Analysis
-
max time kernel
144s -
max time network
29s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
22-11-2022 07:51
General
-
Target
7c00e76d200bb61ac4ad205703541d6d9e11898333759fb876bd5fef0d1fed70.exe
-
Size
1.3MB
-
MD5
e8ab7211bb9f1d8f7853a408c0c4237d
-
SHA1
b201acf68589dce527a2f64496933a524a2a828f
-
SHA256
7c00e76d200bb61ac4ad205703541d6d9e11898333759fb876bd5fef0d1fed70
-
SHA512
fe3b7e3a3b9008aa802d7660b11c1a2b7b953cd222c99287ad891792c35bea51e1523f267e7b1cb0fe80cd140985a52f238fdba835f702b18ac58a00b1cd9c27
-
SSDEEP
24576:U2G/nvxW3Ww0tiZJVZke3TAJ41sh2D0N6ZotQhiY3obwMGgp9FUQ:UbA30iDV6nJmTh3obXGgp9Fl
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c00e76d200bb61ac4ad205703541d6d9e11898333759fb876bd5fef0d1fed70.exe"C:\Users\Admin\AppData\Local\Temp\7c00e76d200bb61ac4ad205703541d6d9e11898333759fb876bd5fef0d1fed70.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\mPQTi.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\0VgGij1TsQ7fEUJcEhLUmBiDHo.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\fontmonitorcommon.exe"C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\fontmonitorcommon.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\is3mtUuvpQ.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\12a0d7a2-621a-11ed-bae9-5e34c4ab0fa3\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
203B
MD521e515f05b043f75a92b771a4345d0b2
SHA13e9056689f8ddf9651571674a47630032dc7be54
SHA256b0d74639b6c8078e69de8b03c0a98148646643b8ae6e28b8df76acab990e106d
SHA512dae91b472df5fc36678639bb8f6f8e3d9692cc4ac7d0bcb966f84e4e79657006299941d65c27157a5c4dfaca2bf039ba8f5bb06a4a2b86ce384b2c0b11ccf103
-
Filesize
59B
MD589803afd00942423ddc4bd21ece57e63
SHA1525a07e5effd35533a75672123dbbf9da73c4d57
SHA256bd260c7f3f5b57e0fa4e12391887a58d2dd3aa9939941b86d98bf4e458f8a1a5
SHA51263b4331cc960837a9701ed80920ca9dfff98816f6c911bee9afc7f22c6f9b7932bcd865dd419704fbda404602535725632c06a97aabaa629b71e74f5dfb81d3e
-
Filesize
1.0MB
MD55d4bd5f30909e3553904956c07f575e8
SHA170c340703499a5ad54e9fe205330e3d295d81c38
SHA256af8557b923fca616c04d38072a1d280afaf868ebcce244aec6385f756fecbf8a
SHA512bbecba1ced46b83690e3f15f36898f8ebd5708991f0942fa92f04eae8c8f6fb5c0b745bdb4bcb898c28be287377b7b078b7f519fb6e4b9c58d95806aec5dec25
-
Filesize
1.0MB
MD55d4bd5f30909e3553904956c07f575e8
SHA170c340703499a5ad54e9fe205330e3d295d81c38
SHA256af8557b923fca616c04d38072a1d280afaf868ebcce244aec6385f756fecbf8a
SHA512bbecba1ced46b83690e3f15f36898f8ebd5708991f0942fa92f04eae8c8f6fb5c0b745bdb4bcb898c28be287377b7b078b7f519fb6e4b9c58d95806aec5dec25
-
Filesize
235B
MD5058e84411de105b1405e3c9f27a26d0c
SHA1e2fff2146a8d83f1c2a8f43f7e4be774a0966252
SHA2566919b7d4b838c5693b3c0e565aaf7fd16e941acc2abdf90348c808c4e9411b53
SHA512caa79323cb92408ad2dafd8c5a98cf9a31ecc092748106fbaf0d83432ab6ce59d56850e7b59224fe2b03e405b758626a6849a099a1bb0b211a24d732ad00bf0f
-
Filesize
1.0MB
MD55d4bd5f30909e3553904956c07f575e8
SHA170c340703499a5ad54e9fe205330e3d295d81c38
SHA256af8557b923fca616c04d38072a1d280afaf868ebcce244aec6385f756fecbf8a
SHA512bbecba1ced46b83690e3f15f36898f8ebd5708991f0942fa92f04eae8c8f6fb5c0b745bdb4bcb898c28be287377b7b078b7f519fb6e4b9c58d95806aec5dec25
-
Filesize
1.0MB
MD55d4bd5f30909e3553904956c07f575e8
SHA170c340703499a5ad54e9fe205330e3d295d81c38
SHA256af8557b923fca616c04d38072a1d280afaf868ebcce244aec6385f756fecbf8a
SHA512bbecba1ced46b83690e3f15f36898f8ebd5708991f0942fa92f04eae8c8f6fb5c0b745bdb4bcb898c28be287377b7b078b7f519fb6e4b9c58d95806aec5dec25
-
Filesize
1.0MB
-
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
-
Filesize
8KB
-
-
-