Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
-
submitted
04/07/2023, 13:46
General
-
Target
c0bea0a11853ecbdd169b0d0a.exe
-
Size
1.2MB
-
MD5
f20c74f02de55472d8b565868a19f4f5
-
SHA1
7be531a0a8ca1e686e6f7ff70fc3c2de963684fe
-
SHA256
c0bea0a11853ecbdd169b0d0ac30f0afcba308555752a0ead4de45895ec69ed2
-
SHA512
bd0664c6bb354ea240f942f8911daf494e62f97af6253ae77768b8d206e4c3245af655da94af410816917c1f7293123bc4dafa1ec8cc57fc1b5506fe5b3bebef
-
SSDEEP
24576:U2G/nvxW3Ww0t1Qo4QruJTrTn5mC8IasJ8lkf6LgH:UbA301n47rzrJfkY
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 2 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0bea0a11853ecbdd169b0d0a.exe"C:\Users\Admin\AppData\Local\Temp\c0bea0a11853ecbdd169b0d0a.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\8NQktCoAZviY5dhjarDv0yXqzR5kC.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\xpdAC628S.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\perfCrt.exe"C:\Windows\perfCrt.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\it-IT\spoolsv.exe"C:\Windows\it-IT\spoolsv.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e95083a9-1529-48ce-8d33-3f1d7d0092b5.vbs"6⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dea0d39f-db7b-4dc9-a5d4-f4936f40a5e3.vbs"6⤵
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "perfCrtp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\perfCrt.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "perfCrt" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\perfCrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "perfCrtp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\perfCrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\34c99522-106a-11ee-b24d-849b5e38b5ed\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
935KB
MD5f553aaacd5d5d904ae5103a9f9d1d8e2
SHA129d46f0d7be8aaf8c9348d706395c5e5ad7095dd
SHA256c1452a47310558c9a70b6fd3b9d68156aad8c1b07fd53455bff0ccd83b95ba8e
SHA512d7c11971125864dd2b746b22b01a15377569582185973c2f2c5e0300158ac0ee356c0dfb857edf93a6f2737ba9642448425c4c8329de99eaa6a43e796143d31b
-
Filesize
480B
MD5d2214026a47cbc6f713b8ff27eee1d40
SHA1e7e5956b71c9916d6a4f0395e958ded263499088
SHA256de04ea8456cae36f6a6d91f72a69958621a91503b708a14c8c72055367ac8ef5
SHA512804d9c3864a15968e35be35bb32a50c4e0812aff1fdad5f12912dba6f7028cea65b67f28de976af07187e1fdfe95b5cf0000b06dbd881ebd720f831f9a30f451
-
Filesize
704B
MD57e9e99cc4b5675105e895898c814ef36
SHA12e2265bc6082c050456956e731cfa781ea71d204
SHA256a6946a7688f5ecdb2ca33b7404c699c30d395806702987ed386345860c5e4104
SHA5125bb523efcfc445418dc5771be2ce7844262f748efbc4adecb1c7cbc28f26c9644925431f88c0ed78d49ed4b25995da076fcb2bceb7d6098bb77630666015faaf
-
Filesize
204B
MD5bda4c38d73a75f19a5b0db1e6e0b7754
SHA119d73217e43de79c98a853e7b67705013578e348
SHA256bd0bffa96bb67d96b7015d60cbb3bfaf64a7d1d8191e49fa17f7352a44058d4a
SHA512743f332733bbf8cd9be78fd4a2e8879e1fb895c1c329b71edb2fc6756e021cfd746dcaa38d86cc5f007a1b0f08cf2c6fbc1b695a5f5520c8c67aca5e08d812e5
-
Filesize
935KB
MD5f553aaacd5d5d904ae5103a9f9d1d8e2
SHA129d46f0d7be8aaf8c9348d706395c5e5ad7095dd
SHA256c1452a47310558c9a70b6fd3b9d68156aad8c1b07fd53455bff0ccd83b95ba8e
SHA512d7c11971125864dd2b746b22b01a15377569582185973c2f2c5e0300158ac0ee356c0dfb857edf93a6f2737ba9642448425c4c8329de99eaa6a43e796143d31b
-
Filesize
935KB
MD5f553aaacd5d5d904ae5103a9f9d1d8e2
SHA129d46f0d7be8aaf8c9348d706395c5e5ad7095dd
SHA256c1452a47310558c9a70b6fd3b9d68156aad8c1b07fd53455bff0ccd83b95ba8e
SHA512d7c11971125864dd2b746b22b01a15377569582185973c2f2c5e0300158ac0ee356c0dfb857edf93a6f2737ba9642448425c4c8329de99eaa6a43e796143d31b
-
Filesize
935KB
MD5f553aaacd5d5d904ae5103a9f9d1d8e2
SHA129d46f0d7be8aaf8c9348d706395c5e5ad7095dd
SHA256c1452a47310558c9a70b6fd3b9d68156aad8c1b07fd53455bff0ccd83b95ba8e
SHA512d7c11971125864dd2b746b22b01a15377569582185973c2f2c5e0300158ac0ee356c0dfb857edf93a6f2737ba9642448425c4c8329de99eaa6a43e796143d31b
-
Filesize
935KB
MD5f553aaacd5d5d904ae5103a9f9d1d8e2
SHA129d46f0d7be8aaf8c9348d706395c5e5ad7095dd
SHA256c1452a47310558c9a70b6fd3b9d68156aad8c1b07fd53455bff0ccd83b95ba8e
SHA512d7c11971125864dd2b746b22b01a15377569582185973c2f2c5e0300158ac0ee356c0dfb857edf93a6f2737ba9642448425c4c8329de99eaa6a43e796143d31b
-
Filesize
35B
MD57278c7ae6efbd4b50e3707c4dc4c608a
SHA1c8e1db9b85f599c98b278571b147cf81fe2fbae4
SHA2568f2fd99bb0dfa66ccca2c9173120318ea6702c64a5e112f63f9c2145ed9fe9dd
SHA512d06d550b8eec81c4faa8aca795dea9aac748cf4ea8e4ce42bf73403f6f2be67616e2732ecdcf2eca390448c75a026b011aa2b8536a6fdcb4a07c12f71486049b
-
Filesize
968KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
512KB
-
Filesize
968KB
-
Filesize
512KB
-
Filesize
512KB