Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2024, 02:41
Behavioral task: behavioral1
Sample: dd0a4243de09c5864297da95ddc1362c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: dd0a4243de09c5864297da95ddc1362c.exe
Resource: win10v2004-20240319-en
General
Target: dd0a4243de09c5864297da95ddc1362c.exe
Size: 1.6MB
MD5: dd0a4243de09c5864297da95ddc1362c
SHA1: e91545cf645d3987e44d657bd37b79a2cd7515d4
SHA256: 23a9505d97a5c7c3ac76901f21e72ca79d0aa56393c3e9e13f30f5286431f1cc
SHA512: b0ae4c48264051823bd74167c42e4071d189394b77b664f333c872f8ff8d20dddf26b2dc64efb013bf735d5accac2e38f340079c23c53196709eed9765123901
SSDEEP: 24576:i2G/nvxW3WyZRE4c3f7LcJVCsjTcgucZDlx7HZHb40W00l6g+4V:ibA3NELx+0lGe
Malware Config
Signatures
DcRat (7 IoCs)
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
- | - | 2732 | schtasks.exe
- | - | 2512 | schtasks.exe
File created | C:\Windows\System32\sppwmi\sppsvc.exe | - | MonitornetdhcpcommonRefhostDll.exe
- | - | 2416 | schtasks.exe
- | - | 2544 | schtasks.exe
- | - | 1276 | schtasks.exe
- | - | 2720 | schtasks.exe
Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 2560 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2560 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1276 | 2560 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2560 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2560 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 2560 | schtasks.exe | 32
resource | yara_rule
behavioral1/files/0x0031000000015c1e-9.dat | dcrat
behavioral1/memory/2428-13-0x0000000000340000-0x000000000048E000-memory.dmp | dcrat
behavioral1/memory/2784-36-0x00000000008F0000-0x0000000000A3E000-memory.dmp | dcrat
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | winlogon.exe

Executes dropped EXE (2 IoCs)
pid | Process
2428 | MonitornetdhcpcommonRefhostDll.exe
2784 | winlogon.exe

Loads dropped DLL (2 IoCs)
pid | Process
2580 | cmd.exe
2580 | cmd.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\sppwmi\\sppsvc.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Media Player\\winlogon.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\setup16\\cmd.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\Admin\\services.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Monitornetdhcpcommon\\sppsvc.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\EhStorAPI\\csrss.exe\"" | MonitornetdhcpcommonRefhostDll.exe

Drops file in System32 directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\setup16\cmd.exe | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\SysWOW64\setup16\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228 | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\System32\EhStorAPI\csrss.exe | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\System32\EhStorAPI\886983d96e3d3e31032c679b2d4ea91b6c05afef | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\System32\sppwmi\sppsvc.exe | MonitornetdhcpcommonRefhostDll.exe
File opened for modification | C:\Windows\System32\sppwmi\sppsvc.exe | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\System32\sppwmi\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c | MonitornetdhcpcommonRefhostDll.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows Media Player\winlogon.exe | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Program Files\Windows Media Player\cc11b995f2a76da408ea6a601e682e64743153ad | MonitornetdhcpcommonRefhostDll.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2732 | schtasks.exe
2512 | schtasks.exe
2416 | schtasks.exe
2544 | schtasks.exe
1276 | schtasks.exe
2720 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2428 | MonitornetdhcpcommonRefhostDll.exe
2784 | winlogon.exe
2784 | winlogon.exe
2784 | winlogon.exe
2784 | winlogon.exe
2784 | winlogon.exe
2784 | winlogon.exe
2784 | winlogon.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2428 | MonitornetdhcpcommonRefhostDll.exe
Token: SeDebugPrivilege | 2784 | winlogon.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2684 wrote to memory of 2136 | 2684 | dd0a4243de09c5864297da95ddc1362c.exe | 28
PID 2684 wrote to memory of 2136 | 2684 | dd0a4243de09c5864297da95ddc1362c.exe | 28
PID 2684 wrote to memory of 2136 | 2684 | dd0a4243de09c5864297da95ddc1362c.exe | 28
PID 2684 wrote to memory of 2136 | 2684 | dd0a4243de09c5864297da95ddc1362c.exe | 28
PID 2136 wrote to memory of 2580 | 2136 | WScript.exe | 29
PID 2136 wrote to memory of 2580 | 2136 | WScript.exe | 29
PID 2136 wrote to memory of 2580 | 2136 | WScript.exe | 29
PID 2136 wrote to memory of 2580 | 2136 | WScript.exe | 29
PID 2580 wrote to memory of 2428 | 2580 | cmd.exe | 31
PID 2580 wrote to memory of 2428 | 2580 | cmd.exe | 31
PID 2580 wrote to memory of 2428 | 2580 | cmd.exe | 31
PID 2580 wrote to memory of 2428 | 2580 | cmd.exe | 31
PID 2428 wrote to memory of 2784 | 2428 | MonitornetdhcpcommonRefhostDll.exe | 39
PID 2428 wrote to memory of 2784 | 2428 | MonitornetdhcpcommonRefhostDll.exe | 39
PID 2428 wrote to memory of 2784 | 2428 | MonitornetdhcpcommonRefhostDll.exe | 39

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe"
  PID: 2684
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Monitornetdhcpcommon\qTMy7tKgcv8HK3o1cT.vbe"
    PID: 2136
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Monitornetdhcpcommon\UMkN4Z1.bat" "
      PID: 2580
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe
        Command line: "C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe"
        PID: 2428
        - DcRat
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Windows Media Player\winlogon.exe
          Command line: "C:\Program Files\Windows Media Player\winlogon.exe"
          PID: 2784
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\sppwmi\sppsvc.exe'" /rl HIGHEST /f
  PID: 2416
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
  PID: 2544
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\setup16\cmd.exe'" /rl HIGHEST /f
  PID: 1276
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f
  PID: 2720
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Monitornetdhcpcommon\sppsvc.exe'" /rl HIGHEST /f
  PID: 2732
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\EhStorAPI\csrss.exe'" /rl HIGHEST /f
  PID: 2512
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: 48a60762b79ad9f6a6243ac662713ce2
SHA1: b0adb833ec22168c21022ff4a9da743d2803dace
SHA256: 7125fce7974bcb82ed25158d6df05502444032b5ee3dbd632b9688ea0aa3d4c4
SHA512: f26f35f69fd8fe4c83cad1e06cb5e0451654f6890242f4781a83d74c79d36116dd802e71f2914664d2858ac43a08ecec2fcabdd29093b8f40e03b79f30059cb3

Filesize: 204B
MD5: bf3d7f76563cab7463d7af23eae9806d
SHA1: c5bf0526d8815d1223a1fd7919872ab22fb0d86c
SHA256: 90d824616f4cfb00b38f8787620d092ece7fec348c788d4cafd4a37e30abe194
SHA512: 7020295c2f35b05297f432b387ae50fb884ba7eb856f333cf5dc16c2d779b11a1a64bdf7c4abdc974666e6225dc7824e6e45c6bc258519a0a5baaf95619ac430

Filesize: 1.3MB
MD5: 5403717e99762e8c0e9cc5e97c74473c
SHA1: 3405db3bab54365efb29172f061dc461a43f9da3
SHA256: c282d6ab229dbc8f26ebe56d64db0c5ac2721a8d0d3d3f915563d125cccbbb4b
SHA512: 334b4da3b0a8c92d1f10ddaae473379a0ed966e699d45aa57240c37464f3f30488375376d447f0e6ab621fa92337a79f95ca387dbb72e337565f0a9eda0400a3