Analysis
-
max time kernel
87s -
max time network
90s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
02-06-2023 01:20
General
-
Target
GoogleChromeUpdate.exe
-
Size
1.5MB
-
MD5
a1d05206520518a47f710e7197bbc336
-
SHA1
270ac60027ac01b78139bec3a6fe54f702c4fe96
-
SHA256
374eba5495779dc24974bb881e0c3f298861a91d88d710da4f684bf8a2a01fe6
-
SHA512
6164910de359dd7f9ad12e75c1ea170ff5fb313598da249c12888a100cd01e3888bbea25240a7924ea825147a7979b0b941e9d8916a322dbb3846c077959921a
-
SSDEEP
24576:YW3QhwWwORHtx07i/85O8q9Fx7hFsf1gj7xN9sKrogXMAGqo3K6L29ufIOT0Gj:YW3QNRH/07imOljZhFsf1s9ZkgXZkKxC
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 13 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate.exe"C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate" "GoogleChromeUpdate.exe""2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe"C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\01JDjn9an.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ProgramData\vyRlj1SkqrfRYAG7.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\componentsessioncrt.exe"C:\ProgramData\componentsessioncrt.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\MSOCache\All Users\componentsessioncrt.exe"C:\MSOCache\All Users\componentsessioncrt.exe"6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentsessioncrtc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\componentsessioncrt.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentsessioncrt" /sc ONLOGON /tr "'C:\MSOCache\All Users\componentsessioncrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentsessioncrtc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\componentsessioncrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
983KB
MD55defd0000aa1bf0805c8d2e2fc3ed20d
SHA1e7a366a7a834e2ab3cabc3dd412f065c636b4efb
SHA256fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888
SHA512e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d
-
Filesize
983KB
MD55defd0000aa1bf0805c8d2e2fc3ed20d
SHA1e7a366a7a834e2ab3cabc3dd412f065c636b4efb
SHA256fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888
SHA512e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d
-
Filesize
983KB
MD55defd0000aa1bf0805c8d2e2fc3ed20d
SHA1e7a366a7a834e2ab3cabc3dd412f065c636b4efb
SHA256fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888
SHA512e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d
-
Filesize
205B
MD576db147c9e20a89ea972166168a4b9ba
SHA1475c26be4c2e8bc8ef0fd4bcc469e92e64f332ae
SHA2565699049e3e55284b66a98cdbce5b4c36c3ce7396bdf60632c544ce390bad6dd0
SHA512e32b9bfa54d9c71d1b17ea71ee5846a9f2220b77ad23045f5662c52324037e99cab253676d8d8e75bea44e2cf824b1ea3cc92ee84cced7866292eb73d51f77eb
-
Filesize
983KB
MD55defd0000aa1bf0805c8d2e2fc3ed20d
SHA1e7a366a7a834e2ab3cabc3dd412f065c636b4efb
SHA256fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888
SHA512e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d
-
Filesize
983KB
MD55defd0000aa1bf0805c8d2e2fc3ed20d
SHA1e7a366a7a834e2ab3cabc3dd412f065c636b4efb
SHA256fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888
SHA512e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d
-
Filesize
40B
MD589947106df373d55eec5d73e11eac3e1
SHA1788822f62913626780934e0bae6239b2f945dc61
SHA256b30caba090d08a4bd296166f4833c90e5c0057d1bd04e0d50592319bccaf4637
SHA512cc4d1a9b2fc1596526e99488fffde8d39c263b5551c5c5696dacbe3065cf44f5a94d77a34821cfe10b53e0e9202c3328850bd53bc6e0d4aca3ff99d729e33168
-
Filesize
1.3MB
MD5bced1e7139210b3cdd27938afeb88d8f
SHA106954c644d000863658b68dce36b6972f38da7d1
SHA256d74aba28905fc35c7163604b9a807f289e00b0b28b4c88d06e308b4c977c1ea7
SHA512310af594a2a744cb2e87aca3daeb2251d2219644bfc4f83fbcbce30119045fcbf68bd5a6ab318caa8090fd6598cc0de475c4687ae109458d71e11bf946df4b94
-
Filesize
1.3MB
MD5bced1e7139210b3cdd27938afeb88d8f
SHA106954c644d000863658b68dce36b6972f38da7d1
SHA256d74aba28905fc35c7163604b9a807f289e00b0b28b4c88d06e308b4c977c1ea7
SHA512310af594a2a744cb2e87aca3daeb2251d2219644bfc4f83fbcbce30119045fcbf68bd5a6ab318caa8090fd6598cc0de475c4687ae109458d71e11bf946df4b94
-
Filesize
1.3MB
MD5bced1e7139210b3cdd27938afeb88d8f
SHA106954c644d000863658b68dce36b6972f38da7d1
SHA256d74aba28905fc35c7163604b9a807f289e00b0b28b4c88d06e308b4c977c1ea7
SHA512310af594a2a744cb2e87aca3daeb2251d2219644bfc4f83fbcbce30119045fcbf68bd5a6ab318caa8090fd6598cc0de475c4687ae109458d71e11bf946df4b94
-
Filesize
7KB
MD5a745603b979417ce41b4cc439b210d15
SHA10c7e093b01ac9e9554bc47a7bbb0d223db0cc567
SHA2563acf9c355bb2a8861ce51420934ddb134fc532236cb75ac0ca3da61775a71440
SHA5124112d322401b186a7a043aa237d129917ec91b6360c1dfec4447ca7129037dd8e3e54b7bd7e299e9af63d8f1798c5246e3663195286e01ca18dc3d50cdc9ff14
-
Filesize
7KB
MD5a745603b979417ce41b4cc439b210d15
SHA10c7e093b01ac9e9554bc47a7bbb0d223db0cc567
SHA2563acf9c355bb2a8861ce51420934ddb134fc532236cb75ac0ca3da61775a71440
SHA5124112d322401b186a7a043aa237d129917ec91b6360c1dfec4447ca7129037dd8e3e54b7bd7e299e9af63d8f1798c5246e3663195286e01ca18dc3d50cdc9ff14
-
Filesize
7KB
MD5a745603b979417ce41b4cc439b210d15
SHA10c7e093b01ac9e9554bc47a7bbb0d223db0cc567
SHA2563acf9c355bb2a8861ce51420934ddb134fc532236cb75ac0ca3da61775a71440
SHA5124112d322401b186a7a043aa237d129917ec91b6360c1dfec4447ca7129037dd8e3e54b7bd7e299e9af63d8f1798c5246e3663195286e01ca18dc3d50cdc9ff14
-
Filesize
7KB
MD5a745603b979417ce41b4cc439b210d15
SHA10c7e093b01ac9e9554bc47a7bbb0d223db0cc567
SHA2563acf9c355bb2a8861ce51420934ddb134fc532236cb75ac0ca3da61775a71440
SHA5124112d322401b186a7a043aa237d129917ec91b6360c1dfec4447ca7129037dd8e3e54b7bd7e299e9af63d8f1798c5246e3663195286e01ca18dc3d50cdc9ff14
-
Filesize
7KB
MD5a745603b979417ce41b4cc439b210d15
SHA10c7e093b01ac9e9554bc47a7bbb0d223db0cc567
SHA2563acf9c355bb2a8861ce51420934ddb134fc532236cb75ac0ca3da61775a71440
SHA5124112d322401b186a7a043aa237d129917ec91b6360c1dfec4447ca7129037dd8e3e54b7bd7e299e9af63d8f1798c5246e3663195286e01ca18dc3d50cdc9ff14
-
Filesize
7KB
MD5a745603b979417ce41b4cc439b210d15
SHA10c7e093b01ac9e9554bc47a7bbb0d223db0cc567
SHA2563acf9c355bb2a8861ce51420934ddb134fc532236cb75ac0ca3da61775a71440
SHA5124112d322401b186a7a043aa237d129917ec91b6360c1dfec4447ca7129037dd8e3e54b7bd7e299e9af63d8f1798c5246e3663195286e01ca18dc3d50cdc9ff14
-
Filesize
983KB
MD55defd0000aa1bf0805c8d2e2fc3ed20d
SHA1e7a366a7a834e2ab3cabc3dd412f065c636b4efb
SHA256fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888
SHA512e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d
-
Filesize
983KB
MD55defd0000aa1bf0805c8d2e2fc3ed20d
SHA1e7a366a7a834e2ab3cabc3dd412f065c636b4efb
SHA256fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888
SHA512e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
1016KB
-
Filesize
32KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
1016KB