Analysis
- max time kernel: 123s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 07:54
Static task: static1
Behavioral task: behavioral1
Sample: a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
Resource: win7-20220414-en
General
- Target: a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
- Size: 3.9MB
- MD5: 84c119baf2964e44d504f6172d89f593
- SHA1: d74042f52d0a2d5cd4543b6c4a8e31b8a4c5bee4
- SHA256: a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409
- SHA512: 3dcac82230c278b8a1c4e063d79bd308c8e8ee65e71d8e0b371ac8520049fd2a863bc0b9b910989a5e310534aea6fe1274c2774e755ca701b977f8bc983bef6b
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
  Processes:
    resource | yara_rule
    behavioral1/memory/1580-59-0x0000000000C10000-0x0000000001682000-memory.dmp | dcrat
    behavioral1/memory/1580-60-0x0000000000C10000-0x0000000001682000-memory.dmp | dcrat
    behavioral1/memory/1580-69-0x0000000000C10000-0x0000000001682000-memory.dmp | dcrat
    behavioral1/memory/1984-75-0x00000000011A0000-0x0000000001C12000-memory.dmp | dcrat
    behavioral1/memory/1984-76-0x00000000011A0000-0x0000000001C12000-memory.dmp | dcrat
    behavioral1/memory/1984-77-0x00000000011A0000-0x0000000001C12000-memory.dmp | dcrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WmiPrvSE.exe
- Executes dropped EXE 1 IoCs
  Processes:
    pid | process
    1984 | WmiPrvSE.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WmiPrvSE.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WmiPrvSE.exe
- Loads dropped DLL 1 IoCs
  Processes:
    pid | process
    1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
- Processes:
    resource | yara_rule
    behavioral1/memory/1580-59-0x0000000000C10000-0x0000000001682000-memory.dmp | themida
    behavioral1/memory/1580-60-0x0000000000C10000-0x0000000001682000-memory.dmp | themida
    \Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe | themida
    C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe | themida
    behavioral1/memory/1580-69-0x0000000000C10000-0x0000000001682000-memory.dmp | themida
    behavioral1/memory/1984-75-0x00000000011A0000-0x0000000001C12000-memory.dmp | themida
    behavioral1/memory/1984-76-0x00000000011A0000-0x0000000001C12000-memory.dmp | themida
    behavioral1/memory/1984-77-0x00000000011A0000-0x0000000001C12000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  Processes:
    pid | process
    1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    1984 | WmiPrvSE.exe
- Drops file in Program Files directory 6 IoCs
  Processes:
    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    File created | C:\Program Files (x86)\Microsoft Visual Studio 8\24dbde2999530ef5fd907494bc374d663924116c | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    File opened for modification | C:\Program Files\Windows Journal\en-US\explorer.exe | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    File created | C:\Program Files\Windows Journal\en-US\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\csrss.exe | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    File created | C:\Program Files\Microsoft Office\Office14\886983d96e3d3e31032c679b2d4ea91b6c05afef | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
- Drops file in Windows directory 3 IoCs
  Processes:
    description | ioc | process
    File created | C:\Windows\BitLockerDiscoveryVolumeContents\886983d96e3d3e31032c679b2d4ea91b6c05afef | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-n..installer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_148db478a63514af\spoolsv.exe | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
- Creates scheduled task(s) 1 TTPs 5 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid | process
    2004 | schtasks.exe
    1768 | schtasks.exe
    1052 | schtasks.exe
    680 | schtasks.exe
    1332 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
    pid | process
    1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    1984 | WmiPrvSE.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
    Token: SeDebugPrivilege | 1984 | WmiPrvSE.exe
- Suspicious use of WriteProcessMemory 24 IoCs
  Processes (each row was logged four times; 6 distinct rows, 24 entries in total):
    description | pid | process | target process
    PID 1580 wrote to memory of 2004 | 1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe | schtasks.exe (x4)
    PID 1580 wrote to memory of 1768 | 1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe | schtasks.exe (x4)
    PID 1580 wrote to memory of 1052 | 1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe | schtasks.exe (x4)
    PID 1580 wrote to memory of 680 | 1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe | schtasks.exe (x4)
    PID 1580 wrote to memory of 1332 | 1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe | schtasks.exe (x4)
    PID 1580 wrote to memory of 1984 | 1580 | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe | WmiPrvSE.exe (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  Command line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  Command line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\619fcb42-bc70-11ec-bd6f-84e31b84a9f2\smss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  Command line: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\explorer.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  Command line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  Command line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe'" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe (tree depth 2)
  Command line: "C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe
  Filesize: 3.9MB
  MD5: 84c119baf2964e44d504f6172d89f593
  SHA1: d74042f52d0a2d5cd4543b6c4a8e31b8a4c5bee4
  SHA256: a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409
  SHA512: 3dcac82230c278b8a1c4e063d79bd308c8e8ee65e71d8e0b371ac8520049fd2a863bc0b9b910989a5e310534aea6fe1274c2774e755ca701b977f8bc983bef6b
- \Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe
  Filesize: 3.9MB
  MD5: 84c119baf2964e44d504f6172d89f593
  SHA1: d74042f52d0a2d5cd4543b6c4a8e31b8a4c5bee4
  SHA256: a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409
  SHA512: 3dcac82230c278b8a1c4e063d79bd308c8e8ee65e71d8e0b371ac8520049fd2a863bc0b9b910989a5e310534aea6fe1274c2774e755ca701b977f8bc983bef6b
- memory/680-64-0x0000000000000000-mapping.dmp
- memory/1052-63-0x0000000000000000-mapping.dmp
- memory/1332-65-0x0000000000000000-mapping.dmp
- memory/1580-71-0x0000000077860000-0x00000000779E0000-memory.dmp
  Filesize: 1.5MB
- memory/1580-55-0x0000000000C10000-0x0000000001682000-memory.dmp
  Filesize: 10.4MB
- memory/1580-54-0x0000000076811000-0x0000000076813000-memory.dmp
  Filesize: 8KB
- memory/1580-60-0x0000000000C10000-0x0000000001682000-memory.dmp
  Filesize: 10.4MB
- memory/1580-59-0x0000000000C10000-0x0000000001682000-memory.dmp
  Filesize: 10.4MB
- memory/1580-56-0x0000000077860000-0x00000000779E0000-memory.dmp
  Filesize: 1.5MB
- memory/1580-70-0x0000000006380000-0x0000000006DF2000-memory.dmp
  Filesize: 10.4MB
- memory/1580-69-0x0000000000C10000-0x0000000001682000-memory.dmp
  Filesize: 10.4MB
- memory/1768-62-0x0000000000000000-mapping.dmp
- memory/1984-67-0x0000000000000000-mapping.dmp
- memory/1984-75-0x00000000011A0000-0x0000000001C12000-memory.dmp
  Filesize: 10.4MB
- memory/1984-76-0x00000000011A0000-0x0000000001C12000-memory.dmp
  Filesize: 10.4MB
- memory/1984-77-0x00000000011A0000-0x0000000001C12000-memory.dmp
  Filesize: 10.4MB
- memory/1984-78-0x0000000077860000-0x00000000779E0000-memory.dmp
  Filesize: 1.5MB
- memory/2004-61-0x0000000000000000-mapping.dmp