Analysis

max time kernel: 133s
max time network: 151s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 07/12/2023, 05:56
Behavioral task behavioral1
  Sample: 44e2a2a697477c436112954794761cc0.exe
  Resource: win7-20231023-en

Behavioral task behavioral2
  Sample: 44e2a2a697477c436112954794761cc0.exe
  Resource: win10v2004-20231201-en
General

Target: 44e2a2a697477c436112954794761cc0.exe
Size: 1.1MB
MD5: 44e2a2a697477c436112954794761cc0
SHA1: 87195428fd9e65ea14889e4853dc44f391088963
SHA256: 90f403c6304240465460ace49b8db9d46c7d28bc36fd49b89f4722ee497bd2dd
SHA512: c2040c04ec3d743941c2ba059f572f07d5df2a043c5302b3cf6e13d74610025457be22c3b8d9a1943873b99ac72e5972830a5c17becc52fdc19582e0d58911c4
SSDEEP: 24576:U2G/nvxW3Ww0titP01wNiMXBlVJX3NSdGKJg6U8HC:UbA30KP0XMXHX38dPDi
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Description for every row: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process.
  pid   pid_target  Process       procid_target
  2524  2696        schtasks.exe  32
  2560  2696        schtasks.exe  32
  2948  2696        schtasks.exe  32
  2084  2696        schtasks.exe  32
  1624  2696        schtasks.exe  32
  808   2696        schtasks.exe  32
  1920  2696        schtasks.exe  32
  2740  2696        schtasks.exe  32
  2804  2696        schtasks.exe  32
  476   2696        schtasks.exe  32
  1944  2696        schtasks.exe  32
  1628  2696        schtasks.exe  32
  2032  2696        schtasks.exe  32
  1124  2696        schtasks.exe  32
  1704  2696        schtasks.exe  32
  1988  2696        schtasks.exe  32
  2864  2696        schtasks.exe  32
  1008  2696        schtasks.exe  32
  896   2696        schtasks.exe  32
  1552  2696        schtasks.exe  32
  1700  2696        schtasks.exe  32

YARA matches (resource / yara_rule):
  behavioral1/files/0x0033000000015c6d-9.dat                                   dcrat
  behavioral1/files/0x0033000000015c6d-12.dat                                  dcrat
  behavioral1/files/0x0033000000015c6d-11.dat                                  dcrat
  behavioral1/files/0x0033000000015c6d-10.dat                                  dcrat
  behavioral1/memory/2732-13-0x0000000001180000-0x0000000001256000-memory.dmp  dcrat
  behavioral1/files/0x000600000001608c-20.dat                                  dcrat
  behavioral1/files/0x00060000000162f2-37.dat                                  dcrat
  behavioral1/files/0x00060000000162f2-36.dat                                  dcrat
  behavioral1/memory/2908-38-0x0000000000830000-0x0000000000906000-memory.dmp  dcrat
Executes dropped EXE (2 IoCs)
  pid   Process
  2732  intoperf.exe
  2908  explorer.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2652  cmd.exe
  2652  cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Drops file in Windows directory (2 IoCs)
  description   ioc                                                        Process
  File created  C:\Windows\Resources\Ease of Access Themes\services.exe    intoperf.exe
  File created  C:\Windows\Resources\Ease of Access Themes\c5b4cb5e9653cc  intoperf.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process: schtasks.exe, one row per pid: 2560, 2084, 1920, 1700, 1704, 1988, 2524, 808, 476, 1944, 1628, 1624, 2804, 2864, 896, 1552, 2948, 2740, 2032, 1124, 1008

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process       rows
  2732  intoperf.exe  3
  2908  explorer.exe  9

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2908  explorer.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2732  intoperf.exe
  Token: SeDebugPrivilege  2908  explorer.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                       pid   Process                               procid_target  rows
  PID 2020 wrote to memory of 1280  2020  44e2a2a697477c436112954794761cc0.exe  28             4
  PID 1280 wrote to memory of 2652  1280  WScript.exe                           29             4
  PID 2652 wrote to memory of 2732  2652  cmd.exe                               31             4
  PID 2732 wrote to memory of 2128  2732  intoperf.exe                          54             3
  PID 2128 wrote to memory of 1616  2128  cmd.exe                               56             3
  PID 2128 wrote to memory of 2908  2128  cmd.exe                               57             3

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (depth in brackets, children indented under their parent):

[1] C:\Users\Admin\AppData\Local\Temp\44e2a2a697477c436112954794761cc0.exe (PID 2020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\44e2a2a697477c436112954794761cc0.exe"
    Signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WScript.exe (PID 1280)
        Command line: "C:\Windows\System32\WScript.exe" "C:\bridgewin\j1qIwrxR5PWhzH3rYbChGhv1rfV.vbe"
        Signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2652)
            Command line: cmd /c ""C:\bridgewin\aVtauS9Ns.bat" "
            Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

            [4] C:\bridgewin\intoperf.exe (PID 2732)
                Command line: "C:\bridgewin\intoperf.exe"
                Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

                [5] C:\Windows\System32\cmd.exe (PID 2128)
                    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSGzlsGc5j.bat"
                    Signatures: Suspicious use of WriteProcessMemory

                    [6] C:\Windows\system32\w32tm.exe (PID 1616)
                        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

                    [6] C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\explorer.exe (PID 2908)
                        Command line: "C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\explorer.exe"
                        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken

Scheduled task creations, all at depth [1] with image C:\Windows\system32\schtasks.exe. Every entry carries the signatures Process spawned unexpected child process and Creates scheduled task(s).

[1] PID 2524: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\bridgewin\lsass.exe'" /f
[1] PID 2560: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\bridgewin\lsass.exe'" /rl HIGHEST /f
[1] PID 2948: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\bridgewin\lsass.exe'" /rl HIGHEST /f
[1] PID 2084: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /f
[1] PID 1624: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /rl HIGHEST /f
[1] PID 808: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /rl HIGHEST /f
[1] PID 1920: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
[1] PID 2740: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
[1] PID 2804: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
[1] PID 476: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\explorer.exe'" /f
[1] PID 1944: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\explorer.exe'" /rl HIGHEST /f
[1] PID 1628: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\explorer.exe'" /rl HIGHEST /f
[1] PID 2032: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
[1] PID 1124: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
[1] PID 1704: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
[1] PID 1988: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
[1] PID 2864: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
[1] PID 1008: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
[1] PID 896: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /f
[1] PID 1552: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /rl HIGHEST /f
[1] PID 1700: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads