Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

df448c9263...32.exe

windows7-x64

10

df448c9263...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df448c9263a19f8471ee6d897a339360d610a44b725e6c28f115ff4da7f70e32.exe

  • Size

    2.4MB

  • MD5

    62e601a986371d6a6ce17d5a78a0feba

  • SHA1

    24fc031ffd01e114fc3f78e1fc302ce3208b431c

  • SHA256

    df448c9263a19f8471ee6d897a339360d610a44b725e6c28f115ff4da7f70e32

  • SHA512

    19a4ab73a01b017a460844ddd7cd77c99452d78eb0e0e921bde6ee1946d4fa460f436a033232fa711c73971a8614c995e985fb9b17d4dadcf486b7d40ab9d02d

  • SSDEEP

    24576:zTbBv5rUNgz5PNmEetaAO6p1mTYhqIizNJ3wZK+Y/mtO/1uia2wf9GsVcoiJBRsd:tBmG5VivbqP3wZKZ/J/Zwf04k8FiGQ+

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\df448c9263a19f8471ee6d897a339360d610a44b725e6c28f115ff4da7f70e32.exe
    "C:\Users\Admin\AppData\Local\Temp\df448c9263a19f8471ee6d897a339360d610a44b725e6c28f115ff4da7f70e32.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\MsChainbrowserweb\IkYDd80xTTPifjZ0ql0Oju60y6xFKjrayyuJ6q3Lt.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\MsChainbrowserweb\VjHSX7CifHTZSyWiEP30gXg6skFL8ARMSgjExtHXuC5j.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\MsChainbrowserweb\ComponentbrowserWebrefsvc.exe
          "C:\MsChainbrowserweb/ComponentbrowserWebrefsvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3176
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fhesqyzu\fhesqyzu.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:4792
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD244.tmp" "c:\Windows\System32\CSC92B1CC5F6B55476C90F31986ABB0E0C1.TMP"
              6⤵
                PID:3960
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PT7y4aVDLh.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2264
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4436
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:1100
                  • C:\Program Files\Java\jdk-1.8\jre\bin\RuntimeBroker.exe
                    "C:\Program Files\Java\jdk-1.8\jre\bin\RuntimeBroker.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1488
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4896
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3184
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MsChainbrowserweb\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MsChainbrowserweb\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MsChainbrowserweb\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5096
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ComponentbrowserWebrefsvcC" /sc MINUTE /mo 7 /tr "'C:\MsChainbrowserweb\ComponentbrowserWebrefsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ComponentbrowserWebrefsvc" /sc ONLOGON /tr "'C:\MsChainbrowserweb\ComponentbrowserWebrefsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ComponentbrowserWebrefsvcC" /sc MINUTE /mo 12 /tr "'C:\MsChainbrowserweb\ComponentbrowserWebrefsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3096

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MsChainbrowserweb\ComponentbrowserWebrefsvc.exe
          Filesize

          1.8MB

          MD5

          fb0f2e049db96d6e8d9e84bda3a08193

          SHA1

          2bb51ca4db5bcf877e68541189fe99e7c070b579

          SHA256

          912f7f6b2a8bc1932e3b02ead638de1fbb5875f947730cf587fa63f63060bae5

          SHA512

          47d7c47730e433bd46b955f65dc3aea00b736e4e3f90fa7cea644e31f16ec12c9254e6039490193426217405935f3309dc88c2bf24672b3d27837e69d5ca35db

          Download Submit

        • C:\MsChainbrowserweb\IkYDd80xTTPifjZ0ql0Oju60y6xFKjrayyuJ6q3Lt.vbe
          Filesize

          240B

          MD5

          93e993dbfd36957a2929c22bb21a8293

          SHA1

          55c48ebcf72e53ebb90108d050255deac4f388f8

          SHA256

          974506b2ad39a3ec0225b5cb3cbb8f774a032679d27ca1af3880ec1371498e19

          SHA512

          c47d40d530b42dfcbc3ef1c225aad7f0e1e18256459b579dd2b46b70ac354b02f6442564528a5991b3a966ab996423c91d863949a7d90b16541ccf9e40ac5a8b

          Download Submit

        • C:\MsChainbrowserweb\VjHSX7CifHTZSyWiEP30gXg6skFL8ARMSgjExtHXuC5j.bat
          Filesize

          101B

          MD5

          b203c0ee33eade47ff78546bd923f433

          SHA1

          7928af76541c7b0e8ba5c32757f44d9954febcde

          SHA256

          5a367b756472a10df4a315e3b98f738f39706d1b57ae90c22dd69518b9b14430

          SHA512

          40e80f6f75061b50d513136ae710a34b584cc3151db3728ba4ad4eeaa12a369b35ed33d242823801d667a838e428f035d1c866940530f9ba8fea6d53e5d56b75

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\PT7y4aVDLh.bat
          Filesize

          231B

          MD5

          b5d022a5ff488499475350adadff3413

          SHA1

          d027675e1c0a1386dec7a239282c89c3c958ad2e

          SHA256

          98fd4fae73eab055a1f2bcb75abcaf23ef0308f18490dcd73053a8a8f918402f

          SHA512

          52c25fca082c3aba6e37a83697b36b8b34727d9d5737437c8ff1376b0c7ced00a41563541a7532631ea9d2c51ed06d88f89a3a87d63c5c8311700083995fb15f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESD244.tmp
          Filesize

          1KB

          MD5

          a9935eee576f0e70476530d5076ed0a6

          SHA1

          61ba48696ee7bb49b4fd8f411ab13dd3bde71583

          SHA256

          df66e710b69c0ba059d1991f7fbb3d7a9dac9c3cc47c00c03fc9a01f92057433

          SHA512

          bbaa7b2b69ac4d85f9e7b427d304769cfe7a6b8897199d2c4495a8d1eff122e8e97c69291fd3d93674815e3b04214eb3c3d74f2d98ce92397e625dd830bb19fb

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\fhesqyzu\fhesqyzu.0.cs
          Filesize

          387B

          MD5

          8d91de5dd3202f91279dc1b2133eeb1f

          SHA1

          c034aff73bc2898665b5faa57db170c2052bef3e

          SHA256

          e789d2d51ef81837788936308b0ec42746e2f10bcf753e6709ee75d04ac9c7c6

          SHA512

          fb15154a371293f24f392d8eff43d5232df95368a8b69ce66f6fed85592faea5c0ed4bc359ce67decf779dec20f6805791e9ce413573d4830751e6f7bf9b38fe

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\fhesqyzu\fhesqyzu.cmdline
          Filesize

          235B

          MD5

          ab2ff7d828c9b34985c648dea110318c

          SHA1

          4d90845ebedf0c3b877e32c57618c8ef22e44b22

          SHA256

          e8f34852125ee651dff25452c2e469636f2f57497f7ddfcc6d24be8ccf6a6cbb

          SHA512

          d394450dd4e47854f5c625d4b4932aeca690e51b19b000313c0cec91bc019ced600bb9611aadb085611bd3c33cce4d0f775a3699d0388d9f511ca408acc17fe8

          Download Submit

        • \??\c:\Windows\System32\CSC92B1CC5F6B55476C90F31986ABB0E0C1.TMP
          Filesize

          1KB

          MD5

          75e32610d8ef6143201c7c28465fcda9

          SHA1

          b2bae99fade2dda07aecbe1659d184be0fc4e7a6

          SHA256

          97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

          SHA512

          b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

          Download Submit

        • memory/3176-17-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3176-22-0x0000000000E90000-0x0000000000E9C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3176-20-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3176-18-0x0000000000F20000-0x0000000000F70000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3176-15-0x0000000000E20000-0x0000000000E2E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3176-13-0x0000000000450000-0x000000000062A000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3176-12-0x00007FF9021C3000-0x00007FF9021C5000-memory.dmp

          Filesize

          8KB

          Download