Analysis

  • max time kernel: 124s
  • max time network: 151s
  • platform: windows7_x64
  • resource: win7-20231023-en
  • resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted: 19/11/2023, 01:16

General

  • Target: 11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe
  • Size: 1.1MB
  • MD5: 200fbe006c4bd2254f52a2511351db06
  • SHA1: a861260bf97882d4c9bcd8c8ff20f55bd76ede83
  • SHA256: 11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358
  • SHA512: cd17043118609474bd3206fee19448defab1dea375a19d7547b5282348ee5474aa827fd61adcaa1adc47886dfbf69636d0c4aa806f2c42639ed0807a29cb15fa
  • SSDEEP: 24576:U2G/nvxW3Ww0tAz3pfv5IOTh+hGBJgHUvhMUo+VdiYm:UbA30Y3nVd5xTo+8

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe
    "C:\Users\Admin\AppData\Local\Temp\11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\driverPerf\g4pK8s1dCKS6KxkAWsMtWcT.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\driverPerf\Tt0xWJ2ZExmQ.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\driverPerf\msblock.exe
          "C:\driverPerf\msblock.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe
            "C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe"
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\driverPerf\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\driverPerf\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\driverPerf\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Favorites\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\driverPerf\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\driverPerf\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\driverPerf\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:812

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe
          Filesize: 826KB
          MD5: dee33f30963672c3ced45d21865491e7
          SHA1: 32ba23ca2c1a5a417598e74f40ea3f565af576a5
          SHA256: d4fbd231478b43f169e0fc0ae2f08d13bae4e0918d11265e417f4d8d0e44e394
          SHA512: 2f028b8ef81b194a77e29f894a9eb990f7b68faef7731c6b8abea4a7000210c8e755e34beae362a93eff45deb03b686921fb923955f64a2ff99ec65c9622c704

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize: 344B
          MD5: b730e625309d62b661739be348f2e5c1
          SHA1: 9b526fab9360fbc1b09ea6052a11e03a5f971372
          SHA256: 96f961cf29e7608bbcf43da00c5c28d62b5c61c0b1db4975e36b0f0fb7de56a5
          SHA512: 86fd843f8953eddcb530c127ba63dc2b327159be34249695fcabf1492c63b614160b62705248be4d9f5bfd5cbd7e701158f828eb55115c41b821c2d1100370c6

        • C:\Users\Admin\AppData\Local\Temp\CabD24F.tmp
          Filesize: 61KB
          MD5: f3441b8572aae8801c04f3060b550443
          SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
          SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
          SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

        • C:\Users\Admin\AppData\Local\Temp\TarD2DE.tmp
          Filesize: 163KB
          MD5: 9441737383d21192400eca82fda910ec
          SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
          SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
          SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

        • C:\Users\Public\Favorites\lsm.exe
          Filesize: 826KB
          MD5: dee33f30963672c3ced45d21865491e7
          SHA1: 32ba23ca2c1a5a417598e74f40ea3f565af576a5
          SHA256: d4fbd231478b43f169e0fc0ae2f08d13bae4e0918d11265e417f4d8d0e44e394
          SHA512: 2f028b8ef81b194a77e29f894a9eb990f7b68faef7731c6b8abea4a7000210c8e755e34beae362a93eff45deb03b686921fb923955f64a2ff99ec65c9622c704

        • C:\driverPerf\Tt0xWJ2ZExmQ.bat
          Filesize: 27B
          MD5: 500c80074d17912910553f55d7b055da
          SHA1: 6f162d1302f47e6602253c6d15cd3c0d80809168
          SHA256: 23a5a450f50a53f642fece0d41d53836338eb3b0ea30b12fba65b2f68c2a55ec
          SHA512: a139df792b36b179378ccb21cce89d89eaa4a43a35c45916bfbded939436bd2d391f11ec368fcd0620623db0bcb43fcf7ea47e03f24db52093eabf8d1ff5a1d9

        • C:\driverPerf\g4pK8s1dCKS6KxkAWsMtWcT.vbe
          Filesize: 199B
          MD5: 3804e3ae55ee7bf3584bb2b6709de114
          SHA1: 4b5cf16a8fd49ca13c22e0088e223fddc4fd84ae
          SHA256: cc35cdbd169f4ac11ca2550a61aefa051b3407347d8e0798209212649657aa19
          SHA512: dba42db3ee28ea3ad40d2440c0c116c064751eea148607dd9043126ba3de75b2d58abb0a7f890193eb6ebb0d1c02d7928e72a73ca40fa5b4ab8389110e6835fb

        • C:\driverPerf\msblock.exe
          Filesize: 826KB
          MD5: dee33f30963672c3ced45d21865491e7
          SHA1: 32ba23ca2c1a5a417598e74f40ea3f565af576a5
          SHA256: d4fbd231478b43f169e0fc0ae2f08d13bae4e0918d11265e417f4d8d0e44e394
          SHA512: 2f028b8ef81b194a77e29f894a9eb990f7b68faef7731c6b8abea4a7000210c8e755e34beae362a93eff45deb03b686921fb923955f64a2ff99ec65c9622c704

        • \driverPerf\msblock.exe
          Filesize: 826KB
          MD5: dee33f30963672c3ced45d21865491e7
          SHA1: 32ba23ca2c1a5a417598e74f40ea3f565af576a5
          SHA256: d4fbd231478b43f169e0fc0ae2f08d13bae4e0918d11265e417f4d8d0e44e394
          SHA512: 2f028b8ef81b194a77e29f894a9eb990f7b68faef7731c6b8abea4a7000210c8e755e34beae362a93eff45deb03b686921fb923955f64a2ff99ec65c9622c704

        • memory/2496-36-0x0000000001180000-0x0000000001256000-memory.dmp (Filesize: 856KB)
        • memory/2496-37-0x000007FEF5950000-0x000007FEF633C000-memory.dmp (Filesize: 9.9MB)
        • memory/2496-38-0x0000000000A20000-0x0000000000AA0000-memory.dmp (Filesize: 512KB)
        • memory/2496-111-0x000007FEF5950000-0x000007FEF633C000-memory.dmp (Filesize: 9.9MB)
        • memory/2496-112-0x0000000000A20000-0x0000000000AA0000-memory.dmp (Filesize: 512KB)
        • memory/2660-15-0x000000001AE40000-0x000000001AEC0000-memory.dmp (Filesize: 512KB)
        • memory/2660-14-0x000007FEF5950000-0x000007FEF633C000-memory.dmp (Filesize: 9.9MB)
        • memory/2660-13-0x0000000000E60000-0x0000000000F36000-memory.dmp (Filesize: 856KB)
        • memory/2660-110-0x000007FEF5950000-0x000007FEF633C000-memory.dmp (Filesize: 9.9MB)