Analysis
-
max time kernel
148s -
max time network
200s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
09-02-2022 03:36
General
-
Target
a77873bfea27896f94731478d64541a3.exe
-
Size
873KB
-
MD5
a77873bfea27896f94731478d64541a3
-
SHA1
9d9596b12d51e06dd1c509c3df0cb7432fb60156
-
SHA256
0c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e
-
SHA512
34c94a9e432bb0d4e2154ca80d2a42bb47e4a3ff29a5ecb9d24eb4db235a3dfb7e6c532edb05bcb4a1e299c4b040e39d2c0eeeac8593e7b0babcdaf834e49a0e
Score
10/10
Malware Config
Signatures
-
DcRat 19 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 17 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 17 IoCs
-
Drops file in System32 directory 16 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\26eGvL4Yp3.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"3⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"4⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fe3bVRSd9I.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
C:\Windows\Offline Web Pages\csrss.exe"C:\Windows\Offline Web Pages\csrss.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\ubpm\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\msdfmap\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Documents\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\cero\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\net1\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\audit\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\mssprxy\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\System32\wuaueng\schtasks.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\iprtrmgr\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\KBDINORI\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\26eGvL4Yp3.batMD5
78dd51129ebdea4ebb993dc9ca37a8ee
SHA1c601a95edfd9c0d4a91f6134414e6c41fe3f884f
SHA2568d5c459c46e5f2ecf887e2274f99d2c2e0de7c03c191bf84e40cb97bad850346
SHA51233667a67451439f0586060f750808d0e8f0d1d969874cca8805f7efecb67280c0dd0814e7ae6a9e9c5002ba889cd0348c9a4b8136221ded02a01e38a522b0e83
-
C:\Users\Admin\AppData\Local\Temp\fe3bVRSd9I.batMD5
badc7938dc950c667619db04d383bf32
SHA1c171dfd280baa23635583108026768f79e9633b6
SHA2569def1ad908b6170199f63b3fe290707678ef1fbe4dfcc2161078d22efa0028b2
SHA5121143621cbced6fe1d7989537a23f12a1e3350e7d2a25a4417b28072f1a87d32a3ea1c5919176f4170504588bb4bf0963ab55225571d5b9cff518bc6590dda4f2
-
C:\Windows\Offline Web Pages\csrss.exeMD5
a77873bfea27896f94731478d64541a3
SHA19d9596b12d51e06dd1c509c3df0cb7432fb60156
SHA2560c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e
SHA51234c94a9e432bb0d4e2154ca80d2a42bb47e4a3ff29a5ecb9d24eb4db235a3dfb7e6c532edb05bcb4a1e299c4b040e39d2c0eeeac8593e7b0babcdaf834e49a0e
-
C:\Windows\Offline Web Pages\csrss.exeMD5
a77873bfea27896f94731478d64541a3
SHA19d9596b12d51e06dd1c509c3df0cb7432fb60156
SHA2560c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e
SHA51234c94a9e432bb0d4e2154ca80d2a42bb47e4a3ff29a5ecb9d24eb4db235a3dfb7e6c532edb05bcb4a1e299c4b040e39d2c0eeeac8593e7b0babcdaf834e49a0e
-
memory/1616-56-0x000000001AFF0000-0x000000001AFF2000-memory.dmpFilesize
8KB
-
memory/1616-55-0x0000000000B90000-0x0000000000C72000-memory.dmpFilesize
904KB
-
memory/1616-54-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmpFilesize
4KB
-
memory/1620-61-0x000007FEF5313000-0x000007FEF5314000-memory.dmpFilesize
4KB
-
memory/1620-62-0x000000001AFA0000-0x000000001AFA2000-memory.dmpFilesize
8KB
-
memory/1896-59-0x000007FEF5313000-0x000007FEF5314000-memory.dmpFilesize
4KB
-
memory/1896-60-0x0000000000410000-0x0000000000412000-memory.dmpFilesize
8KB
-
memory/1896-58-0x0000000000D10000-0x0000000000DF2000-memory.dmpFilesize
904KB
-
memory/1984-66-0x00000000001A0000-0x0000000000282000-memory.dmpFilesize
904KB
-
memory/1984-68-0x000000001AF30000-0x000000001AF32000-memory.dmpFilesize
8KB
-
memory/1984-67-0x000007FEF5623000-0x000007FEF5624000-memory.dmpFilesize
4KB