Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

1bafdc2e89...1N.exe

windows7-x64

10

1bafdc2e89...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/12/2024, 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe

  • Size

    952KB

  • MD5

    ea363f97b2eb4114d986a81633f21b20

  • SHA1

    5358a564395c004068ed9907cc6a0809801b8581

  • SHA256

    1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11

  • SHA512

    b40d208dea8daa1ada700aa93e2559f3ee2d11e8f59b38a288ef8d402a8a11eef3636dd3460d21b72bf3bca78bd2c8ebfc9690bc95e40dd79e427e1122be1096

  • SSDEEP

    24576:2+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:R8/KfRTK

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 20 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
    "C:\Users\Admin\AppData\Local\Temp\1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:804
    • C:\Users\Admin\Saved Games\dwm.exe
      "C:\Users\Admin\Saved Games\dwm.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\C_860\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\C_936\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDBR\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\iprtrmgr\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\TAPI\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.371\dllhost.exe
    Filesize

    952KB

    MD5

    ea363f97b2eb4114d986a81633f21b20

    SHA1

    5358a564395c004068ed9907cc6a0809801b8581

    SHA256

    1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11

    SHA512

    b40d208dea8daa1ada700aa93e2559f3ee2d11e8f59b38a288ef8d402a8a11eef3636dd3460d21b72bf3bca78bd2c8ebfc9690bc95e40dd79e427e1122be1096

    Download Submit

  • C:\Program Files (x86)\Google\Update\1.3.36.371\dllhost.exe
    Filesize

    952KB

    MD5

    5cf42ff03cf88b2f63827a0a05abb1b9

    SHA1

    81fd29f49d53c52db42c2713411cd85a5650b37f

    SHA256

    75489ccaf9487d5d9f96707ef97a0c4ccf7764d9b05d281ea55fd00c64589948

    SHA512

    b5db43de4f3b60a9662039b0d5f0aec07869bdb0e5a97255c57fb08974f26c1db2c6d81f98c19358ce28f612d767df4533c39199d9262f76489953b337a928b7

    Download Submit

  • C:\Users\Admin\Saved Games\dwm.exe
    Filesize

    952KB

    MD5

    04de5ec5e5ef5482f47a1938bc31a825

    SHA1

    86846e5e527df9a968742f432424e0f27274691c

    SHA256

    9d21f5f086d7b5cabb2f96d5b904e442e115e9a8b4e575907318e102fdd7ec6a

    SHA512

    3dc788702aef7012dd64625fffc2555afc274a966de9564fcb94de82c9b5a7700635c15a37ea5f25250a26f55f3c632ec5cfcabe0410907c77fb0f222b4a7a92

    Download Submit

  • C:\Windows\Cursors\RuntimeBroker.exe
    Filesize

    952KB

    MD5

    fa54ae1bdeb189a08b55b9c1d35add76

    SHA1

    453c8506375b9bca66d9e37051b187604daa8476

    SHA256

    93de58f91c81313f8e6700b1f65f450ea61c0facb16d91c2133df22ab4f36446

    SHA512

    8cfcb1395c6614c970b54158cc73ad1ae5b75596733e4ff66d9f2a47eddc0423fae45c4caa7032b270a94b9ae076b298c56e9f68f55f23ab243224894542f5ab

    Download Submit

  • C:\Windows\System32\C_936\SppExtComObj.exe
    Filesize

    952KB

    MD5

    53c530051a5b50a5c37530ca7abfe7fe

    SHA1

    78f1097ffb90d77b61e60a8f80d605c7ed855f3e

    SHA256

    9a001d0bc02c3e7ec58476408d52b97398d87c84d304e9964e0455a76a1a5b25

    SHA512

    cc81dbb0ddc0deb8c3cd27ef74b5c41791f482cb1822ad36b5741c8a61f4e1445b3681098fdf7d5cff3942d531a6a15a2789168d270ace628381070d5a1d9a26

    Download Submit

  • C:\Windows\System32\iprtrmgr\lsass.exe
    Filesize

    952KB

    MD5

    67cb4ddfd9a380160b24649eca6c6f80

    SHA1

    a7f28f4f24686cea8fe17818c12d0024feb50403

    SHA256

    55fa7cb16a401abf638ca06dfd49dae7050ba5c20ae0c3bb18592fab1cf7aee8

    SHA512

    eb810fb188a98370b448036c12fa1afe84371e8591f3aa2666c1daba44c632305014b2e2180f78c3fc82097a77038e0fce89e8b789dd5791cdf6cd2c46478408

    Download Submit

  • memory/452-134-0x0000000000290000-0x0000000000384000-memory.dmp

    Filesize

    976KB

    Download

  • memory/804-5-0x0000000000B10000-0x0000000000B1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/804-8-0x0000000002410000-0x0000000002418000-memory.dmp

    Filesize

    32KB

    Download

  • memory/804-10-0x0000000002430000-0x000000000243C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/804-11-0x0000000002440000-0x000000000244C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/804-9-0x0000000002420000-0x000000000242A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/804-7-0x0000000000B30000-0x0000000000B3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/804-6-0x0000000000B20000-0x0000000000B2C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/804-0-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/804-4-0x0000000000B00000-0x0000000000B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/804-3-0x0000000000AF0000-0x0000000000B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/804-2-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/804-133-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/804-1-0x0000000000240000-0x0000000000334000-memory.dmp

    Filesize

    976KB

    Download