Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-01-2023 08:01
Static task: static1
Behavioral task: behavioral1
- Sample: da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
- Resource: win10v2004-20220812-en
General
- Target: da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
- Size: 1.5MB
- MD5: a56ceff4ed3d8f469e16324d0109e3c6
- SHA1: 0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f
- SHA256: da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55
- SHA512: 45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642
- SSDEEP: 24576:ewCXoM4MF0QizuJ7dhu+M9bvIpFeHb5APIYwXKhFuDTzz/UNR:72ojMYzuJHu/9bvIOCwf0uDz+R
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET remote access trojan active since June 2019, capable of loading additional plugins (this report also shows browser-data and cryptocurrency-wallet access consistent with its stealer functionality).
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. When the parent is WmiPrvSE.exe (the WMI provider host), as it is for all twelve hits here, the usual explanation is not a compromised WmiPrvSE.exe but a WMI Win32_Process.Create call issued by the malware: the child is then created by the provider host and appears under it rather than under the real creator, which breaks the parent/child chain that tree-based detections and this report's own process tree rely on.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4800 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4792 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1660 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1320 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4116 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3540 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4140 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3340 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1644 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5012 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1512 | 3572 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3432 | 3572 | schtasks.exe |
-
Processes:
resource | yara_rule
behavioral2/memory/3444-132-0x00000000001C0000-0x0000000000608000-memory.dmp | dcrat
behavioral2/memory/3444-133-0x00000000001C0000-0x0000000000608000-memory.dmp | dcrat
behavioral2/memory/3444-141-0x00000000001C0000-0x0000000000608000-memory.dmp | dcrat
behavioral2/memory/1344-143-0x0000000000F60000-0x00000000013A8000-memory.dmp | dcrat
behavioral2/memory/1344-144-0x0000000000F60000-0x00000000013A8000-memory.dmp | dcrat
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1344 | wininit.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
Processes:
pid | process
3444 | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1344 | wininit.exe (16 hits)
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Windows Security\wininit.exe | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created | C:\Program Files\Windows Security\56085415360792 | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but for this sample, a RAT that also reads browser profile data and cryptocurrency wallet files, drive enumeration is more consistent with locating files to collect than with encryption; no file-encryption or ransom-note activity appears in this report.
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4800 | schtasks.exe
4792 | schtasks.exe
1660 | schtasks.exe
4140 | schtasks.exe
5012 | schtasks.exe
3432 | schtasks.exe
1320 | schtasks.exe
4116 | schtasks.exe
3540 | schtasks.exe
3340 | schtasks.exe
1644 | schtasks.exe
1512 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid | process
3444 | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe (5 hits)
1344 | wininit.exe (15 hits)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1344 | wininit.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3444 | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
Token: SeDebugPrivilege | 1344 | wininit.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
3444 | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1344 | wininit.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 3444 wrote to memory of 1344 | 3444 | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe | wininit.exe
PID 3444 wrote to memory of 1344 | 3444 | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe | wininit.exe
PID 3444 wrote to memory of 1344 | 3444 | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe | wininit.exe
Processes
Note: the twelve schtasks.exe entries appear at depth 1, beside the sample rather than beneath it, because their recorded parent is WmiPrvSE.exe (PID 3572, see "Process spawned unexpected child process"), which is not part of the submitted sample's lineage. Only the wininit.exe target is observed being written in this report ("Drops file in Program Files directory"); the RuntimeBroker.exe, spoolsv.exe and System.exe targets are referenced by the tasks but no corresponding file creation is recorded here.
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe"
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Program Files\Windows Security\wininit.exe
  Command line: "C:\Program Files\Windows Security\wininit.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\odt\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
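The twelve schtasks.exe invocations above, together with the "Process spawned unexpected child process" signature, are the most detection-relevant part of this report: every task points a Windows system binary name (RuntimeBroker.exe, spoolsv.exe, wininit.exe) or a non-existent one (System.exe) at a directory other than the one the genuine binary lives in, the ONLOGON and several MINUTE tasks request /rl HIGHEST, the rest re-launch the target every few minutes, and the parent of every schtasks.exe is WmiPrvSE.exe rather than the sample. The following Python is an added example, not part of the sandbox output or of DcRat, that runs exactly those three checks over process-creation events constructed to mirror the tree. The PIDs, images and command lines come from the report; the pairing of each PID with a specific command line, the event record layout, the benign control event and the EXPECTED_DIRS table are assumptions of this example.

```python
"""Added example: flag schtasks.exe persistence over process-creation events
constructed to mirror the report's process tree. PIDs, images and command
lines come from the report; the PID/command-line pairing, the event layout,
the benign control event and EXPECTED_DIRS are assumptions of this example."""
import re
from dataclasses import dataclass

# Binary names the tasks impersonate, with the directory of the genuine copy
# (assumed reference table; None = no such Windows binary, any path is suspect).
EXPECTED_DIRS = {
    "wininit.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "system.exe": None,
}

@dataclass
class ProcEvent:          # assumed record layout (Sysmon EID 1 has the same fields)
    pid: int
    ppid: int
    image: str
    cmdline: str

# One schtasks switch plus its optional value; quoted values may contain spaces.
ARG_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')

def parse_schtasks(cmdline: str) -> dict:
    """Map switch name -> value (None for bare flags such as /create or /f)."""
    opts = {}
    for m in ARG_RE.finditer(cmdline):
        val = m.group(2)
        # the report's /tr values are wrapped as "'C:\path\file.exe'"
        opts[m.group(1).lower()] = None if val is None else val.strip('"').strip("'")
    return opts

def task_findings(opts: dict) -> list:
    """Why a /create invocation looks like persistence rather than admin work."""
    reasons = []
    folder, _, name = (opts.get("tr") or "").lower().rpartition("\\")
    if name in EXPECTED_DIRS and EXPECTED_DIRS[name] != folder:
        reasons.append(f"{name} masquerade: launched from {folder or '?'}")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        reasons.append("task runs with highest privileges")
    if (opts.get("sc") or "").upper() == "MINUTE":
        reasons.append(f"re-launched every {opts.get('mo')} minutes")
    return reasons

def analyze(events: list) -> list:
    """Return (pid, task name, reasons) for every suspicious schtasks.exe."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not e.image.lower().endswith("\\schtasks.exe"):
            continue
        parent = by_pid.get(e.ppid)
        reasons = []
        if parent and parent.image.lower().endswith("\\wmiprvse.exe"):
            # WMI Win32_Process.Create makes the provider host the parent,
            # hiding the real creator from the process tree.
            reasons.append("spawned by WmiPrvSE.exe")
        opts = parse_schtasks(e.cmdline)
        if "create" in opts:
            reasons += task_findings(opts)
        if reasons:
            alerts.append((e.pid, opts.get("tn"), reasons))
    return alerts

CMDS = [  # (pid, command line) from the report; which pid ran which line is assumed
    (4800, r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f'''),
    (4792, r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f'''),
    (1660, r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f'''),
    (1320, r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f'''),
    (4116, r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f'''),
    (3540, r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f'''),
    (4140, r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\odt\System.exe'" /f'''),
    (3340, r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f'''),
    (1644, r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f'''),
    (5012, r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\wininit.exe'" /f'''),
    (1512, r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f'''),
    (3432, r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f'''),
]
EVENTS = [
    ProcEvent(3572, 4, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),   # constructed control
    ProcEvent(999, 1000, r"C:\Windows\system32\schtasks.exe",         # constructed benign task
              r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\notepad.exe"'''),
] + [ProcEvent(pid, 3572, r"C:\Windows\system32\schtasks.exe", c) for pid, c in CMDS]

if __name__ == "__main__":
    for pid, tn, reasons in analyze(EVENTS):
        print(f"schtasks.exe pid {pid} task {tn!r}: " + "; ".join(reasons))
```

Run stand-alone, the block prints one alert for each of the twelve schtasks.exe processes from the report and none for the constructed control. The three checks map directly onto Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), so replacing the constructed EVENTS with parsed log records is the only change needed to hunt for the same pattern on a real host; the masquerade check is the most durable of the three, since the WmiPrvSE.exe parent and the task names are easy for an operator to vary.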
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Windows Security\wininit.exe
Filesize: 1.5MB
MD5: a56ceff4ed3d8f469e16324d0109e3c6
SHA1: 0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f
SHA256: da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55
SHA512: 45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642
All four hashes match the submitted sample: the dropped wininit.exe is a byte-for-byte self-copy, so the sample's own hashes are sufficient indicators for the persisted file.
-
memory/1344-146-0x0000000008EA0000-0x0000000008F32000-memory.dmp
Filesize: 584KB
-
memory/1344-145-0x0000000000F60000-0x00000000013A8000-memory.dmp
Filesize: 4.3MB
-
memory/1344-144-0x0000000000F60000-0x00000000013A8000-memory.dmp
Filesize: 4.3MB
-
memory/1344-143-0x0000000000F60000-0x00000000013A8000-memory.dmp
Filesize: 4.3MB
-
memory/1344-142-0x0000000000F60000-0x00000000013A8000-memory.dmp
Filesize: 4.3MB
-
memory/1344-138-0x0000000000000000-mapping.dmp
-
memory/3444-135-0x0000000005FD0000-0x0000000006020000-memory.dmp
Filesize: 320KB
-
memory/3444-141-0x00000000001C0000-0x0000000000608000-memory.dmp
Filesize: 4.3MB
-
memory/3444-137-0x00000000062A0000-0x0000000006306000-memory.dmp
Filesize: 408KB
-
memory/3444-136-0x0000000006E70000-0x000000000739C000-memory.dmp
Filesize: 5.2MB
-
memory/3444-132-0x00000000001C0000-0x0000000000608000-memory.dmp
Filesize: 4.3MB
-
memory/3444-134-0x0000000006390000-0x0000000006934000-memory.dmp
Filesize: 5.6MB
-
memory/3444-133-0x00000000001C0000-0x0000000000608000-memory.dmp
Filesize: 4.3MB