Analysis
max time kernel
129s
max time network
148s
platform
windows7_x64
resource
win7-20231130-en
resource tags
arch:x64 arch:x86 image:win7-20231130-en locale:en-us os:windows7-x64 system
submitted
07/12/2023, 05:55
Behavioral task
behavioral1
Sample
44e2a2a697477c436112954794761cc0.exe
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
44e2a2a697477c436112954794761cc0.exe
Resource
win10v2004-20231201-en
General
Target
44e2a2a697477c436112954794761cc0.exe
Size
1.1MB
MD5
44e2a2a697477c436112954794761cc0
SHA1
87195428fd9e65ea14889e4853dc44f391088963
SHA256
90f403c6304240465460ace49b8db9d46c7d28bc36fd49b89f4722ee497bd2dd
SHA512
c2040c04ec3d743941c2ba059f572f07d5df2a043c5302b3cf6e13d74610025457be22c3b8d9a1943873b99ac72e5972830a5c17becc52fdc19582e0d58911c4
SSDEEP
24576:U2G/nvxW3Ww0titP01wNiMXBlVJX3NSdGKJg6U8HC:UbA30KP0XMXHX38dPDi
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                         pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2448  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3056  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2476  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2608  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2444  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2472  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1216  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3044  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2244  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1752  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2632  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  948   2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1304  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2424  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1992  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1956  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2620  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2000  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2928  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1952  2712        schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1684  2712        schtasks.exe  32

resource                                                                      yara_rule
behavioral1/files/0x000a00000001439b-9.dat                                    dcrat
behavioral1/files/0x000a00000001439b-11.dat                                   dcrat
behavioral1/files/0x000a00000001439b-10.dat                                   dcrat
behavioral1/files/0x000a00000001439b-12.dat                                   dcrat
behavioral1/memory/2536-13-0x0000000000FD0000-0x00000000010A6000-memory.dmp   dcrat
behavioral1/files/0x00070000000147f7-20.dat                                   dcrat
behavioral1/files/0x00060000000155fd-36.dat                                   dcrat
behavioral1/files/0x00060000000155fd-37.dat                                   dcrat
behavioral1/memory/1116-38-0x0000000000F50000-0x0000000001026000-memory.dmp   dcrat
behavioral1/memory/1116-40-0x0000000000BA0000-0x0000000000C20000-memory.dmp   dcrat

Executes dropped EXE 2 IoCs
pid   Process
2536  intoperf.exe
1116  dwm.exe

Loads dropped DLL 2 IoCs
pid   Process
2128  cmd.exe
2128  cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops file in Program Files directory 4 IoCs
description   ioc                                                        Process
File created  C:\Program Files\Windows Portable Devices\System.exe       intoperf.exe
File created  C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0   intoperf.exe
File created  C:\Program Files\Windows Journal\dwm.exe                   intoperf.exe
File created  C:\Program Files\Windows Journal\6cb0b6c459d5d3            intoperf.exe

Drops file in Windows directory 5 IoCs
description                   ioc                                                   Process
File created                  C:\Windows\Branding\Basebrd\en-US\101b941d020240      intoperf.exe
File created                  C:\Windows\Web\Wallpaper\Characters\conhost.exe       intoperf.exe
File created                  C:\Windows\Web\Wallpaper\Characters\088424020bedd6    intoperf.exe
File created                  C:\Windows\Branding\Basebrd\en-US\lsm.exe             intoperf.exe
File opened for modification  C:\Windows\Branding\Basebrd\en-US\lsm.exe             intoperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2632  schtasks.exe
2424  schtasks.exe
2448  schtasks.exe
2476  schtasks.exe
2608  schtasks.exe
3044  schtasks.exe
2244  schtasks.exe
1752  schtasks.exe
1956  schtasks.exe
2000  schtasks.exe
1304  schtasks.exe
1952  schtasks.exe
3056  schtasks.exe
2472  schtasks.exe
948   schtasks.exe
1684  schtasks.exe
2444  schtasks.exe
1216  schtasks.exe
1992  schtasks.exe
2620  schtasks.exe
2928  schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid   Process
2536  intoperf.exe
2536  intoperf.exe
2536  intoperf.exe
2536  intoperf.exe
2536  intoperf.exe
1116  dwm.exe
1116  dwm.exe
1116  dwm.exe
1116  dwm.exe
1116  dwm.exe
1116  dwm.exe
1116  dwm.exe
1116  dwm.exe
1116  dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1116  dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  2536  intoperf.exe
Token: SeDebugPrivilege  1116  dwm.exe

Suspicious use of WriteProcessMemory 21 IoCs
description                        pid   Process                               procid_target
PID 3052 wrote to memory of 2828   3052  44e2a2a697477c436112954794761cc0.exe  28
PID 3052 wrote to memory of 2828   3052  44e2a2a697477c436112954794761cc0.exe  28
PID 3052 wrote to memory of 2828   3052  44e2a2a697477c436112954794761cc0.exe  28
PID 3052 wrote to memory of 2828   3052  44e2a2a697477c436112954794761cc0.exe  28
PID 2828 wrote to memory of 2128   2828  WScript.exe                           29
PID 2828 wrote to memory of 2128   2828  WScript.exe                           29
PID 2828 wrote to memory of 2128   2828  WScript.exe                           29
PID 2828 wrote to memory of 2128   2828  WScript.exe                           29
PID 2128 wrote to memory of 2536   2128  cmd.exe                               31
PID 2128 wrote to memory of 2536   2128  cmd.exe                               31
PID 2128 wrote to memory of 2536   2128  cmd.exe                               31
PID 2128 wrote to memory of 2536   2128  cmd.exe                               31
PID 2536 wrote to memory of 2268   2536  intoperf.exe                          54
PID 2536 wrote to memory of 2268   2536  intoperf.exe                          54
PID 2536 wrote to memory of 2268   2536  intoperf.exe                          54
PID 2268 wrote to memory of 2956   2268  cmd.exe                               56
PID 2268 wrote to memory of 2956   2268  cmd.exe                               56
PID 2268 wrote to memory of 2956   2268  cmd.exe                               56
PID 2268 wrote to memory of 1116   2268  cmd.exe                               57
PID 2268 wrote to memory of 1116   2268  cmd.exe                               57
PID 2268 wrote to memory of 1116   2268  cmd.exe                               57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(nesting depth shown in brackets; child processes are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\44e2a2a697477c436112954794761cc0.exe
    "C:\Users\Admin\AppData\Local\Temp\44e2a2a697477c436112954794761cc0.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3052

  [2] C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgewin\j1qIwrxR5PWhzH3rYbChGhv1rfV.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 2828

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\bridgewin\aVtauS9Ns.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2128

      [4] C:\bridgewin\intoperf.exe
          "C:\bridgewin\intoperf.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2536

        [5] C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HafTyyQZTn.bat"
            - Suspicious use of WriteProcessMemory
            PID: 2268

          [6] C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 2956

          [6] C:\Program Files\Windows Journal\dwm.exe
              "C:\Program Files\Windows Journal\dwm.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID: 1116

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\en-US\lsm.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2448

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3056

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\en-US\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2476

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Characters\conhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2608

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Characters\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2444

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Characters\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2472

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1216

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3044

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2244

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\bridgewin\csrss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1752

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgewin\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2632

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\bridgewin\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 948

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\conhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1304

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2424

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1992

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1956

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2620

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2000

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\dwm.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2928

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1952

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1684
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
827KB
MD5
cb173771fd6331c5d9db3bef77acb57a
SHA1
f3680aab95eb9f37b38cc616bc6b01db3cc953c2
SHA256
251f52babec252887919e29c83180c6075a08e395f7fc2f44222e0dd320478b8
SHA512
826730b301286e2d1c1137716c393a2fee686cc3146852e3903e9b3ca7026dce9dbb839537028d8deb16903d60b4604830b51992058f649cc2259cacf3f55bb7

Filesize
827KB
MD5
cb173771fd6331c5d9db3bef77acb57a
SHA1
f3680aab95eb9f37b38cc616bc6b01db3cc953c2
SHA256
251f52babec252887919e29c83180c6075a08e395f7fc2f44222e0dd320478b8
SHA512
826730b301286e2d1c1137716c393a2fee686cc3146852e3903e9b3ca7026dce9dbb839537028d8deb16903d60b4604830b51992058f649cc2259cacf3f55bb7

Filesize
827KB
MD5
cb173771fd6331c5d9db3bef77acb57a
SHA1
f3680aab95eb9f37b38cc616bc6b01db3cc953c2
SHA256
251f52babec252887919e29c83180c6075a08e395f7fc2f44222e0dd320478b8
SHA512
826730b301286e2d1c1137716c393a2fee686cc3146852e3903e9b3ca7026dce9dbb839537028d8deb16903d60b4604830b51992058f649cc2259cacf3f55bb7

Filesize
65KB
MD5
ac05d27423a85adc1622c714f2cb6184
SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize
205B
MD5
8ead1ad0a44a4f49e8aab28ed03b0605
SHA1
89f4c090c0190dfb0aeff59c84453db3cd8c2b7b
SHA256
ba03543f616da58ade674bc74194d9ab2ccd7da6bf6a737c6e0d5e28f68df10b
SHA512
5c397be976c99b8842c49ba516bf0e9abf3c7af947cbf90944242d69a7c45e18d22360a6d8d201b402496bf3676e368f5cc7bee3f34f646a4757615d213b022e

Filesize
171KB
MD5
9c0c641c06238516f27941aa1166d427
SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize
27B
MD5
9563bdb4457bb726008ec17163dcefe6
SHA1
7c2927cc8ae633484e96cf0926eabadcffe44554
SHA256
f7016b9d9c3f1d7b89e0a4c06b1183e0d7207be92bad7e7cc960e976758fac4c
SHA512
5e5cb09ac2017366cbc024e452983ea783b763b837e00c67e450a86a7b83fbc5bf97da87b19d41f0393e8faf5d97491529d55a52e4556868a249d299bc002591

Filesize
827KB
MD5
cb173771fd6331c5d9db3bef77acb57a
SHA1
f3680aab95eb9f37b38cc616bc6b01db3cc953c2
SHA256
251f52babec252887919e29c83180c6075a08e395f7fc2f44222e0dd320478b8
SHA512
826730b301286e2d1c1137716c393a2fee686cc3146852e3903e9b3ca7026dce9dbb839537028d8deb16903d60b4604830b51992058f649cc2259cacf3f55bb7

Filesize
827KB
MD5
cb173771fd6331c5d9db3bef77acb57a
SHA1
f3680aab95eb9f37b38cc616bc6b01db3cc953c2
SHA256
251f52babec252887919e29c83180c6075a08e395f7fc2f44222e0dd320478b8
SHA512
826730b301286e2d1c1137716c393a2fee686cc3146852e3903e9b3ca7026dce9dbb839537028d8deb16903d60b4604830b51992058f649cc2259cacf3f55bb7

Filesize
195B
MD5
bcb81ae961fe26cc730d5429caee2a15
SHA1
5eee2200e5a5d79aa54e9de51a5e7332d26b32fc
SHA256
d8fe32ec91d7d9e865ce5f3a3382d6093ea78fbeb4dfe521021ad918f6f64bc3
SHA512
aaea8d450d6ca80ff0b6d82b8585a9e808863891fbc2de9387ad0220263d98898c89bebca90d331bef7eb900718c8625d4a259c0034b05246524e6d83fe5599d

Filesize
827KB
MD5
cb173771fd6331c5d9db3bef77acb57a
SHA1
f3680aab95eb9f37b38cc616bc6b01db3cc953c2
SHA256
251f52babec252887919e29c83180c6075a08e395f7fc2f44222e0dd320478b8
SHA512
826730b301286e2d1c1137716c393a2fee686cc3146852e3903e9b3ca7026dce9dbb839537028d8deb16903d60b4604830b51992058f649cc2259cacf3f55bb7

Filesize
827KB
MD5
cb173771fd6331c5d9db3bef77acb57a
SHA1
f3680aab95eb9f37b38cc616bc6b01db3cc953c2
SHA256
251f52babec252887919e29c83180c6075a08e395f7fc2f44222e0dd320478b8
SHA512
826730b301286e2d1c1137716c393a2fee686cc3146852e3903e9b3ca7026dce9dbb839537028d8deb16903d60b4604830b51992058f649cc2259cacf3f55bb7