Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

EC5FDACECC...64.exe

windows7-x64

10

EC5FDACECC...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2025, 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EC5FDACECCEEE343335D6A686CE75864.exe

  • Size

    2.1MB

  • MD5

    ec5fdacecceee343335d6a686ce75864

  • SHA1

    965f210fa2eccd71a866908320cb92eb926b338d

  • SHA256

    d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad

  • SHA512

    533713c84dfcd9d23ffb338d9dd5c237ef6151315037ed8477f91bd89bad02639ee9e936cfc2ea5098f2bbff9e565115b14f71e287297d11328cf9c030512a4c

  • SSDEEP

    49152:IBJi/YtO8s26Kzc1OpFAuD86cmG96kZTRc:ycoxd6Yc1+rXG3Rc

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\EC5FDACECCEEE343335D6A686CE75864.exe
    "C:\Users\Admin\AppData\Local\Temp\EC5FDACECCEEE343335D6A686CE75864.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WebWinBrokerDll\d7VV42fpHwMzBQMSzwM0QGomZi6nsu6X6fwca17SIFxI7SHNedkYCWqtFx6.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\WebWinBrokerDll\OH5MsEg2KeRkhqJt.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\WebWinBrokerDll\BridgeServerruntime.exe
          "C:\WebWinBrokerDll/BridgeServerruntime.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3308
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytmjijja\ytmjijja.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3936
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF09A.tmp" "c:\Windows\System32\CSC640DA536398748EB8435C4027D22287.TMP"
              6⤵
                PID:1584
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Us7SiCACb.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4772
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4724
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:4316
                  • C:\Recovery\WindowsRE\Registry.exe
                    "C:\Recovery\WindowsRE\Registry.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4380
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:828
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2736
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1700
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3964
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4272
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3196
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2408
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "BridgeServerruntimeB" /sc MINUTE /mo 13 /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "BridgeServerruntime" /sc ONLOGON /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "BridgeServerruntimeB" /sc MINUTE /mo 11 /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3048

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\5Us7SiCACb.bat
          Filesize

          210B

          MD5

          7e41dee55ab5e2f17c41c93defa4426e

          SHA1

          17bf179135a92ee80016e12d670571f5bcf37fb8

          SHA256

          4a2b976eeb2f650243882038ba6065d60725d7f7365018c6c8cf96cb419f5df7

          SHA512

          06ebdf4e731b393fbaf653cc60d2dbbefdf7f2d6140169977c2a07ce406c415f9a901993c1eb1d9bdc2aa7c1f6a7f7d87552b43fe260ce2b3d7ae86dd06b3eff

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESF09A.tmp
          Filesize

          1KB

          MD5

          b3e847e867b0c4ac9382d9dd22a42cab

          SHA1

          570dad8f8bc141754e48941188030b453f0fe66b

          SHA256

          8200fe0f25d5a06be87b52ff605e986673843757ba4b9a32e9dcabbc298a3de3

          SHA512

          2d5ecaa97c9da3bae82a3426b7077cc54df7319278802fd2947f20190a638cd74732e812f609d0952dc25921eeec3669bde5088882e26ca9d47b760c5af984b8

          Download Submit

        • C:\WebWinBrokerDll\BridgeServerruntime.exe
          Filesize

          1.8MB

          MD5

          56554dd4e4fb40b0b5e23cbac2632fda

          SHA1

          639002e98be388ecb14d2b973388531a124f2311

          SHA256

          e93b10e93c375f1e7a2ad0df4c213a1630d64cac96e6467dd0926b2d44dac295

          SHA512

          8bc6fb271d6459dcf0c27794dc9f90b83d606c100bc762ada33df238011d0518c85da3c64b37f451706a67030cc99f6a1194d65e2bc5a30ed1e5e029a3bb7288

          Download Submit

        • C:\WebWinBrokerDll\OH5MsEg2KeRkhqJt.bat
          Filesize

          107B

          MD5

          41c6e0e5b5a7be33fd9e1f2c02adcc1e

          SHA1

          1fb52df44fb4a90bcc7311238dedfc1b9ccc6b4f

          SHA256

          f873310a27b36240c42e0d93c877096e7163d2de480caf83fdce2ef1168376e9

          SHA512

          a1ca006a8d9300f3743350243bf90629522bb2f71c80a8f3a6cc41759a5746a9bbe932b69e4ca46de7de3c555d66fe2f86c13a717806cc9acdbc80f02525c0be

          Download Submit

        • C:\WebWinBrokerDll\d7VV42fpHwMzBQMSzwM0QGomZi6nsu6X6fwca17SIFxI7SHNedkYCWqtFx6.vbe
          Filesize

          210B

          MD5

          7f45c1ae3ffa088fd090281714ccd636

          SHA1

          e256ac2063feb5bbda9261ebd6941fe391fd5e62

          SHA256

          096a645b2d6d4d076b4ee48d1e88372c59f895ce7db2a31d8f8aa0132d7ea5bd

          SHA512

          cadcc93806689bf5b7c3679d160bc9000d6597fea1143f60fa98cc3bcc3107d0efeb2abf661d37ac80189d01fba1e43c533a0f0f31b006eda2175a2f558526b5

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\ytmjijja\ytmjijja.0.cs
          Filesize

          366B

          MD5

          53882f0e886941001b9b7eacf4378d3c

          SHA1

          4d1a26a3ea1d3c584565b0bc47927c2d9f2b4ecb

          SHA256

          9eb0612bcf992fa319ad1445db4e4f06b82a0a2b43a2e3057e59336a1b6f8f74

          SHA512

          2881d3d9c7a35cde9740a174907a99e50c12985c9ab58f6d3a6e18ca871a20c29032dcfadb9b7ae8c6eed91a92e9ec336af0e94fc44ddc7e664f543c10c6fcef

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\ytmjijja\ytmjijja.cmdline
          Filesize

          235B

          MD5

          33ffba94f10857e663add7bc6a2b2daa

          SHA1

          d6cd6479707f84877e039e63dcb7160868fbc47c

          SHA256

          61dcbb3b54d8c7861269f2812a002fe972de981af5391ec8180623f8b170f7e3

          SHA512

          5ab275f0174563e814e08d86f968418f4f6c94b8a1b2885c4d011e872f664de8c900080b8b253fc899552864069dd30085e1c76dddbf2a076ccf8784cdedbd1a

          Download Submit

        • \??\c:\Windows\System32\CSC640DA536398748EB8435C4027D22287.TMP
          Filesize

          1KB

          MD5

          634e281a00b7b9f516c3048badfa1530

          SHA1

          af6369715ce2fe9b99609e470d4f66698880a35a

          SHA256

          0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

          SHA512

          1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

          Download Submit

        • memory/3308-12-0x00007FFFCC913000-0x00007FFFCC915000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3308-20-0x000000001C080000-0x000000001C098000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3308-18-0x000000001C0D0000-0x000000001C120000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3308-17-0x000000001C060000-0x000000001C07C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3308-15-0x000000001BCD0000-0x000000001BCDE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3308-13-0x0000000000F50000-0x0000000001120000-memory.dmp

          Filesize

          1.8MB

          Download