Analysis
max time kernel
123s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted
18/11/2023, 06:38
Behavioral task
behavioral1
Sample
NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Resource
win10v2004-20231023-en
General
Target
NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Size
1.6MB
MD5
8b63b4a62f39fe51f04bad846500d900
SHA1
cd57f895dfbdef71daaec73832d686e25c4a9443
SHA256
12d85b878dd9e2e4bf577444948bc0a1db87009f5d51e6e79403d1d8c2b5861d
SHA512
8eb64ea0b612c306eba388c733b2e65ffa93111b6062d2034d4733352be8721c0450f1a130dbcbf9c17510612f2374017a1597ed90a20d5d9dd99d6b4c7c09d5
SSDEEP
24576:dPMYXSRYoY64PXxohpNzb44qv/x8GMpmIB8VDLjyfH4VYiwzcHA8csX1OA:dPCRI+NoHwqRCY2cHAMF
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan active since June 2019 that can load additional plugins at runtime.
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is the WMI provider host, which needs a different reading: any process created through the WMI Win32_Process.Create method is started by WmiPrvSE.exe, so these rows are consistent with the sample registering its scheduled tasks over WMI (ATT&CK T1047) rather than with an exploited WmiPrvSE. It is also why the 24 schtasks.exe instances appear at the top level of the process tree below instead of under the sample.
All 24 rows share every field except the child pid:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (parent): 5012
Process: schtasks.exe
procid_target: 87
pid (child): 3068, 1988, 812, 528, 2872, 2480, 2272, 5028, 1596, 3468, 1952, 5020, 5072, 1144, 4548, 1572, 464, 4796, 4152, 1560, 3372, 1092, 864, 4908
YARA matches
resource | yara_rule
behavioral2/memory/5008-0-0x0000000000150000-0x00000000002EE000-memory.dmp | dcrat
behavioral2/files/0x0006000000022def-24.dat | dcrat
behavioral2/files/0x0007000000022df2-96.dat | dcrat
behavioral2/files/0x0007000000022df2-97.dat | dcrat
behavioral2/memory/3468-98-0x00000000002D0000-0x000000000046E000-memory.dmp | dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Executes dropped EXE 1 IoCs
pid | Process
3468 | explorer.exe (C:\Recovery\WindowsRE\explorer.exe, a dropped binary named after the Windows shell; see the process tree)
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\twain_32\RCXEF06.tmp | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File opened for modification | C:\Windows\twain_32\dwm.exe | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File created | C:\Windows\twain_32\dwm.exe | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
File created | C:\Windows\twain_32\6cb0b6c459d5d3 | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (all 24 instances)
pid: 1144, 4548, 1560, 3372, 3068, 1988, 2480, 5020, 4796, 528, 1596, 3468, 1572, 864, 4908, 812, 2872, 2272, 464, 4152, 1092, 5028, 1952, 5072
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
5008 | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
5008 | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
5008 | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
3468 | explorer.exe
3468 | explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5008 | NEAS.8b63b4a62f39fe51f04bad846500d900.exe
Token: SeDebugPrivilege | 3468 | explorer.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 5008 wrote to memory of 3068 | 5008 | NEAS.8b63b4a62f39fe51f04bad846500d900.exe | 120
PID 5008 wrote to memory of 3068 | 5008 | NEAS.8b63b4a62f39fe51f04bad846500d900.exe | 120
PID 3068 wrote to memory of 1656 | 3068 | cmd.exe | 122
PID 3068 wrote to memory of 1656 | 3068 | cmd.exe | 122
PID 3068 wrote to memory of 3468 | 3068 | cmd.exe | 125
PID 3068 wrote to memory of 3468 | 3068 | cmd.exe | 125
Every target is a direct child of the writing process in the tree below (5008 -> 3068, 3068 -> 1656, 3068 -> 3468), so these writes coincide with process creation; nothing in this report shows a write into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
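The two parent/child findings above ("Process spawned unexpected child process" with WmiPrvSE.exe as parent, and "Executes dropped EXE" for a binary called explorer.exe running from C:\Recovery\WindowsRE) are the kind of check a responder would re-run over endpoint process-creation telemetry. The script below is an added example, not part of the sandbox or of the sample: the events are constructed from this report's process tree, the parent PIDs for the WMI host and the real shell (600, 900, 4100) and the benign control event (PID 7001) are assumptions, and the expected directory for TextInputHost.exe is matched on a prefix because its package directory name varies by build.

```python
"""Parent/child and image-path checks of the kind behind the report's
"Process spawned unexpected child process" and "Executes dropped EXE" hits.
Added example; events are constructed from the report's process tree and the
ppids 600/900/4100 plus the control event 7001 are assumptions."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process's executable
    cmdline: str


# Directories that hold the genuine copies of the system binaries the sample imitates.
# A process with one of these names running from anywhere else is a masquerade
# candidate (ATT&CK T1036.005).
EXPECTED_DIRS = {
    "lsass.exe":     (r"c:\windows\system32",),
    "csrss.exe":     (r"c:\windows\system32",),
    "dwm.exe":       (r"c:\windows\system32",),
    "taskhostw.exe": (r"c:\windows\system32",),
    "explorer.exe":  (r"c:\windows", r"c:\windows\syswow64"),
}
# TextInputHost.exe is an inbox app under C:\Windows\SystemApps\<package>\; the package
# directory name differs between builds, so match on the prefix (assumption).
EXPECTED_PREFIXES = {"textinputhost.exe": (r"c:\windows\systemapps",)}

# Children that wmiprvse.exe only spawns when someone drives Win32_Process.Create
# (ATT&CK T1047). Deployment tooling can do this legitimately: treat hits as leads.
WMI_SUSPICIOUS_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe",
}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def find_masquerading(events):
    """(pid, rule, image) for processes named like a system binary but not running from its home."""
    hits = []
    for e in events:
        name, d = _name(e.image), _dir(e.image)
        if name in EXPECTED_DIRS and d not in EXPECTED_DIRS[name]:
            hits.append((e.pid, "T1036.005 masquerading", e.image))
        elif name in EXPECTED_PREFIXES and not any(
            d == p or d.startswith(p + "\\") for p in EXPECTED_PREFIXES[name]
        ):
            hits.append((e.pid, "T1036.005 masquerading", e.image))
    return hits


def find_wmi_spawned(events):
    """(pid, rule, detail) for LOLBin children whose parent is wmiprvse.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in the recorded window; cannot judge
        if _name(parent.image) == "wmiprvse.exe" and _name(e.image) in WMI_SUSPICIOUS_CHILDREN:
            hits.append((e.pid, "T1047 WMI-spawned child", f"{parent.image} -> {e.cmdline}"))
    return hits


def triage(events):
    """All findings, ordered by pid."""
    return sorted(find_wmi_spawned(events) + find_masquerading(events))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NEAS.8b63b4a62f39fe51f04bad846500d900.exe"
EVENTS = [  # constructed from the report's tree; ppids 600/900/4100 and PID 7001 are assumed
    ProcEvent(900, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch -p"),
    ProcEvent(5012, 900, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    ProcEvent(4100, 600, r"C:\Windows\explorer.exe", "explorer.exe"),  # the real shell
    ProcEvent(5008, 4100, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1988, 5012, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f'''),
    ProcEvent(3068, 5008, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cKDdDiVJTa.bat"'),
    ProcEvent(1656, 3068, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(3468, 3068, r"C:\Recovery\WindowsRE\explorer.exe", r'"C:\Recovery\WindowsRE\explorer.exe"'),
    ProcEvent(7001, 4100, r"C:\Windows\System32\schtasks.exe", "schtasks /query"),  # benign control
]

if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"{pid:>5}  {rule:<26}  {detail}")
```

Run against the constructed events it reports exactly two findings: PID 1988 (schtasks.exe under wmiprvse.exe) and PID 3468 (explorer.exe from C:\Recovery\WindowsRE); the genuine C:\Windows\explorer.exe and the schtasks /query launched from it are not flagged. The same two rules also catch C:\Windows\twain_32\dwm.exe, which the sample drops but never executes in this run.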
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.8b63b4a62f39fe51f04bad846500d900.exe (PID 5008)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.8b63b4a62f39fe51f04bad846500d900.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 3068)
      command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cKDdDiVJTa.bat"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\w32tm.exe (PID 1656)
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        C:\Recovery\WindowsRE\explorer.exe (PID 3468)
          command line: "C:\Recovery\WindowsRE\explorer.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

Top-level schtasks.exe instances (parent: C:\Windows\system32\wbem\wmiprvse.exe, PID 5012, see "Process spawned unexpected child process" above). Each of the 24 triggers "Process spawned unexpected child process" and "Creates scheduled task(s)":

PID 3068: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
PID 1988: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
PID 812: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
PID 528: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
PID 2872: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 2480: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 2272: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\dwm.exe'" /f
PID 5028: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f
PID 1596: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f
PID 3468: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
PID 1952: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
PID 5020: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
PID 5072: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\explorer.exe'" /f
PID 1144: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f
PID 4548: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f
PID 1572: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
PID 464: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
PID 4796: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
PID 4152: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
PID 1560: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
PID 3372: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
PID 1092: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
PID 864: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
PID 4908: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

Reading the tree:
- The w32tm /stripchart call takes two clock samples from localhost five seconds apart and does nothing else useful for the dropper; in batch stagers like cKDdDiVJTa.bat it stands in for a sleep between writing the payload and launching it, since cmd has no native sleep command.
- Every target binary carries the name of a Windows system process (lsass, csrss, dwm, explorer, TextInputHost, taskhostw) but lives in C:\Recovery\WindowsRE, C:\Windows\twain_32 or C:\Users\Public\Videos, none of which is where the real binary resides. Each target gets three tasks: two short-interval MINUTE triggers and one ONLOGON trigger with /rl HIGHEST, so the implant is restarted every few minutes and re-launched elevated at logon.
- Task names are reused across targets (dwmd/dwm for both dwm.exe paths, explorere/explorer for both explorer.exe paths). Because every call passes /f, a later /create silently replaces an earlier task of the same name, so only the last path registered under each of those names is actually scheduled.
- PIDs 3068 and 3468 appear both for schtasks.exe instances and for cmd.exe/explorer.exe. Windows reuses a PID once the process holding it exits, so the same number refers to different processes at different points of the run; match on image path and time, not on PID alone.
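The 24 schtasks /create lines above are the whole persistence footprint of the run, and a responder wants them reduced to three things: which binaries are being kept alive, which task names to delete, and where the name reuse means a task was overwritten. The script below is an added example, not the sandbox's or the sample's code: the command lines are copied verbatim from the tree above, while the option parser, grouping and clean-up helpers, and the T1053.005 reference are the editor's.

```python
"""Parse the schtasks /create lines from the report and summarise the persistence
(ATT&CK T1053.005). Added example; command lines are copied from the report,
the parsing and grouping logic is not part of the sandbox's tooling."""
import re
from collections import defaultdict

SCHTASKS_LINES = [  # verbatim from the process tree in the report
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f''',
    r'''schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f''',
]

# One /option, optionally followed by its value: a "quoted string" or a bare word that
# does not itself start with a slash (so "/create /tn" gives /create no value).
OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def parse_create(cmdline):
    """Fields of a schtasks /create invocation, or None for any other verb."""
    opts = {k.lower(): v for k, v in OPT_RE.findall(cmdline)}
    if "create" not in opts:
        return None
    return {
        "name": opts.get("tn", "").strip('"'),
        "trigger": opts.get("sc", "").upper(),                # ONLOGON, MINUTE, ...
        "every_minutes": int(opts["mo"]) if opts.get("mo", "").isdigit() else None,
        "target": opts.get("tr", "").strip("\"' "),           # the sample wraps paths in "'...'"
        "highest": opts.get("rl", "").upper() == "HIGHEST",   # /rl HIGHEST = run elevated
    }


def summarize(lines):
    """Group the tasks by the binary they launch: one entry per persisted file."""
    by_target = defaultdict(lambda: {"task_names": set(), "intervals": set(), "onlogon_highest": False})
    for line in lines:
        t = parse_create(line)
        if t is None:
            continue
        entry = by_target[t["target"].lower()]
        entry["task_names"].add(t["name"])
        if t["every_minutes"]:
            entry["intervals"].add(t["every_minutes"])
        if t["trigger"] == "ONLOGON" and t["highest"]:
            entry["onlogon_highest"] = True
    return dict(by_target)


def name_collisions(lines):
    """Task names registered for more than one target. Every line uses /f, so a later
    /create replaces the earlier task of the same name: only the last target wins."""
    targets = defaultdict(set)
    for line in lines:
        t = parse_create(line)
        if t:
            targets[t["name"]].add(t["target"].lower())
    return {n: sorted(ts) for n, ts in targets.items() if len(ts) > 1}


def cleanup_commands(lines):
    """schtasks /delete lines for every task name seen (run them elevated) and the
    file paths to collect as evidence before deleting."""
    parsed = [t for t in (parse_create(l) for l in lines) if t]
    names = sorted({t["name"] for t in parsed})
    paths = sorted({t["target"] for t in parsed})
    return [f'schtasks /delete /tn "{n}" /f' for n in names], paths


if __name__ == "__main__":
    for target, info in summarize(SCHTASKS_LINES).items():
        print(target, sorted(info["intervals"]), "logon+elevated" if info["onlogon_highest"] else "")
    print("overwritten names:", name_collisions(SCHTASKS_LINES))
    print(*cleanup_commands(SCHTASKS_LINES)[0], sep="\n")
```

On the report's lines this yields 8 persisted binaries, each with an ONLOGON task at highest run level plus two MINUTE triggers, 12 distinct task names to delete, and four names (dwmd, dwm, explorere, explorer) that were registered for two different paths and therefore point only at whichever path was created last. The parser is deliberately limited to the `/option value` shape schtasks uses; it does not try to interpret the batch file or the task XML.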
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
1.6MB
MD5
ec45ca9d44ff82d269fb8b1f2eef36cd
SHA1
9eae712d2d2c826a2bf6ee40a0da0895efeef436
SHA256
96c9c02744b4cacc75d9eee867e24b4eef30a597d143b8edc070d59b51f00586
SHA512
406b6a6a707778f2fdeb3ee392653ef8cb1489e62617801a1735888c3baad98bf8966c913509db65cc5b9004cc2b86156fd3409a39bf8770990f5a6ccde724dd

Filesize
1.6MB
MD5
ec45ca9d44ff82d269fb8b1f2eef36cd
SHA1
9eae712d2d2c826a2bf6ee40a0da0895efeef436
SHA256
96c9c02744b4cacc75d9eee867e24b4eef30a597d143b8edc070d59b51f00586
SHA512
406b6a6a707778f2fdeb3ee392653ef8cb1489e62617801a1735888c3baad98bf8966c913509db65cc5b9004cc2b86156fd3409a39bf8770990f5a6ccde724dd

Filesize
199B
MD5
6aa467dff9134de9626e316a2eb99ee5
SHA1
c649acceeb6e83c277704bdab20d8d17b5e0b492
SHA256
0f670a58c4e0b16e24d96c1fc59e533d08163be1debd4cb209ee7b3f2382fd03
SHA512
3dc6cb1fe5be705b97142052140bb67aab1b848e107aa7b2cb97e6d06186c69a9796b3d591ea51d5bda248f2e46035187bf8716a2e881446211d65526c5bfe6a

Filesize
1.6MB
MD5
8b63b4a62f39fe51f04bad846500d900
SHA1
cd57f895dfbdef71daaec73832d686e25c4a9443
SHA256
12d85b878dd9e2e4bf577444948bc0a1db87009f5d51e6e79403d1d8c2b5861d
SHA512
8eb64ea0b612c306eba388c733b2e65ffa93111b6062d2034d4733352be8721c0450f1a130dbcbf9c17510612f2374017a1597ed90a20d5d9dd99d6b4c7c09d5

Note: the first two entries carry identical hashes (two dropped copies of the same 1.6MB file), and the last entry has the same hashes as the submitted sample, i.e. one of the dropped files is a byte-for-byte copy of the sample itself. The 199B file is the only one small enough to be the batch script.