Analysis
Max time kernel: 31s
Max time network: 34s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 29-03-2023 00:06
Behavioral task: behavioral1
Sample: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Resource: win10v2004-20230220-en
General
Target: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Size: 1.1MB
MD5: 8d491e642b1402ee5bf8d1417c437da1
SHA1: cddc7a2610d738c4ddf11c1bf008e045741138d4
SHA256: b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72
SHA512: a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377
SSDEEP: 24576:AJ8kuxCAZLI3rjRUfM+7HeWhUsus8k9bYUE/oXc02+4:Zdqi7j3E/oM0R
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 584 | 736 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1160 | 736 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 328 | 736 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1568 | 736 | schtasks.exe
Processes:
resource | yara_rule
behavioral1/memory/1212-54-0x0000000000860000-0x0000000000982000-memory.dmp | dcrat
C:\Windows\splwow64\explorer.exe | dcrat
C:\Windows\splwow64\explorer.exe | dcrat
behavioral1/memory/1740-71-0x0000000000090000-0x00000000001B2000-memory.dmp | dcrat
Executes dropped EXE (1 IoC)
Processes: explorer.exe
pid | process
1740 | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\ProgramData\\Start Menu\\System.exe\"" | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\MigAutoPlay\\lsm.exe\"" | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\splwow64\\explorer.exe\"" | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Drops file in System32 directory (3 IoCs)
Processes: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
description | ioc | process
File created | C:\Windows\System32\MigAutoPlay\lsm.exe | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File opened for modification | C:\Windows\System32\MigAutoPlay\lsm.exe | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File created | C:\Windows\System32\MigAutoPlay\101b941d020240259ca4912829b53995ad543df6 | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Drops file in Windows directory (2 IoCs)
Processes: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
description | ioc | process
File created | C:\Windows\splwow64\explorer.exe | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File created | C:\Windows\splwow64\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid | process
584 | schtasks.exe
1160 | schtasks.exe
328 | schtasks.exe
1568 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe, explorer.exe
pid | process
1212 | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
1740 | explorer.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 1212 | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Token: SeDebugPrivilege | 1740 | explorer.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe, cmd.exe
description | pid | process | target process
PID 1212 wrote to memory of 1764 | 1212 | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe | cmd.exe
PID 1212 wrote to memory of 1764 | 1212 | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe | cmd.exe
PID 1212 wrote to memory of 1764 | 1212 | B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe | cmd.exe
PID 1764 wrote to memory of 1600 | 1764 | cmd.exe | chcp.com
PID 1764 wrote to memory of 1600 | 1764 | cmd.exe | chcp.com
PID 1764 wrote to memory of 1600 | 1764 | cmd.exe | chcp.com
PID 1764 wrote to memory of 1576 | 1764 | cmd.exe | w32tm.exe
PID 1764 wrote to memory of 1576 | 1764 | cmd.exe | w32tm.exe
PID 1764 wrote to memory of 1576 | 1764 | cmd.exe | w32tm.exe
PID 1764 wrote to memory of 1740 | 1764 | cmd.exe | explorer.exe
PID 1764 wrote to memory of 1740 | 1764 | cmd.exe | explorer.exe
PID 1764 wrote to memory of 1740 | 1764 | cmd.exe | explorer.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (the bracketed number is the nesting depth reported by the sandbox; indentation shows parent/child relationships)

[1] C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe (PID 1212)
    Command line: "C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe (PID 1764)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zCpJr4a4Og.bat"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\chcp.com (PID 1600)
        Command line: chcp 65001
    [3] C:\Windows\system32\w32tm.exe (PID 1576)
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    [3] C:\Windows\splwow64\explorer.exe (PID 1740)
        Command line: "C:\Windows\splwow64\explorer.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\schtasks.exe (PID 584)
    Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\MigAutoPlay\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1160)
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\splwow64\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 328)
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe (PID 1568)
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\zCpJr4a4Og.bat
Filesize: 248B
MD5: 6da7f7b1f4b18589d0ba147bbda0821b
SHA1: 4e68289d5e46301b08ec56b92a45feca1a7e6b67
SHA256: 8050fc6a702e3359d8a4d847e5e8cf256060836525c150bb2d379c86aa5b888c
SHA512: ff1d1fc2ccf29c042053c11630b4d194bc2509b1e002a85de3da706806912a812e8eaa435f8cce401306365f42b004f33f86efcae397eb803c3012406d521119

C:\Windows\splwow64\explorer.exe
Filesize: 1.1MB
MD5: 8d491e642b1402ee5bf8d1417c437da1
SHA1: cddc7a2610d738c4ddf11c1bf008e045741138d4
SHA256: b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72
SHA512: a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377
memory/1212-54-0x0000000000860000-0x0000000000982000-memory.dmp
Filesize: 1.1MB

memory/1212-55-0x00000000007D0000-0x0000000000850000-memory.dmp
Filesize: 512KB

memory/1740-71-0x0000000000090000-0x00000000001B2000-memory.dmp
Filesize: 1.1MB

memory/1740-72-0x0000000000500000-0x000000000050C000-memory.dmp
Filesize: 48KB