Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20-01-2022 13:18
General
-
Target
ad7507c90821598ae3ed6e8b6c3fdb36.exe
-
Size
1.3MB
-
MD5
ad7507c90821598ae3ed6e8b6c3fdb36
-
SHA1
b94839035eb055acacef724166489e2c0cb60eaa
-
SHA256
785ebbdf0f15d1bb1fd3bbe1fb5a3486dead09dae463c91368653510c3814aee
-
SHA512
ca43450c10e387a95ad6763e2f888096d7f87dc274bdb3f6720e4bc7fa3d214af72bc10a47f7ac2f00b44823511709ed1ad0f86201122bae3707c23463dff179
Malware Config
Signatures
-
DcRat 12 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 10 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Drops file in System32 directory 17 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad7507c90821598ae3ed6e8b6c3fdb36.exe"C:\Users\Admin\AppData\Local\Temp\ad7507c90821598ae3ed6e8b6c3fdb36.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriversavesRuntimecommon\OkPX18dWDtVLA0gJUAYq8tEymJIvb.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\DriversavesRuntimecommon\i8SeDW7.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe"C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe"4⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mCeKmEwry1.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
C:\Program Files\Windows Mail\de-DE\conhost.exe"C:\Program Files\Windows Mail\de-DE\conhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriversavesRuntimecommon\file.vbs"2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\lpk\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\iassvcs\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDSOREX\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\cic\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\ScavengeSpace\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\networkexplorer\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\SensApi\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\comcat\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
C:\DriversavesRuntimecommon\OkPX18dWDtVLA0gJUAYq8tEymJIvb.vbeMD5
d71998b7f7a50d7f82c3cb8240b75ef1
SHA1278f6bc21583b6258b248c34a6b65cfcc752b4be
SHA256bb473710e90bc6be56e175b4fdb382aad5cdfd77571b313235db621ede9e6c41
SHA512c89201101b21d62a3327ab0365edeeaf1379d4c7bf6fe3449ee211707e82e8f8a78132ba8777bd935bc450684d63d8353540811dad0da76ae532a565d2919b7e
-
C:\DriversavesRuntimecommon\file.vbsMD5
677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\DriversavesRuntimecommon\i8SeDW7.batMD5
39a43637ff068395e3f1cc29d619b61d
SHA17832b43422507b545276b0338362619529e7f964
SHA2566b74040331ca65b2959ced9dd6768cc93c7e22db31f603e9497ba88d1e5b0d79
SHA512b2a17cde1425cf59659fc941250134487f567b28a2ced716771a7152888739a2cbf61296625b9a9f21269fb2c81df3f2431d4239cb359c9bfea94685e4fb7dd7
-
C:\Program Files\Windows Mail\de-DE\conhost.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
C:\Program Files\Windows Mail\de-DE\conhost.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
C:\Users\Admin\AppData\Local\Temp\mCeKmEwry1.batMD5
6a0e63067c5e21d0392b4b1131b5336d
SHA159cc7ab3bc87004c355a140812a3769b53df589a
SHA2565bde71de601acc5808a8a77123b10de9b3717acd9083bbe0afb2145d91ef898e
SHA512962496ddb4d73e04ade2599ae48099dff866334fabee870fca010a1c599991defd5229d588dff389c429bba9262ccfa59db7e7115e0c97e1e8d7e00abb94a6d7
-
\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
memory/428-72-0x0000000000E00000-0x0000000000EFE000-memory.dmpFilesize
1016KB
-
memory/428-73-0x0000000000240000-0x0000000000252000-memory.dmpFilesize
72KB
-
memory/428-74-0x000000001B300000-0x000000001B302000-memory.dmpFilesize
8KB
-
memory/1516-66-0x000000001B120000-0x000000001B122000-memory.dmpFilesize
8KB
-
memory/1516-67-0x0000000000240000-0x0000000000252000-memory.dmpFilesize
72KB
-
memory/1516-68-0x0000000000370000-0x0000000000378000-memory.dmpFilesize
32KB
-
memory/1516-65-0x0000000000250000-0x000000000034E000-memory.dmpFilesize
1016KB
-
memory/1568-55-0x0000000076371000-0x0000000076373000-memory.dmpFilesize
8KB