Analysis
-
max time kernel
18s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
23-03-2023 04:49
General
-
Target
7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
-
Size
10.0MB
-
MD5
718c1a4f0cdacf94d4d6ad97e06a459f
-
SHA1
f7ea9a4f39e415c15ef563ecd4f381013e52d3a7
-
SHA256
7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033
-
SHA512
8a3d55db0a4eae644922895e140269f22f8214af875bf3544255bcc1be6b1de9a1274b1dd41cc4ac5826a9ac5e1d8d216994891dc124c01ba722db214652f80e
-
SSDEEP
196608:2JJ8G/X6v9189c+HzrMyU59NSOWQqA00aWOj/AoDvVq:2JJTCv8cEnMrrNSOhLPOj/Pv
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 13 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe"C:\Users\Admin\AppData\Local\Temp\7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe"C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nCS3PLly1U.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
C:\Windows\Downloaded Program Files\conhost_8.exe"C:\Windows\Downloaded Program Files\conhost_8.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Roaming\conhost_8.exe"C:\Users\Admin\AppData\Roaming\conhost_8.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe"C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1883⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\conhost_8.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost_8" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\conhost_8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\conhost_8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\ja-JP\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\it-IT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MASTER 8BPM" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\MASTER 8BP.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MASTER 8BP" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\MASTER 8BP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MASTER 8BPM" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\MASTER 8BP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost_8.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost_8" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost_8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost_8.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
Filesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
Filesize
214B
MD56cfb640f3d0bc2f6419f34c270d980ee
SHA1d35ee59109ec80a9dcda2a9ae7f8c70729674299
SHA25616b01c3708409958f9e8169d775620414e3f483e00ec6eb38f667c8c43d9b476
SHA512ec3153edba4b5ab537878033a9ba98c9afc35c0b7bca2497c443f3bc821cd0238a84cb14fe33eb8f6b51102e9971110710b2100f19e626fef41101096b498b52
-
Filesize
7KB
MD549e00ab90e4c169885da76d92bd1bb7b
SHA1653306f93718408f82679b55d9109709075a89f6
SHA2560465ee668031a938d07e0874c70dd2d248d65567bac4d883965363451fac1fe8
SHA512bfb676d32413923ca5552fea4a4c1aae93aa4db336b4193a54ede21f7c307b733504dec24d8c00a1af9b2f1dc959db5c5508a074b039ed7e6b1b51b4165bdb3b
-
Filesize
7KB
MD549e00ab90e4c169885da76d92bd1bb7b
SHA1653306f93718408f82679b55d9109709075a89f6
SHA2560465ee668031a938d07e0874c70dd2d248d65567bac4d883965363451fac1fe8
SHA512bfb676d32413923ca5552fea4a4c1aae93aa4db336b4193a54ede21f7c307b733504dec24d8c00a1af9b2f1dc959db5c5508a074b039ed7e6b1b51b4165bdb3b
-
Filesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
Filesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
Filesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
Filesize
2.0MB
MD5b521b2a220a99d820b688d4ad5db8067
SHA108e97a2e4871b789d3388fd51479710626b69a92
SHA25655371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b
SHA5122e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1
-
Filesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
Filesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
Filesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
Filesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
Filesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
Filesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
Filesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
Filesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
Filesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
Filesize
2.0MB
MD5b521b2a220a99d820b688d4ad5db8067
SHA108e97a2e4871b789d3388fd51479710626b69a92
SHA25655371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b
SHA5122e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1
-
Filesize
2.1MB
-
Filesize
40KB
-
Filesize
512KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
1.7MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
512KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
3.8MB
-
Filesize
17.8MB
-
Filesize
17.8MB
-
Filesize
17.8MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
220KB
-
Filesize
32KB
-
Filesize
1.7MB
-
Filesize
512KB
-
Filesize
72KB