Analysis
- max time kernel: 122s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-09-2021 15:13
Behavioral task: behavioral1
  Sample: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Resource: win10v20210408
General
- Target: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Size: 1.1MB
- MD5: ba5dc0fc7d1677527cf809bfca28e2b6
- SHA1: df8452d50e4fa2171379bfd499132a08dd725368
- SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
- SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
  Processes:
  resource | yara_rule
  C:\Documents and Settings\spoolsv.exe | dcrat
  C:\Users\spoolsv.exe | dcrat
- Process spawned unexpected child process (9 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1604 | 1552 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1876 | 1552 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 516 | 1552 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 896 | 1552 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 1552 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 112 | 1552 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 1552 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1120 | 1552 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 1552 | schtasks.exe |
- Executes dropped EXE (1 IoC)
  Processes: spoolsv.exe
  pid | process
  1376 | spoolsv.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 9 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\sscore\\spoolsv.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Idle.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba5dc0fc7d1677527cf809bfca28e2b6 = "\"C:\\ProgramData\\Microsoft Help\\ba5dc0fc7d1677527cf809bfca28e2b6.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba5dc0fc7d1677527cf809bfca28e2b6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2ba67d42-8a01-4556-b51e-6d2a52d9fd26\\ba5dc0fc7d1677527cf809bfca28e2b6.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\mfc110kor\\spoolsv.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\Links\\explorer.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Documents and Settings\\spoolsv.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\wsock32\\wininit.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Drops file in System32 directory (6 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  File created | C:\Windows\System32\sscore\spoolsv.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\sscore\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\wsock32\wininit.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\wsock32\560854153607923c4c5f107085a7db67be01f252 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\mfc110kor\spoolsv.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\mfc110kor\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 9 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe
  pid | process
  516 | schtasks.exe
  896 | schtasks.exe
  1508 | schtasks.exe
  112 | schtasks.exe
  1604 | schtasks.exe
  1876 | schtasks.exe
  1752 | schtasks.exe
  1120 | schtasks.exe
  1108 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, spoolsv.exe
  pid | process
  1232 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  1376 | spoolsv.exe
  1376 | spoolsv.exe
  1376 | spoolsv.exe
  1376 | spoolsv.exe
  1376 | spoolsv.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: spoolsv.exe
  pid | process
  1376 | spoolsv.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, spoolsv.exe
  description | pid | process
  Token: SeDebugPrivilege | 1232 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Token: SeDebugPrivilege | 1376 | spoolsv.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, cmd.exe
  description | pid | process | target process
  PID 1232 wrote to memory of 304 | 1232 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | cmd.exe
  PID 1232 wrote to memory of 304 | 1232 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | cmd.exe
  PID 1232 wrote to memory of 304 | 1232 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | cmd.exe
  PID 304 wrote to memory of 852 | 304 | cmd.exe | chcp.com
  PID 304 wrote to memory of 852 | 304 | cmd.exe | chcp.com
  PID 304 wrote to memory of 852 | 304 | cmd.exe | chcp.com
  PID 304 wrote to memory of 1888 | 304 | cmd.exe | w32tm.exe
  PID 304 wrote to memory of 1888 | 304 | cmd.exe | w32tm.exe
  PID 304 wrote to memory of 1888 | 304 | cmd.exe | w32tm.exe
  PID 304 wrote to memory of 1376 | 304 | cmd.exe | spoolsv.exe
  PID 304 wrote to memory of 1376 | 304 | cmd.exe | spoolsv.exe
  PID 304 wrote to memory of 1376 | 304 | cmd.exe | spoolsv.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe"
  Signatures: Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UGvHu4zmyf.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
    - C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Documents and Settings\spoolsv.exe
      Command line: "C:\Documents and Settings\spoolsv.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ba5dc0fc7d1677527cf809bfca28e2b6" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2ba67d42-8a01-4556-b51e-6d2a52d9fd26\ba5dc0fc7d1677527cf809bfca28e2b6.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\mfc110kor\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\sscore\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Documents and Settings\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\wsock32\wininit.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Links\explorer.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ba5dc0fc7d1677527cf809bfca28e2b6" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\ba5dc0fc7d1677527cf809bfca28e2b6.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Documents and Settings\spoolsv.exe
  MD5: ba5dc0fc7d1677527cf809bfca28e2b6
  SHA1: df8452d50e4fa2171379bfd499132a08dd725368
  SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
  SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
- C:\Users\Admin\AppData\Local\Temp\UGvHu4zmyf.bat
  MD5: c924c76b207a8391217662af598973a9
  SHA1: f70e59b2523efbde85ca9f33625a65dd993cd37a
  SHA256: 006b80c3820a9f19fd851b0ac168e7af91f44556c34e5f9902c01b24b4ecb24e
  SHA512: 6cad305c2c7e1d413ac0980ec7b6cc3cdf5fadf31f9ccb00a992d25e41dc6a0f16bfb03c428edfe9c524312ec4919d0d425f80607c7ff51fdd15b303e6b87327
- C:\Users\spoolsv.exe
  MD5: ba5dc0fc7d1677527cf809bfca28e2b6
  SHA1: df8452d50e4fa2171379bfd499132a08dd725368
  SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
  SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
- memory/304-56-0x0000000000000000-mapping.dmp
- memory/852-58-0x0000000000000000-mapping.dmp
- memory/1232-53-0x0000000000DB0000-0x0000000000DB1000-memory.dmp (Filesize: 4KB)
- memory/1232-55-0x000000001B0F0000-0x000000001B0F2000-memory.dmp (Filesize: 8KB)
- memory/1376-61-0x0000000000000000-mapping.dmp
- memory/1376-63-0x0000000000B90000-0x0000000000B91000-memory.dmp (Filesize: 4KB)
- memory/1376-65-0x000000001AE10000-0x000000001AE12000-memory.dmp (Filesize: 8KB)
- memory/1888-59-0x0000000000000000-mapping.dmp