Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2023, 00:17

Behavioral task: behavioral1
- Sample: HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe
- Resource: win7-20230712-en

Behavioral task: behavioral2
- Sample: HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe
- Resource: win10v2004-20230703-en
General
- Target: HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe
- Size: 608KB
- MD5: e8934df9ec508ad4eab478d511060d90
- SHA1: 31582857d61047166558c92c166a6a903a09bf83
- SHA256: bd13041dfdb44e77eb2bc5d19ef39c05a7820010d36d2fede24d1ad330ae6daa
- SHA512: aecedefc6b269bfddfd9d61d91802686cfab2bea951563d2b74fb6841670f4d9e215ccab7f8953842be5a25f39dd3a034eb5cda52d54812e40f713a3465261f8
- SSDEEP: 12288:QqnOi180YXNIIGSWAXb0ztt841j3RS/8A9rcF:Q+Oi1qNJGSnXb0zDu
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process (10 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro. In this run the unexpected parent is the WMI provider host, wmiprvse.exe (PID 2668), and every child is one of the ten schtasks.exe instances listed under Processes below; pid is the child, pid_target the parent.

  | description | pid | pid_target | Process | procid_target |
  |---|---|---|---|---|
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2564 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2524 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2140 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 2668 | schtasks.exe | 30 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1416 | 2668 | schtasks.exe | 30 |
- YARA matches for the DcRat signature (rule dcrat): two memory regions of the original process (PID 760), three dropped files, and one memory region of the dropped copy (PID 1956).

  | resource | yara_rule |
  |---|---|
  | behavioral1/memory/760-55-0x00000000002E0000-0x000000000037E000-memory.dmp | dcrat |
  | behavioral1/memory/760-56-0x000000001AF40000-0x000000001AFC0000-memory.dmp | dcrat |
  | behavioral1/files/0x0006000000018ad8-65.dat | dcrat |
  | behavioral1/files/0x0009000000016d64-81.dat | dcrat |
  | behavioral1/files/0x0009000000016d64-82.dat | dcrat |
  | behavioral1/memory/1956-83-0x0000000000E90000-0x0000000000F2E000-memory.dmp | dcrat |
- Executes dropped EXE (1 IoCs)

  | pid | Process |
  |---|---|
  | 1956 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
- Adds Run key to start application (2 TTPs, 10 IoCs)
  All ten values are written to the machine-wide Run key, so the sample was running with administrative rights. The value name winlogon is set twice with different paths; only the last write (C:\Windows\System32\C_10010\winlogon.exe) survives, and the same collision occurs for the two scheduled tasks named winlogon below.

  | description | ioc | Process |
  |---|---|---|
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\PerfLogs\\Admin\\System.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d8c072d3-b73b-4e14-b723-60c4a863b89f\\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Documents\\My Videos\\wininit.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\PerfLogs\\Admin\\winlogon.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\C_10010\\winlogon.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\rtm\\taskhost.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\lsm.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\tapisrv\\csrss.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\Idle.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\cliconfg\\services.exe\"" | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
- Drops file in System32 directory (8 IoCs)
  Each copy is written into a subdirectory of System32 under the name of a genuine Windows process (taskhost, services, csrss, winlogon) and is accompanied by a 40-hex-character file without an extension in the same directory.

  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Windows\System32\rtm\taskhost.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | File created | C:\Windows\System32\rtm\b75386f1303e64d8139363b71e44ac16341adf4e | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | File created | C:\Windows\System32\cliconfg\services.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | File created | C:\Windows\System32\cliconfg\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | File created | C:\Windows\System32\tapisrv\csrss.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | File created | C:\Windows\System32\tapisrv\886983d96e3d3e31032c679b2d4ea91b6c05afef | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | File created | C:\Windows\System32\C_10010\winlogon.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | File created | C:\Windows\System32\C_10010\cc11b995f2a76da408ea6a601e682e64743153ad | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
- Drops file in Program Files directory (2 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\6ccacd8608530fba3a93e87ae2225c7032aa18c1 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 10 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Every task here is created with /sc ONLOGON and /rl HIGHEST (run at logon with highest privileges) and /f (overwrite an existing task of the same name); the full command lines are in the Processes section.

  | pid | Process |
  |---|---|
  | 2708 | schtasks.exe |
  | 2564 | schtasks.exe |
  | 2700 | schtasks.exe |
  | 2140 | schtasks.exe |
  | 2292 | schtasks.exe |
  | 1416 | schtasks.exe |
  | 2756 | schtasks.exe |
  | 2652 | schtasks.exe |
  | 2524 | schtasks.exe |
  | 2604 | schtasks.exe |
- Suspicious behavior: EnumeratesProcesses (2 IoCs)

  | pid | Process |
  |---|---|
  | 760 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | 1956 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
- Suspicious use of AdjustPrivilegeToken (2 IoCs)

  | description | pid | Process |
  |---|---|---|
  | Token: SeDebugPrivilege | 760 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
  | Token: SeDebugPrivilege | 1956 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe |
- Suspicious use of WriteProcessMemory (3 IoCs)
  All three writes go from the original process (PID 760) into the copy it launched (PID 1956). Writes from a parent into a child it has just created also occur during ordinary process start-up, so on their own these do not establish code injection.

  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 760 wrote to memory of 1956 | 760 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe | 41 |
  | PID 760 wrote to memory of 1956 | 760 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe | 41 |
  | PID 760 wrote to memory of 1956 | 760 | HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe | 41 |
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The ten schtasks.exe entries are listed at level 1 rather than under PID 760 because their recorded parent is the WMI provider host, wmiprvse.exe (PID 2668), as the "Process spawned unexpected child process" signature shows.

- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe (PID 760, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d8c072d3-b73b-4e14-b723-60c4a863b89f\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe (PID 1956, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d8c072d3-b73b-4e14-b723-60c4a863b89f\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 2756, level 1)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\Admin\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2652, level 1)
  Command line: schtasks.exe /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d8c072d3-b73b-4e14-b723-60c4a863b89f\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2708, level 1)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2564, level 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\tapisrv\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2700, level 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2524, level 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\C_10010\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2604, level 1)
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\rtm\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2140, level 1)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2292, level 1)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1416, level 1)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\cliconfg\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
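As an added example (not code from the sandbox, the report or the sample), the following Python turns the persistence patterns recorded above into detection logic a responder could run over exported process-creation and registry events: schtasks.exe launched with wmiprvse.exe as its parent, /sc ONLOGON combined with /rl HIGHEST, and a task target or Run value whose file name is a Windows system-process name but whose directory is not System32 itself. The sample events are constructed from the report's own command lines and Run-key values plus one benign control each; the field names (parent_image, image, command_line, key, value) are an assumption loosely modelled on Sysmon event IDs 1 and 13, not any product's real schema.

```python
"""Flag DcRat-style persistence in process-creation and registry-set events.

Added example, not code from the sandbox, the report or the sample. The
sample events are constructed from the report above (the schtasks command
lines, their wmiprvse.exe parent and the Run-key values) plus one benign
control each; the event field names (parent_image, image, command_line,
key, value) are an assumption loosely modelled on Sysmon event IDs 1 and
13, not any product's real schema.
"""
import ntpath
import re
from typing import Iterable

# Process names the sample reuses for its copies. Where a genuine binary
# exists it sits directly in C:\Windows\System32; "Idle" and "System" are
# kernel pseudo-processes with no image file at all.
SYSTEM_NAMES = {"csrss", "winlogon", "lsm", "services", "taskhost", "wininit",
                "smss", "lsass", "dwm", "idle", "system"}
SYSTEM32 = r"c:\windows\system32"

# schtasks switches of interest; a value is either one double-quoted string
# (which may contain spaces and inner single quotes) or a bare token.
SWITCH_RE = re.compile(r'/(tn|sc|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(command_line: str) -> dict:
    """Return the /tn, /sc, /tr and /rl values of a schtasks /create line
    with surrounding double and single quotes removed."""
    return {m.group(1).lower(): m.group(2).strip("\"'")
            for m in SWITCH_RE.finditer(command_line)}


def is_masquerading(target: str) -> bool:
    """True when the file name is a system-process name but the file is not
    located directly in System32 (e.g. System32\\tapisrv\\csrss.exe)."""
    directory, base = ntpath.split(target.strip("\"' ").lower())
    name = base[:-4] if base.endswith(".exe") else base
    return name in SYSTEM_NAMES and directory != SYSTEM32


def check_process(ev: dict) -> list:
    """Findings for one process-creation event (empty list if benign)."""
    findings = []
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev.get("parent_image", "")).lower()
    if image != "schtasks.exe":
        return findings
    if parent == "wmiprvse.exe":
        findings.append("schtasks.exe spawned by the WMI provider host")
    if "/create" in ev["command_line"].lower():
        args = parse_schtasks(ev["command_line"])
        if (args.get("sc", "").upper() == "ONLOGON"
                and args.get("rl", "").upper() == "HIGHEST"):
            findings.append(f"logon task {args.get('tn')!r} runs with highest privileges")
        if "tr" in args and is_masquerading(args["tr"]):
            findings.append(f"task target masquerades as a system binary: {args['tr']}")
    return findings


def check_registry(ev: dict) -> list:
    """Findings for one registry value-set event (empty list if benign)."""
    findings = []
    if "\\currentversion\\run\\" in ev["key"].lower() and is_masquerading(ev["value"]):
        path = ev["value"].strip('"')
        findings.append(f"Run value masquerades as a system binary: {path}")
    return findings


def scan(process_events: Iterable[dict], registry_events: Iterable[dict]) -> dict:
    """Map each flagged command line or registry key to its findings."""
    report = {}
    for ev in process_events:
        if (found := check_process(ev)):
            report[ev["command_line"]] = found
    for ev in registry_events:
        if (found := check_registry(ev)):
            report[ev["key"]] = found
    return report


# Constructed sample input, taken from the report's process tree and Run-key IoCs.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": WMI, "image": SCHTASKS, "command_line":
     r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\tapisrv\csrss.exe'" /rl HIGHEST /f'''},
    {"parent_image": WMI, "image": SCHTASKS, "command_line":
     r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f'''},
    # Benign control: a daily task created from an interactive shell.
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": SCHTASKS, "command_line":
     r'schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Tools\backup.exe" /f'},
]
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REGISTRY_EVENTS = [
    {"key": RUN_KEY + r"\winlogon", "value": r'"C:\Windows\System32\C_10010\winlogon.exe"'},
    # Benign control: a per-user updater registered in the usual way.
    {"key": RUN_KEY + r"\OneDrive", "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'},
]

if __name__ == "__main__":
    for source, found in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_REGISTRY_EVENTS).items():
        print(source)
        for line in found:
            print("   -", line)
```

The masquerade check deliberately compares the whole directory against System32 rather than looking for the substring: the sample's copies sit in subdirectories such as System32\tapisrv and System32\C_10010, which a substring match would accept as legitimate.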
Network
MITRE ATT&CK Enterprise v6
Downloads
The dropped copy in the GUID-named Temp directory has exactly the same size and hashes as the submitted sample: the file is copied unmodified, not re-packed or decrypted.

- Dropped file (path not shown)
  Filesize: 608KB
  MD5: e8934df9ec508ad4eab478d511060d90
  SHA1: 31582857d61047166558c92c166a6a903a09bf83
  SHA256: bd13041dfdb44e77eb2bc5d19ef39c05a7820010d36d2fede24d1ad330ae6daa
  SHA512: aecedefc6b269bfddfd9d61d91802686cfab2bea951563d2b74fb6841670f4d9e215ccab7f8953842be5a25f39dd3a034eb5cda52d54812e40f713a3465261f8
- C:\Users\Admin\AppData\Local\Temp\d8c072d3-b73b-4e14-b723-60c4a863b89f\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe
  Filesize: 608KB
  MD5: e8934df9ec508ad4eab478d511060d90
  SHA1: 31582857d61047166558c92c166a6a903a09bf83
  SHA256: bd13041dfdb44e77eb2bc5d19ef39c05a7820010d36d2fede24d1ad330ae6daa
  SHA512: aecedefc6b269bfddfd9d61d91802686cfab2bea951563d2b74fb6841670f4d9e215ccab7f8953842be5a25f39dd3a034eb5cda52d54812e40f713a3465261f8
- C:\Users\Admin\AppData\Local\Temp\d8c072d3-b73b-4e14-b723-60c4a863b89f\HEUR-Trojan-Spy.MSIL.Stealer.gen-bd13041dfdb4.exe
  Filesize: 608KB
  MD5: e8934df9ec508ad4eab478d511060d90
  SHA1: 31582857d61047166558c92c166a6a903a09bf83
  SHA256: bd13041dfdb44e77eb2bc5d19ef39c05a7820010d36d2fede24d1ad330ae6daa
  SHA512: aecedefc6b269bfddfd9d61d91802686cfab2bea951563d2b74fb6841670f4d9e215ccab7f8953842be5a25f39dd3a034eb5cda52d54812e40f713a3465261f8