Analysis
-
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 18/11/2023, 06:38
Behavioral task: behavioral1
Sample: NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Resource: win10v2004-20231023-en
General
-
Target: NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Size: 1.6MB
MD5: 8b63b4a62f39fe51f04bad846500d900
SHA1: cd57f895dfbdef71daaec73832d686e25c4a9443
SHA256: 12d85b878dd9e2e4bf577444948bc0a1db87009f5d51e6e79403d1d8c2b5861d
SHA512: 8eb64ea0b612c306eba388c733b2e65ffa93111b6062d2034d4733352be8721c0450f1a130dbcbf9c17510612f2374017a1597ed90a20d5d9dd99d6b4c7c09d5
SSDEEP: 24576:dPMYXSRYoY64PXxohpNzb44qv/x8GMpmIB8VDLjyfH4VYiwzcHA8csX1OA:dPCRI+NoHwqRCY2cHAMF
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                          pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2668  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2508  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2564  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2592  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2756  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2696  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2572  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2624  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3004  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2372  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1984  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  520   2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1196  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1308  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2840  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2736  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2792  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1396  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  888   2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3024  2820        schtasks.exe  28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1992  2820        schtasks.exe  28
-
resource                                                                        yara_rule
behavioral1/memory/1960-0-0x0000000000AE0000-0x0000000000C7E000-memory.dmp      dcrat
behavioral1/files/0x000600000001626b-22.dat                                     dcrat
behavioral1/files/0x000600000001626b-83.dat                                     dcrat
behavioral1/files/0x000600000001626b-84.dat                                     dcrat
behavioral1/memory/2352-85-0x00000000013E0000-0x000000000157E000-memory.dmp     dcrat
behavioral1/memory/2352-87-0x000000001B280000-0x000000001B300000-memory.dmp     dcrat
-
Executes dropped EXE 1 IoCs
pid   Process
2352  taskhost.exe
-
Drops file in Program Files directory 4 IoCs
description                   ioc                                                                              Process
File created                  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe          NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File created                  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\56085415360792       NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File opened for modification  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCX8221.tmp          NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File opened for modification  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe          NEAS.8b63b4a62f39fe51f04bad846500d900.exe
-
Drops file in Windows directory 4 IoCs
description                   ioc                                                                              Process
File created                  C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe            NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File created                  C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\886983d96e3d3e       NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File opened for modification  C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\RCX7E0A.tmp          NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File opened for modification  C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe            NEAS.8b63b4a62f39fe51f04bad846500d900.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1196  schtasks.exe
1992  schtasks.exe
2756  schtasks.exe
2572  schtasks.exe
2624  schtasks.exe
2372  schtasks.exe
520   schtasks.exe
2840  schtasks.exe
2736  schtasks.exe
1396  schtasks.exe
2508  schtasks.exe
2696  schtasks.exe
3004  schtasks.exe
1984  schtasks.exe
1308  schtasks.exe
2668  schtasks.exe
2564  schtasks.exe
2792  schtasks.exe
888   schtasks.exe
3024  schtasks.exe
2592  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1960  NEAS.8b63b4a62f39fe51f04bad846500d900.exe
2352  taskhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid   Process
Token: SeDebugPrivilege   1960  NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Token: SeDebugPrivilege   2352  taskhost.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description                        pid   Process                                     procid_target
PID 1960 wrote to memory of 3036   1960  NEAS.8b63b4a62f39fe51f04bad846500d900.exe  50
PID 1960 wrote to memory of 3036   1960  NEAS.8b63b4a62f39fe51f04bad846500d900.exe  50
PID 1960 wrote to memory of 3036   1960  NEAS.8b63b4a62f39fe51f04bad846500d900.exe  50
PID 3036 wrote to memory of 2944   3036  cmd.exe                                     52
PID 3036 wrote to memory of 2944   3036  cmd.exe                                     52
PID 3036 wrote to memory of 2944   3036  cmd.exe                                     52
PID 3036 wrote to memory of 2352   3036  cmd.exe                                     53
PID 3036 wrote to memory of 2352   3036  cmd.exe                                     53
PID 3036 wrote to memory of 2352   3036  cmd.exe                                     53
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)
-
C:\Users\Admin\AppData\Local\Temp\NEAS.8b63b4a62f39fe51f04bad846500d900.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.8b63b4a62f39fe51f04bad846500d900.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpsobUXTBt.bat"
      - Suspicious use of WriteProcessMemory
      PID:3036
        C:\Windows\system32\w32tm.exe
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID:2944
        C:\Users\Admin\taskhost.exe
          Command line: "C:\Users\Admin\taskhost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2352
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2668
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2508
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2564
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2592
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2756
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2696
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2572
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2624
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3004
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2372
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1984
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:520
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1196
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1308
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2840
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2736
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2792
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1396
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:888
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3024
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1992
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 192B
MD5: cec63961d1098609b76d28747fc9fea4
SHA1: a604d120a8b54fb2d86ace7ad05d977cc0e61146
SHA256: c9568e31379a941fc7daee6baa4bba43aa5ba21b53760631ddab27e917ae9daa
SHA512: d0404b6c681157ef421fc200c8508d902eee720397c29eb67daba1ddf08c445c0a7204fc52b6d4f7031c6b029721d955d1776b0b0c02c434786ddcc6d1c754d6
-
Filesize: 1.6MB
MD5: 8b63b4a62f39fe51f04bad846500d900
SHA1: cd57f895dfbdef71daaec73832d686e25c4a9443
SHA256: 12d85b878dd9e2e4bf577444948bc0a1db87009f5d51e6e79403d1d8c2b5861d
SHA512: 8eb64ea0b612c306eba388c733b2e65ffa93111b6062d2034d4733352be8721c0450f1a130dbcbf9c17510612f2374017a1597ed90a20d5d9dd99d6b4c7c09d5
(this 1.6MB entry, whose hashes match the submitted sample, appears three times in the report with identical values)