA512

      b1030ff32bea991d7d1ce92fb6eebdeefb2637cc808becc73ff511112c8079cc7228891ab217d51953b22b768c339eaafe6052a6ba1b3b74fb78c6997d8c27e9

    • C:\Windows\sysmon\explorer.exe

      Filesize

      952KB

      MD5

      7a5d7a8a7908fb824c5d6dae7159e0a7

      SHA1

      6d909ea93d92d04aa9a2e7c220320479da886380

      SHA256

      1742a2487d0a2ed20d55afac0c5c4761c01a083b87aaacddb36988d197abd086

      SHA512

      3915800e172bfd426560bf6ccc15cfce879452067a1920f99b50d9654f6ecf56823e3722d54979783db7fe8e93a518f2b58f577b5505b785058251303cb18eb5

    • memory/2396-4-0x0000000001350000-0x0000000001360000-memory.dmp

      Filesize

      64KB

    • memory/2396-7-0x0000000002D50000-0x0000000002D5A000-memory.dmp

      Filesize

      40KB

    • memory/2396-9-0x0000000002D80000-0x0000000002D8A000-memory.dmp

      Filesize

      40KB

    • memory/2396-8-0x0000000002D60000-0x0000000002D68000-memory.dmp

      Filesize

      32KB

    • memory/2396-10-0x0000000002D90000-0x0000000002D9C000-memory.dmp

      Filesize

      48KB

    • memory/2396-11-0x0000000002DC0000-0x0000000002DCC000-memory.dmp

      Filesize

      48KB

    • memory/2396-5-0x0000000002D30000-0x0000000002D3A000-memory.dmp

      Filesize

      40KB

    • memory/2396-6-0x0000000001360000-0x000000000136C000-memory.dmp

      Filesize

      48KB

    • memory/2396-0-0x00007FFF66363000-0x00007FFF66365000-memory.dmp

      Filesize

      8KB

    • memory/2396-3-0x0000000001340000-0x0000000001350000-memory.dmp

      Filesize

      64KB

    • memory/2396-2-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

      Filesize

      10.8MB

    • memory/2396-102-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

      Filesize

      10.8MB

    • memory/2396-1-0x0000000000AA0000-0x0000000000B94000-memory.dmp

      Filesize

      976KB