Analysis
-
max time kernel
52s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
21-03-2023 22:01
Behavioral task
behavioral1
Sample
23726a41d7c42dfbec508e8203659e41.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
23726a41d7c42dfbec508e8203659e41.exe
Resource
win10v2004-20230220-en
General
-
Target
23726a41d7c42dfbec508e8203659e41.exe
-
Size
2.5MB
-
MD5
23726a41d7c42dfbec508e8203659e41
-
SHA1
f17e7dd847cbdff1743301b15a567116e5a56cb0
-
SHA256
1fd9be727b7e58a9bb3fce45e8bd8925d471725ca2a86e102e2adb44da28e5c7
-
SHA512
80dd3c1bb73b350d78c3638a5e970430fd5fcd1a05023b089c1097ca5593e32dddcc749f96f48b5576d2441d423c5e8aa8a1a575dd5a15c2db2b748c9fd78eff
-
SSDEEP
49152:tWMazWNh42R1Wtm+DEGZHFUNxD16rtlqsC0btgzPZ+hT7cG:tWMaiNpnsJSjDAhb2zPZSIG
Malware Config
Signatures
-
DcRat
DcRat (DarkCrystal RAT) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 9 IoCs
Each of these processes was created by a parent that normally never spawns it; in general that points to a parent compromised by an exploit or a macro. Here the parent is C:\Windows\system32\wbem\wmiprvse.exe (the WMI provider host, pid 1664), which is consistent with the sample creating the nine schtasks.exe instances through WMI rather than from its own process tree; that is also why they sit at level 1 in the process tree below instead of under the dropper.
Processes:
description (all rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process
1484 | 1664 | schtasks.exe
1620 | 1664 | schtasks.exe
836 | 1664 | schtasks.exe
1652 | 1664 | schtasks.exe
1832 | 1664 | schtasks.exe
428 | 1664 | schtasks.exe
1752 | 1664 | schtasks.exe
920 | 1664 | schtasks.exe
1464 | 1664 | schtasks.exe
-
Processes (YARA matches for the dcrat rule, on dropped files and on memory dumps of the two payload processes):
yara_rule | resource
dcrat | C:\componentRuntimeHostDhcp\portcomponentcrt.exe
dcrat | \componentRuntimeHostDhcp\portcomponentcrt.exe
dcrat | C:\componentRuntimeHostDhcp\portcomponentcrt.exe
dcrat | \componentRuntimeHostDhcp\portcomponentcrt.exe
dcrat | behavioral1/memory/1856-73-0x00000000008B0000-0x0000000000A02000-memory.dmp
dcrat | C:\componentRuntimeHostDhcp\explorer.exe
dcrat | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe
dcrat | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe
dcrat | behavioral1/memory/1696-93-0x0000000001170000-0x00000000012C2000-memory.dmp
dcrat | behavioral1/memory/1696-94-0x000000001B1E0000-0x000000001B260000-memory.dmp
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1856 | portcomponentcrt.exe
1696 | spoolsv.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1524 | cmd.exe
1524 | cmd.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class stops debug events from the calling thread reaching an attached debugger. Only the initial dropper (pid 1204) does this; the dropped DcRat payloads do not.
Processes:
pid | process
1204 | 23726a41d7c42dfbec508e8203659e41.exe
1204 | 23726a41d7c42dfbec508e8203659e41.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe | portcomponentcrt.exe
File opened for modification | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe | portcomponentcrt.exe
File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\f3b6ecef712a24 | portcomponentcrt.exe
The extensionless companion file f3b6ecef712a24 written next to spoolsv.exe is not among the captured Downloads, so its content is not known from this report.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; for a RAT such as DcRat, drive enumeration is ordinary host reconnaissance, and nothing else in this report (three dropped files, no mass file modification) supports a ransomware reading.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here each payload copy is registered under a name imitating a system binary (spoolsv, spoolsvs, explorer, explorere), once ONLOGON with /rl HIGHEST and once or twice on a MINUTE interval (every 6 to 14 minutes), so a killed payload is restarted within minutes. Because the names repeat and every call passes /f, each later /create overwrites the earlier task of the same name: at most four tasks exist at the end (spoolsv, spoolsvs, explorer, explorere), and which explorer.exe copy the explorer/explorere tasks point to depends on creation order. The full command lines are in the process tree below.
Processes:
pid | process
1484 | schtasks.exe
1652 | schtasks.exe
1832 | schtasks.exe
428 | schtasks.exe
1464 | schtasks.exe
1620 | schtasks.exe
836 | schtasks.exe
1752 | schtasks.exe
920 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
1856 | portcomponentcrt.exe
1696 | spoolsv.exe (9 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Both payload processes enable SeDebugPrivilege in their token, the privilege needed to open other processes regardless of their ACLs (the sandbox runs the sample as an administrator, so the privilege is available to enable).
Processes:
description | pid | process
Token: SeDebugPrivilege | 1856 | portcomponentcrt.exe
Token: SeDebugPrivilege | 1696 | spoolsv.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
SetWindowsHookEx installs a message hook, commonly used for keystroke or input capture; only the dropper (pid 1204) calls it here.
Processes:
pid | process
1204 | 23726a41d7c42dfbec508e8203659e41.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
Every entry is a parent writing into a child it has just created: the pairs are exactly the parent/child edges of the process tree below, each logged three or four times during process start-up. There is no write into a pre-existing, unrelated process, so this is not injection.
Processes:
pid | process | target pid | target process | entries
1204 | 23726a41d7c42dfbec508e8203659e41.exe | 268 | WScript.exe | 4
1204 | 23726a41d7c42dfbec508e8203659e41.exe | 1680 | WScript.exe | 4
268 | WScript.exe | 1524 | cmd.exe | 4
1524 | cmd.exe | 1856 | portcomponentcrt.exe | 4
1856 | portcomponentcrt.exe | 1808 | cmd.exe | 3
1808 | cmd.exe | 1556 | w32tm.exe | 3
1808 | cmd.exe | 1696 | spoolsv.exe | 3
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Each entry gives the image path, then the command line, then the signatures it triggered. The level is the depth in the process tree; pids are taken from the signature tables above where they can be matched. Image paths under C:\Windows\SysWOW64 paired with System32 in the command line are WoW64 file-system redirection: the dropper (arch:x86 tag above) is 32-bit, so the script hosts it launches are too. The batch file at level 5 runs w32tm /stripchart against localhost, which blocks for a few seconds (/period:5 /samples:2), as a delay before starting the spoolsv.exe copy.
-
level 1 | C:\Users\Admin\AppData\Local\Temp\23726a41d7c42dfbec508e8203659e41.exe | pid 1204
"C:\Users\Admin\AppData\Local\Temp\23726a41d7c42dfbec508e8203659e41.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
level 2 | C:\Windows\SysWOW64\WScript.exe | pid 268
"C:\Windows\System32\WScript.exe" "C:\componentRuntimeHostDhcp\lpjLL7oMJP803Xm.vbe"
- Suspicious use of WriteProcessMemory
-
level 3 | C:\Windows\SysWOW64\cmd.exe | pid 1524
cmd /c ""C:\componentRuntimeHostDhcp\hr44gNf16S.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
level 4 | C:\componentRuntimeHostDhcp\portcomponentcrt.exe | pid 1856
"C:\componentRuntimeHostDhcp\portcomponentcrt.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
level 5 | C:\Windows\System32\cmd.exe | pid 1808
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph3I12I76T.bat"
- Suspicious use of WriteProcessMemory
-
level 6 | C:\Windows\system32\w32tm.exe | pid 1556
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
level 6 | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe | pid 1696
"C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
level 2 | C:\Windows\SysWOW64\WScript.exe | pid 1680
"C:\Windows\System32\WScript.exe" "C:\componentRuntimeHostDhcp\file.vbs"
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\componentRuntimeHostDhcp\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\componentRuntimeHostDhcp\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
level 1 | C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\componentRuntimeHostDhcp\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
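The process tree, together with the "Process spawned unexpected child process" and "Creates scheduled task(s)" signatures, gives three behaviours worth turning into detection logic: wmiprvse.exe spawning schtasks.exe, a schtasks /create that points a system-binary name at a staging directory and re-runs it every few minutes, and w32tm /stripchart against localhost used as a sleep. The Python below is an added example, not part of the sandbox report or of any vendor's rule set. It runs those rules over constructed process-creation events modelled on the tree above (the event shape, the pids, the benign control task, the table of canonical paths for spoolsv.exe, explorer.exe and svchost.exe, and the list of staging directories are all assumptions for illustration).

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event in the shape of Sysmon EID 1 / Security 4688."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed events modelled on this report's process tree (not sandbox output; pids illustrative).
# The last one is a benign control: an administrator's nightly backup task.
EVENTS = [
    ProcEvent(268, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\componentRuntimeHostDhcp\lpjLL7oMJP803Xm.vbe"',
              r"C:\Users\Admin\AppData\Local\Temp\23726a41d7c42dfbec508e8203659e41.exe"),
    ProcEvent(1556, r"C:\Windows\system32\w32tm.exe",
              r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1484, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /f''',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(1652, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /f''',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(1752, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\componentRuntimeHostDhcp\explorer.exe'" /rl HIGHEST /f''',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(4100, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f''',
              r"C:\Windows\explorer.exe"),
]

# Parents that have no business launching script hosts or schtasks (assumption; extend per estate).
UNEXPECTED_PARENTS = {"wmiprvse.exe"}
LOLBIN_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# System binaries the sample names its copies after, with the one path each legitimately runs from
# (assumed canonical locations on a default install).
CANONICAL = {
    "spoolsv.exe": r"c:\windows\system32\spoolsv.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
}
# Staging directories seen in this report plus common user-writable ones (assumption).
STAGING_DIRS = ("\\windows\\inf\\", "\\package cache\\", "\\users\\all users\\",
                "\\programdata\\", "\\appdata\\", "\\temp\\")
TRUSTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users"}


def _base(path):
    return ntpath.basename(path.strip("\"'")).lower()


def schtasks_options(cmdline):
    """Minimal schtasks.exe argument parser: value switches map to their unquoted value, flags to True."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)  # keep quoted spans (they may contain spaces) intact
    opts, i = {}, 1  # toks[0] is the program name
    while i < len(toks):
        key = toks[i].lower()
        if key in ("/tn", "/sc", "/mo", "/tr", "/rl", "/st", "/ru") and i + 1 < len(toks):
            opts[key] = toks[i + 1].strip("\"'")  # strips the "'...'" double quoting the sample uses
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def task_findings(cmdline):
    """Reasons a 'schtasks /create' command line looks like malware persistence (empty if none)."""
    opts = schtasks_options(cmdline)
    if "/create" not in opts or not isinstance(opts.get("/tr"), str):
        return []
    target = opts["/tr"]
    low = target.lower()
    parts = low.split("\\")
    base = _base(target)
    reasons = []
    if base in CANONICAL and low != CANONICAL[base]:
        reasons.append(f"runs a copy of {base} from a non-standard path: {target}")
    # Either a known staging directory, or a directory created directly under the drive root.
    if any(d in low for d in STAGING_DIRS) or (len(parts) == 3 and parts[1] not in TRUSTED_ROOT_DIRS):
        reasons.append(f"target lives in a staging or user-writable directory: {target}")
    every = str(opts.get("/mo", "1"))
    if str(opts.get("/sc", "")).upper() == "MINUTE" and every.isdigit() and int(every) <= 15:
        reasons.append(f"re-launched every {every} minute(s): watchdog-style persistence")
    if reasons and str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("and it asks for the highest run level")
    return reasons


def event_findings(ev):
    reasons = []
    child, parent = _base(ev.image), _base(ev.parent_image)
    if parent in UNEXPECTED_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"{parent} spawned {child}: process created through WMI, outside the visible tree")
    if child == "schtasks.exe":
        reasons.extend(task_findings(ev.cmdline))
    low = ev.cmdline.lower()
    if child == "w32tm.exe" and "/stripchart" in low and "/computer:localhost" in low:
        reasons.append("w32tm /stripchart against localhost: a delay that needs no sleep API")
    return reasons


def triage(events):
    """Map pid -> reasons for every event that trips at least one rule."""
    return {ev.pid: r for ev in events if (r := event_findings(ev))}


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid)
        for reason in reasons:
            print("   ", reason)
```

The parser keeps quoted spans whole because the sample's task targets contain spaces (".NET CLR Networking 4.0.0.0") and a second layer of single quotes; stripping both quote kinds before comparing against the canonical path is what makes the masquerading check fire. The benign DAILY task under Program Files trips none of the rules, which is the false-positive check a rule like this needs before it goes anywhere near production.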
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
The three 1.3MB executables below (spoolsv.exe, explorer.exe, portcomponentcrt.exe) share one hash: they are the same DcRat payload copied under system-binary names. Only the 2.5MB submitted file (hashes in General above) is the dropper.
-
C:\Users\Admin\AppData\Local\Temp\ph3I12I76T.bat
Filesize 224B
MD5 ac0cafebc6a6a513ec71060878c6bd7d
SHA1 6c2283b34f3794b0b38ad9beea13961bd9d84e8a
SHA256 87f184a0232d8acc669b32cb0a79a99a144781bf491ba6feba5c1d0370545af4
SHA512 6306cf6bd862c0e31f827ccf596f9e1f85557d5d957ddd375fff973506d03070a01faa242ce26c488c0f0470cdd8c0ba10599972386a824a79b6908ea3652397
-
C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe
Filesize 1.3MB
MD5 4cd6be6be55f6d3056c27a359d6b9204
SHA1 d98fd7fba7ac4796567ed69606affd9c188ded75
SHA256 6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af
SHA512 e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28
-
C:\componentRuntimeHostDhcp\explorer.exe
Filesize 1.3MB
MD5 4cd6be6be55f6d3056c27a359d6b9204
SHA1 d98fd7fba7ac4796567ed69606affd9c188ded75
SHA256 6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af
SHA512 e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28
-
C:\componentRuntimeHostDhcp\file.vbs
Filesize 34B
MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\componentRuntimeHostDhcp\hr44gNf16S.bat
Filesize 50B
MD5 292670bfc4df6c8cf94113a795b130a0
SHA1 286ae057e8f0e6e4135c4990bb7f0d004f59eb33
SHA256 ffa0397c92b4feeb89622cf62d14fc2cb1e689916c4311a559290a30fb538377
SHA512 7b772ee73bfc014939f617a4c1bdd87e07dcdd3a8db548627eadd3615955346f15d9538f061b4f840796de6f06d0f04aa4bf2b09848ed8b6ff5c631149032c71
-
C:\componentRuntimeHostDhcp\lpjLL7oMJP803Xm.vbe
Filesize 211B
MD5 11aeb580adb4f6f0aad02aa48bf2c120
SHA1 470c2c2ff8339c3d696d9864f67874c766e90043
SHA256 bf79d01327c2d1770ea923d6f3bb3cdb55a37ac3556781f0d9c1a83409653092
SHA512 14a6c92a07b4a77980946b3168543065fb9094b4d119d9b56462949de9ac3781ee0d218d1b49310abfcb0df4766179f0b8ef396107eef40dfb4cb83bdae7666e
-
C:\componentRuntimeHostDhcp\portcomponentcrt.exe
Filesize 1.3MB
MD5 4cd6be6be55f6d3056c27a359d6b9204
SHA1 d98fd7fba7ac4796567ed69606affd9c188ded75
SHA256 6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af
SHA512 e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28
-
\componentRuntimeHostDhcp\portcomponentcrt.exe
Filesize 1.3MB
MD5 4cd6be6be55f6d3056c27a359d6b9204
SHA1 d98fd7fba7ac4796567ed69606affd9c188ded75
SHA256 6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af
SHA512 e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28
-
memory/1204-65-0x0000000000940000-0x0000000000D25000-memory.dmp | Filesize 3.9MB
-
memory/1696-93-0x0000000001170000-0x00000000012C2000-memory.dmp | Filesize 1.3MB
-
memory/1696-94-0x000000001B1E0000-0x000000001B260000-memory.dmp | Filesize 512KB
-
memory/1696-95-0x000000001B1E0000-0x000000001B260000-memory.dmp | Filesize 512KB
-
memory/1856-76-0x0000000000150000-0x0000000000162000-memory.dmp | Filesize 72KB
-
memory/1856-77-0x0000000000340000-0x000000000034E000-memory.dmp | Filesize 56KB
-
memory/1856-78-0x0000000000510000-0x0000000000518000-memory.dmp | Filesize 32KB
-
memory/1856-83-0x000000001B1B0000-0x000000001B230000-memory.dmp | Filesize 512KB
-
memory/1856-75-0x00000000004F0000-0x0000000000506000-memory.dmp | Filesize 88KB
-
memory/1856-74-0x00000000004D0000-0x00000000004EC000-memory.dmp | Filesize 112KB
-
memory/1856-73-0x00000000008B0000-0x0000000000A02000-memory.dmp | Filesize 1.3MB
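The Downloads list above repeats one payload hash under three file names, which is the useful part of it for a hunt: a responder needs the set of distinct hashes, not the list of paths. The Python below is an added example, not part of the sandbox report. It transcribes the dropped-file table into a structure, collapses it to one entry per distinct payload, and hashes a directory tree against that set; the self-check plants a constructed file (content b"hello", whose SHA256 is the well-known 2cf24d...) in a temporary directory because the real payload is not available here. Paths and hashes come from this report; the temporary tree and its contents are made up.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Transcribed from the Downloads section of this report: (dropped path, SHA256).
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\ph3I12I76T.bat",
     "87f184a0232d8acc669b32cb0a79a99a144781bf491ba6feba5c1d0370545af4"),
    (r"C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe",
     "6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af"),
    (r"C:\componentRuntimeHostDhcp\explorer.exe",
     "6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af"),
    (r"C:\componentRuntimeHostDhcp\file.vbs",
     "f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b"),
    (r"C:\componentRuntimeHostDhcp\hr44gNf16S.bat",
     "ffa0397c92b4feeb89622cf62d14fc2cb1e689916c4311a559290a30fb538377"),
    (r"C:\componentRuntimeHostDhcp\lpjLL7oMJP803Xm.vbe",
     "bf79d01327c2d1770ea923d6f3bb3cdb55a37ac3556781f0d9c1a83409653092"),
    (r"C:\componentRuntimeHostDhcp\portcomponentcrt.exe",
     "6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af"),
]
# The submitted dropper itself (General section of the report).
SAMPLE_SHA256 = "1fd9be727b7e58a9bb3fce45e8bd8925d471725ca2a86e102e2adb44da28e5c7"
# Task names the sample registers (from the schtasks command lines in the process tree).
TASK_NAMES = ("spoolsv", "spoolsvs", "explorer", "explorere")


def group_by_hash(dropped):
    """Collapse the drop list to one entry per distinct payload: {sha256: [paths]}."""
    groups = defaultdict(list)
    for path, digest in dropped:
        groups[digest.lower()].append(path)
    return dict(groups)


def hunt_set():
    """Every distinct SHA256 worth searching for on a suspect host: dropper plus dropped payloads."""
    return set(group_by_hash(DROPPED)) | {SAMPLE_SHA256}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so multi-gigabyte files do not get read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, hashes):
    """Walk root, hash every regular file, return [(path, sha256)] for files whose hash is in hashes."""
    wanted = {h.lower() for h in hashes}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # locked, unreadable or vanished between listing and opening
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo():
    """Self-check on a constructed tree: one planted file with a known hash, one that is not wanted."""
    planted_digest = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"  # sha256(b"hello")
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "inf", "spoolsv.exe")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"hello")  # constructed stand-in for the payload; not the real file
        with open(os.path.join(root, "clean.txt"), "wb") as f:
            f.write(b"nothing to see")
        hits = hunt(root, hunt_set() | {planted_digest})
        return [(os.path.basename(p), d) for p, d in hits]


if __name__ == "__main__":
    for digest, paths in group_by_hash(DROPPED).items():
        print(digest, "->", len(paths), "copies:", "; ".join(paths))
    print("tasks to query:", ", ".join(TASK_NAMES))
    print("demo hits:", demo())
```

Grouping first turns seven entries into five hashes and makes the masquerading visible before any host is touched; on a real host the same `hunt()` is pointed at the drive root with `hunt_set()`, and the four task names in TASK_NAMES are what to look for in the Task Scheduler afterwards.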