Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
29-01-2023 21:26
Behavioral task
behavioral1
Sample
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Resource
win10v2004-20221111-en
General
-
Target
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
-
Size
365KB
-
MD5
1a67c22d93c15bdc6333358e2cdd29e7
-
SHA1
4b1824a168c97e13006fcc9b823f81d12cde9eca
-
SHA256
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22
-
SHA512
5bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c
-
SSDEEP
6144:Mhg8RILtEndj8KoOnBCuHzNII/JeM5k7IBe5oXWM6BPuqqDL:MpndjJIuII/J5k7IBe506BTqn
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Processes:
resource yara_rule behavioral1/memory/884-54-0x0000000001060000-0x00000000010C4000-memory.dmp dcrat C:\ProgramData\Microsoft Help\sppsvc.exe dcrat C:\ProgramData\Microsoft Help\sppsvc.exe dcrat behavioral1/memory/1880-62-0x0000000000310000-0x0000000000374000-memory.dmp dcrat -
Executes dropped EXE 1 IoCs
Processes:
sppsvc.exepid process 1880 sppsvc.exe -
Drops file in Program Files directory 2 IoCs
Processes:
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exedescription ioc process File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1932 schtasks.exe 268 schtasks.exe 468 schtasks.exe 1364 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exesppsvc.exepid process 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe 1880 sppsvc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exesppsvc.exedescription pid process Token: SeDebugPrivilege 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe Token: SeDebugPrivilege 1880 sppsvc.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exedescription pid process target process PID 884 wrote to memory of 1364 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 1364 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 1364 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 1932 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 1932 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 1932 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 268 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 268 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 268 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 468 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 468 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 468 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe schtasks.exe PID 884 wrote to memory of 1880 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe sppsvc.exe PID 884 wrote to memory of 1880 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe sppsvc.exe PID 884 wrote to memory of 1880 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe sppsvc.exe PID 884 wrote to memory of 1880 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe sppsvc.exe PID 884 wrote to memory of 1880 884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe sppsvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe"C:\Users\Admin\AppData\Local\Temp\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22" /sc ONLOGON /tr "'C:\Documents and Settings\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe'" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe'" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\sppsvc.exe'" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\ProgramData\Microsoft Help\sppsvc.exe"C:\ProgramData\Microsoft Help\sppsvc.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft Help\sppsvc.exeFilesize
365KB
MD51a67c22d93c15bdc6333358e2cdd29e7
SHA14b1824a168c97e13006fcc9b823f81d12cde9eca
SHA256d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22
SHA5125bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c
-
C:\ProgramData\Microsoft Help\sppsvc.exeFilesize
365KB
MD51a67c22d93c15bdc6333358e2cdd29e7
SHA14b1824a168c97e13006fcc9b823f81d12cde9eca
SHA256d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22
SHA5125bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c
-
memory/268-57-0x0000000000000000-mapping.dmp
-
memory/468-58-0x0000000000000000-mapping.dmp
-
memory/884-54-0x0000000001060000-0x00000000010C4000-memory.dmpFilesize
400KB
-
memory/1364-55-0x0000000000000000-mapping.dmp
-
memory/1880-59-0x0000000000000000-mapping.dmp
-
memory/1880-62-0x0000000000310000-0x0000000000374000-memory.dmpFilesize
400KB
-
memory/1932-56-0x0000000000000000-mapping.dmp