Analysis
- max time kernel: 50s
- max time network: 53s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 21:26
Static task: static1
Behavioral task: behavioral1
- Sample: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
- Resource: win10v2004-20220812-en
General
- Target: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
- Size: 433KB
- MD5: 2e421d1efddf596ee6487321df0ae484
- SHA1: 38cdf0bd60efdb86c0ea363cfb3c5fbd2ddf997b
- SHA256: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca
- SHA512: 72a642acfccfc83f84ab7723c9e5f31c678233d8959c11a8afcdc8a1f8e98940d33865a77ea93a4ec477bb068a9310b8d427e14f6078668d5ad578acdf65b247
- SSDEEP: 12288:0Qnk3GDYKGcblwtX+t4Y8vd9CaOUG5Y+mh:IAOcZwXYO2J5zE
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
  Processes (resource, yara_rule):
  - \perfinto\crtwin.exe, dcrat
  - C:\perfinto\crtwin.exe, dcrat
  - C:\perfinto\crtwin.exe, dcrat
  - behavioral1/memory/1380-64-0x00000000000F0000-0x0000000000150000-memory.dmp, dcrat
  - C:\Windows\debug\WIA\csrss.exe, dcrat
  - C:\Windows\debug\WIA\csrss.exe, dcrat
  - behavioral1/memory/992-73-0x00000000008D0000-0x0000000000930000-memory.dmp, dcrat
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1380, crtwin.exe
  - 992, csrss.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1348, cmd.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created, C:\Windows\debug\WIA\csrss.exe, crtwin.exe
  - File created, C:\Windows\debug\WIA\886983d96e3d3e31032c679b2d4ea91b6c05afef, crtwin.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 1848, schtasks.exe
  - 896, schtasks.exe
  - 568, schtasks.exe
  - 836, schtasks.exe
  - 1732, schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1380, crtwin.exe
  - 992, csrss.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1380, crtwin.exe
  - Token: SeDebugPrivilege, 992, csrss.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source pid, source process, target pid, target process; identical events collapsed with a count):
  - 1664 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe wrote to memory of 1972 WScript.exe (x4)
  - 1972 WScript.exe wrote to memory of 1348 cmd.exe (x4)
  - 1348 cmd.exe wrote to memory of 1380 crtwin.exe (x4)
  - 1380 crtwin.exe wrote to memory of 836 schtasks.exe (x3)
  - 1380 crtwin.exe wrote to memory of 1732 schtasks.exe (x3)
  - 1380 crtwin.exe wrote to memory of 1848 schtasks.exe (x3)
  - 1380 crtwin.exe wrote to memory of 896 schtasks.exe (x3)
  - 1380 crtwin.exe wrote to memory of 568 schtasks.exe (x3)
  - 1380 crtwin.exe wrote to memory of 992 csrss.exe (x3)
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\perfinto\i48JYD4oJA0cMfil2yKzMD37Ydu3jL.vbe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\perfinto\ERovcdbkxlUoLK71txXW3cA964JSkD.bat" "
      Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\perfinto\crtwin.exe
        Command line: "C:\perfinto\crtwin.exe"
        Signatures:
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
          Signatures:
          - Creates scheduled task(s)
        - C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\perfinto\System.exe'" /rl HIGHEST /f
          Signatures:
          - Creates scheduled task(s)
        - C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
          Signatures:
          - Creates scheduled task(s)
        - C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\conhost.exe'" /rl HIGHEST /f
          Signatures:
          - Creates scheduled task(s)
        - C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\csrss.exe'" /rl HIGHEST /f
          Signatures:
          - Creates scheduled task(s)
        - C:\Windows\debug\WIA\csrss.exe
          Command line: "C:\Windows\debug\WIA\csrss.exe"
          Signatures:
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\debug\WIA\csrss.exe
  Filesize: 356KB
  MD5: 922a77e55160186e8d3558c88f45f0fd
  SHA1: 97981a4019c4c0f8aae6ddc20aeae64bf1927718
  SHA256: 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c
  SHA512: 04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38
- C:\perfinto\ERovcdbkxlUoLK71txXW3cA964JSkD.bat
  Filesize: 24B
  MD5: 56e3a5d60991108ba8d984f67c27d59d
  SHA1: f0ca46ab72e8f9237660ee112d9077abe59dc71d
  SHA256: 9be93ab4ea35cccd861162176e9e1cb49f753ff071f44bc8531885cf7b5171db
  SHA512: dfcb1b4742d0daa4c8b0de16249d7d44e7dc5f4d0befa696915846f1bbd0c145888b9db32cd4d07ca6e7b7974aec6b4125af759663065eeff8baf643248eb061
- C:\perfinto\crtwin.exe
  Filesize: 356KB
  MD5: 922a77e55160186e8d3558c88f45f0fd
  SHA1: 97981a4019c4c0f8aae6ddc20aeae64bf1927718
  SHA256: 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c
  SHA512: 04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38
- C:\perfinto\i48JYD4oJA0cMfil2yKzMD37Ydu3jL.vbe
  Filesize: 220B
  MD5: 224d54950cf34464d6cf812c3d6ac98b
  SHA1: 2861f8019ec27a520c0751cbe196e7d19e1e93a8
  SHA256: 9890d7cd354a1444ca02970c09721238ff6223c305f8819cd2219bf8724627b2
  SHA512: ff8b1dff61f8dd8c68a57b5b43a3a4a5156fe5dd0704e9264e0fb71e6da5a4d3bbd114881a58ebc79d4e06d24abf21a42e027ee9a4824fb378e0299579a4b73f
- \perfinto\crtwin.exe
  Filesize: 356KB
  MD5: 922a77e55160186e8d3558c88f45f0fd
  SHA1: 97981a4019c4c0f8aae6ddc20aeae64bf1927718
  SHA256: 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c
  SHA512: 04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38
Memory dumps:
- memory/568-69-0x0000000000000000-mapping.dmp
- memory/836-65-0x0000000000000000-mapping.dmp
- memory/896-68-0x0000000000000000-mapping.dmp
- memory/992-73-0x00000000008D0000-0x0000000000930000-memory.dmp (Filesize: 384KB)
- memory/992-70-0x0000000000000000-mapping.dmp
- memory/1348-59-0x0000000000000000-mapping.dmp
- memory/1380-64-0x00000000000F0000-0x0000000000150000-memory.dmp (Filesize: 384KB)
- memory/1380-61-0x0000000000000000-mapping.dmp
- memory/1664-54-0x0000000076181000-0x0000000076183000-memory.dmp (Filesize: 8KB)
- memory/1732-66-0x0000000000000000-mapping.dmp
- memory/1848-67-0x0000000000000000-mapping.dmp
- memory/1972-55-0x0000000000000000-mapping.dmp