Analysis
- max time kernel: 123s
- max time network: 150s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01/11/2022, 23:08
Behavioral task: behavioral1
- Sample: 4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe
- Resource: win10-20220901-en
General
- Target: 4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe
- Size: 1.3MB
- MD5: 520e77f53f92ef7e28948e1939f94651
- SHA1: 0f72452004ae38b62defec4e9a27525a1ce85ea7
- SHA256: 4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b
- SHA512: c95375b082d27ad7995c80be71a1695804631deb62a5a68910b0def008079646afa7652736793d5a08b914973b9053134f2f40987ec7fe9efb4575c1ecec1c7c
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  resource | yara_rule
  behavioral1/files/0x000900000001abba-284.dat | dcrat
  behavioral1/files/0x000900000001abba-285.dat | dcrat
  behavioral1/memory/4256-286-0x0000000000EA0000-0x0000000000FB0000-memory.dmp | dcrat
  behavioral1/files/0x000600000001abcb-306.dat | dcrat
  behavioral1/files/0x000600000001abcb-305.dat | dcrat
- Process spawned unexpected child process (9 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5076 | 3348 | schtasks.exe | 70
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4940 | 3348 | schtasks.exe | 70
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 3348 | schtasks.exe | 70
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4392 | 3348 | schtasks.exe | 70
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4232 | 3348 | schtasks.exe | 70
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4424 | 3348 | schtasks.exe | 70
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4684 | 3348 | schtasks.exe | 70
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3164 | 3348 | schtasks.exe | 70
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4604 | 3348 | schtasks.exe | 70
- Executes dropped EXE (2 IoCs)
  pid | Process
  4256 | DllCommonsvc.exe
  3936 | spoolsv.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe | DllCommonsvc.exe
  File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\9e8d7a4ca61bd9 | DllCommonsvc.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Resources\Maps\font\spoolsv.exe | DllCommonsvc.exe
  File created | C:\Windows\Resources\Maps\font\f3b6ecef712a24 | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 9 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  5076 | schtasks.exe
  3164 | schtasks.exe
  4604 | schtasks.exe
  4684 | schtasks.exe
  4940 | schtasks.exe
  2780 | schtasks.exe
  4392 | schtasks.exe
  4232 | schtasks.exe
  4424 | schtasks.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | 4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid | Process
  4256 | DllCommonsvc.exe
  4256 | DllCommonsvc.exe
  4256 | DllCommonsvc.exe
  4256 | DllCommonsvc.exe
  4256 | DllCommonsvc.exe
  4256 | DllCommonsvc.exe
  4256 | DllCommonsvc.exe
  2880 | powershell.exe
  4500 | powershell.exe
  4544 | powershell.exe
  4476 | powershell.exe
  4500 | powershell.exe
  3936 | spoolsv.exe
  2880 | powershell.exe
  4544 | powershell.exe
  4476 | powershell.exe
  4500 | powershell.exe
  2880 | powershell.exe
  4544 | powershell.exe
  4476 | powershell.exe
  3936 | spoolsv.exe
  3936 | spoolsv.exe
  3936 | spoolsv.exe
  3936 | spoolsv.exe
  3936 | spoolsv.exe
  3936 | spoolsv.exe
  3936 | spoolsv.exe
  3936 | spoolsv.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3936 | spoolsv.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4256 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2880 | powershell.exe
  Token: SeDebugPrivilege | 4500 | powershell.exe
  Token: SeDebugPrivilege | 4544 | powershell.exe
  Token: SeDebugPrivilege | 3936 | spoolsv.exe
  Token: SeDebugPrivilege | 4476 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4500 | powershell.exe
  Token: SeSecurityPrivilege | 4500 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4500 | powershell.exe
  Token: SeLoadDriverPrivilege | 4500 | powershell.exe
  Token: SeSystemProfilePrivilege | 4500 | powershell.exe
  Token: SeSystemtimePrivilege | 4500 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4500 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4500 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4500 | powershell.exe
  Token: SeBackupPrivilege | 4500 | powershell.exe
  Token: SeRestorePrivilege | 4500 | powershell.exe
  Token: SeShutdownPrivilege | 4500 | powershell.exe
  Token: SeDebugPrivilege | 4500 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4500 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4500 | powershell.exe
  Token: SeUndockPrivilege | 4500 | powershell.exe
  Token: SeManageVolumePrivilege | 4500 | powershell.exe
  Token: 33 | 4500 | powershell.exe
  Token: 34 | 4500 | powershell.exe
  Token: 35 | 4500 | powershell.exe
  Token: 36 | 4500 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2880 | powershell.exe
  Token: SeSecurityPrivilege | 2880 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2880 | powershell.exe
  Token: SeLoadDriverPrivilege | 2880 | powershell.exe
  Token: SeSystemProfilePrivilege | 2880 | powershell.exe
  Token: SeSystemtimePrivilege | 2880 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2880 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2880 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2880 | powershell.exe
  Token: SeBackupPrivilege | 2880 | powershell.exe
  Token: SeRestorePrivilege | 2880 | powershell.exe
  Token: SeShutdownPrivilege | 2880 | powershell.exe
  Token: SeDebugPrivilege | 2880 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2880 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2880 | powershell.exe
  Token: SeUndockPrivilege | 2880 | powershell.exe
  Token: SeManageVolumePrivilege | 2880 | powershell.exe
  Token: 33 | 2880 | powershell.exe
  Token: 34 | 2880 | powershell.exe
  Token: 35 | 2880 | powershell.exe
  Token: 36 | 2880 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4544 | powershell.exe
  Token: SeSecurityPrivilege | 4544 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4544 | powershell.exe
  Token: SeLoadDriverPrivilege | 4544 | powershell.exe
  Token: SeSystemProfilePrivilege | 4544 | powershell.exe
  Token: SeSystemtimePrivilege | 4544 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4544 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4544 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4544 | powershell.exe
  Token: SeBackupPrivilege | 4544 | powershell.exe
  Token: SeRestorePrivilege | 4544 | powershell.exe
  Token: SeShutdownPrivilege | 4544 | powershell.exe
  Token: SeDebugPrivilege | 4544 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4544 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4544 | powershell.exe
  Token: SeUndockPrivilege | 4544 | powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 520 wrote to memory of 1192 | 520 | 4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe | 66
  PID 520 wrote to memory of 1192 | 520 | 4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe | 66
  PID 520 wrote to memory of 1192 | 520 | 4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe | 66
  PID 1192 wrote to memory of 3308 | 1192 | WScript.exe | 67
  PID 1192 wrote to memory of 3308 | 1192 | WScript.exe | 67
  PID 1192 wrote to memory of 3308 | 1192 | WScript.exe | 67
  PID 3308 wrote to memory of 4256 | 3308 | cmd.exe | 69
  PID 3308 wrote to memory of 4256 | 3308 | cmd.exe | 69
  PID 4256 wrote to memory of 2880 | 4256 | DllCommonsvc.exe | 80
  PID 4256 wrote to memory of 2880 | 4256 | DllCommonsvc.exe | 80
  PID 4256 wrote to memory of 4500 | 4256 | DllCommonsvc.exe | 87
  PID 4256 wrote to memory of 4500 | 4256 | DllCommonsvc.exe | 87
  PID 4256 wrote to memory of 4544 | 4256 | DllCommonsvc.exe | 81
  PID 4256 wrote to memory of 4544 | 4256 | DllCommonsvc.exe | 81
  PID 4256 wrote to memory of 4476 | 4256 | DllCommonsvc.exe | 82
  PID 4256 wrote to memory of 4476 | 4256 | DllCommonsvc.exe | 82
  PID 4256 wrote to memory of 3936 | 4256 | DllCommonsvc.exe | 88
  PID 4256 wrote to memory of 3936 | 4256 | DllCommonsvc.exe | 88
Processes
(1) C:\Users\Admin\AppData\Local\Temp\4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4a3ba8b0a6481dfd117378412914189acf521eaa18abfaa8df534194b522752b.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 520
  (2) C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 1192
    (3) C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 3308
      (4) C:\providercommon\DllCommonsvc.exe
          Command line: "C:\providercommon\DllCommonsvc.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 4256
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2880
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4544
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Maps\font\spoolsv.exe'
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4476
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4500
        (5) C:\Windows\Resources\Maps\font\spoolsv.exe
            Command line: "C:\Windows\Resources\Maps\font\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID: 3936
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 5076
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4940
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2780
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4392
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4232
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4424
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Maps\font\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4684
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Resources\Maps\font\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3164
(1) C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Maps\font\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4604
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- Filesize: 1KB
  MD5: cf984b340a13d94e95974a870964cb5d
  SHA1: 3b12d93122209011b2979c9b3696f8ec39be0930
  SHA256: 2ce32dff322ac329eedac074e4cd5fc2f57aa33698968e652b43f2914abaf4e8
  SHA512: 17ef5e9a2e0e03d109ce0c67583bbdc93a1f6bf4bac5be49b02e2ff228973ddb37bdf1d910e6519aa79c9b71ae36ebebf00e80ae8e0fc9c260e6112a7aac9b77
- Filesize: 1KB
  MD5: 754c29885a91889d54e37ff5501b2c64
  SHA1: 4dc3c40717cd0fae4a04f53e54a5bd80f3bfc319
  SHA256: 2f6b1a2b6ce7d300327567e9e1f1247a7b7a5c180b2c9ae4a4a55d2104ef9f64
  SHA512: c754fd14dd55993c0ff29cb272a46b5c2b3168915c9a462da3c2fe2b99a9ae23c082f086ec5df95bc5f3b8a6f0db6a08414311b1c586e2d4b3e712298ff7057d
- Filesize: 1KB
  MD5: eee650941238a0417fa9adcd8e377f84
  SHA1: bf4c47612f3894a5b6de879331d82858b5280bb8
  SHA256: 9047159f95dc8925676e00f9abbdadd65e19531850e4ceac8f752e2b8d918535
  SHA512: 6e442f8466ffa3e0bcd29772e9e7f77ce18c22d26d5f1621e33f6132f3807f17c7a2ade1446277327381c7be05d440024097b65fabc143ba0d9db6621d95031e
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478