Analysis

max time kernel: 140s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19-01-2023 03:16
Static task: static1

Behavioral task: behavioral1
  Sample: 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Resource: win10v2004-20220812-en
General

Target: 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Size: 1.9MB
MD5: 3b15c55bae9fefd6585e43490f6bf231
SHA1: 3e1815ec0f2fcc83c1aef7173baf749e4547f967
SHA256: 7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6
SHA512: 43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc
SSDEEP: 49152:Mb3eYn9rEj80t2CttDha8bCgXLQHkfX68lSurk9JWBKM:MlnmwWttPbC+R68l89r
Malware Config

Signatures
DcRat (14 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  pid | process
  1008 | schtasks.exe
  1544 | schtasks.exe
  632 | schtasks.exe
  1508 | schtasks.exe
  1984 | schtasks.exe
  848 | schtasks.exe
  1104 | schtasks.exe
  1876 | schtasks.exe
  1880 | schtasks.exe
  868 | schtasks.exe
  1900 | schtasks.exe
  720 | schtasks.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cc11b995f2a76d | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\WmiPrvSE.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1008 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 868 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 848 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 632 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1104 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 720 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1876 | 2024 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1880 | 2024 | schtasks.exe
Processes:
  resource | yara_rule
  behavioral1/memory/1672-55-0x0000000001190000-0x0000000001698000-memory.dmp | dcrat
  behavioral1/memory/1672-65-0x0000000001190000-0x0000000001698000-memory.dmp | dcrat
  behavioral1/memory/1396-66-0x0000000000200000-0x0000000000708000-memory.dmp | dcrat
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1396 | WmiPrvSE.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\WmiPrvSE.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\WmiPrvSE.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\"" | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
Processes:
  pid | process
  1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
Drops file in Program Files directory (5 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cc11b995f2a76d | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\taskhost.exe | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\b75386f1303e64 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  848 | schtasks.exe
  632 | schtasks.exe
  1104 | schtasks.exe
  1900 | schtasks.exe
  720 | schtasks.exe
  1508 | schtasks.exe
  1008 | schtasks.exe
  868 | schtasks.exe
  1880 | schtasks.exe
  1876 | schtasks.exe
  1984 | schtasks.exe
  1544 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid | process
  1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
  1396 | WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  Token: SeDebugPrivilege | 1396 | WmiPrvSE.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
  1396 | WmiPrvSE.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description | pid | process | target process
  PID 1672 wrote to memory of 1396 | 1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe | WmiPrvSE.exe
  PID 1672 wrote to memory of 1396 | 1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe | WmiPrvSE.exe
  PID 1672 wrote to memory of 1396 | 1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe | WmiPrvSE.exe
  PID 1672 wrote to memory of 1396 | 1672 | 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe | WmiPrvSE.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe"
  - DcRat
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe (depth 2)
    Command line: "C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\taskhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\taskhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\taskhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe
  Filesize: 1.9MB
  MD5: 3b15c55bae9fefd6585e43490f6bf231
  SHA1: 3e1815ec0f2fcc83c1aef7173baf749e4547f967
  SHA256: 7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6
  SHA512: 43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc

\??\c:\recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wmiprvse.exe
  Filesize: 1.9MB
  MD5, SHA1, SHA256, SHA512: identical to the entry above (same file, recorded under its NT device path)

\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe
  Filesize: 1.9MB
  MD5, SHA1, SHA256, SHA512: identical to the entry above (same file, recorded under its drive-relative path; the report lists this path twice with identical values)
memory/1396-61-0x0000000000000000-mapping.dmp

memory/1396-66-0x0000000000200000-0x0000000000708000-memory.dmp
  Filesize: 5.0MB

memory/1672-54-0x00000000753C1000-0x00000000753C3000-memory.dmp
  Filesize: 8KB

memory/1672-55-0x0000000001190000-0x0000000001698000-memory.dmp
  Filesize: 5.0MB

memory/1672-56-0x00000000004F0000-0x000000000050C000-memory.dmp
  Filesize: 112KB

memory/1672-57-0x0000000000560000-0x0000000000576000-memory.dmp
  Filesize: 88KB

memory/1672-58-0x0000000000A10000-0x0000000000A66000-memory.dmp
  Filesize: 344KB

memory/1672-65-0x0000000001190000-0x0000000001698000-memory.dmp
  Filesize: 5.0MB