Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2024, 04:31
Behavioral task: behavioral1
Sample: 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
Resource: win10v2004-20240226-en
General
Target: 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
Size: 1.2MB
MD5: d7a0ca18ae95c63d25af6782b7bd6b8d
SHA1: 86450a088d627ab64129c4dc34a824da3ee4b561
SHA256: 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3
SHA512: 9714dcca024cd2780fb28ad9b12280e6ad4b0aca3b6650e0137c80c4b2b29db68add4b5085fa2ddf49e780a470b936b3bb74282eb3c4246661f6bd60a7688274
SSDEEP: 24576:U2G/nvxW3Ww0txzb2+Jh6UN0AbIkKlAgHJOsiCWzD6z+47:UbA30B5rbNlILj1hCc
Malware Config
Signatures
DcRat 7 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
File created | C:\Windows\System32\kdusb\spoolsv.exe | | winsessionperfcrtdhcpFontmonitornet.exe
| | 2456 | schtasks.exe
| | 2436 | schtasks.exe
| | 1076 | schtasks.exe
| | 1964 | schtasks.exe
| | 2696 | schtasks.exe
| | 520 | schtasks.exe
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2456 | 2448 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 2448 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1076 | 2448 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2448 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2448 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 520 | 2448 | schtasks.exe | 32
resource | yara_rule
behavioral1/files/0x002c000000014c3b-9.dat | dcrat
behavioral1/memory/2600-13-0x00000000003C0000-0x00000000004AA000-memory.dmp | dcrat
behavioral1/memory/668-35-0x0000000000EB0000-0x0000000000F9A000-memory.dmp | dcrat
behavioral1/memory/668-36-0x000000001AE00000-0x000000001AE80000-memory.dmp | dcrat
Executes dropped EXE 2 IoCs
pid | Process
2600 | winsessionperfcrtdhcpFontmonitornet.exe
668 | csrss.exe

Loads dropped DLL 2 IoCs
pid | Process
2544 | cmd.exe
2544 | cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\kdusb\\spoolsv.exe\"" | winsessionperfcrtdhcpFontmonitornet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\avicap32\\csrss.exe\"" | winsessionperfcrtdhcpFontmonitornet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\authui\\taskhost.exe\"" | winsessionperfcrtdhcpFontmonitornet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Searches\\Idle.exe\"" | winsessionperfcrtdhcpFontmonitornet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\ntoskrnl\\services.exe\"" | winsessionperfcrtdhcpFontmonitornet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\MSBuild\\sppsvc.exe\"" | winsessionperfcrtdhcpFontmonitornet.exe

Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\System32\kdusb\spoolsv.exe | winsessionperfcrtdhcpFontmonitornet.exe
File created | C:\Windows\System32\avicap32\csrss.exe | winsessionperfcrtdhcpFontmonitornet.exe
File created | C:\Windows\System32\avicap32\886983d96e3d3e31032c679b2d4ea91b6c05afef | winsessionperfcrtdhcpFontmonitornet.exe
File created | C:\Windows\System32\ntoskrnl\services.exe | winsessionperfcrtdhcpFontmonitornet.exe
File opened for modification | C:\Windows\System32\kdusb\spoolsv.exe | winsessionperfcrtdhcpFontmonitornet.exe
File created | C:\Windows\System32\kdusb\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 | winsessionperfcrtdhcpFontmonitornet.exe
File created | C:\Windows\System32\authui\taskhost.exe | winsessionperfcrtdhcpFontmonitornet.exe
File created | C:\Windows\System32\authui\b75386f1303e64d8139363b71e44ac16341adf4e | winsessionperfcrtdhcpFontmonitornet.exe
File created | C:\Windows\System32\ntoskrnl\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d | winsessionperfcrtdhcpFontmonitornet.exe

Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\MSBuild\sppsvc.exe | winsessionperfcrtdhcpFontmonitornet.exe
File created | C:\Program Files\MSBuild\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c | winsessionperfcrtdhcpFontmonitornet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1076 | schtasks.exe
1964 | schtasks.exe
2696 | schtasks.exe
520 | schtasks.exe
2456 | schtasks.exe
2436 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2600 | winsessionperfcrtdhcpFontmonitornet.exe
2600 | winsessionperfcrtdhcpFontmonitornet.exe
2600 | winsessionperfcrtdhcpFontmonitornet.exe
668 | csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2600 | winsessionperfcrtdhcpFontmonitornet.exe
Token: SeDebugPrivilege | 668 | csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 2164 wrote to memory of 2960 | 2164 | 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe | 28
PID 2164 wrote to memory of 2960 | 2164 | 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe | 28
PID 2164 wrote to memory of 2960 | 2164 | 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe | 28
PID 2164 wrote to memory of 2960 | 2164 | 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe | 28
PID 2960 wrote to memory of 2544 | 2960 | WScript.exe | 29
PID 2960 wrote to memory of 2544 | 2960 | WScript.exe | 29
PID 2960 wrote to memory of 2544 | 2960 | WScript.exe | 29
PID 2960 wrote to memory of 2544 | 2960 | WScript.exe | 29
PID 2544 wrote to memory of 2600 | 2544 | cmd.exe | 31
PID 2544 wrote to memory of 2600 | 2544 | cmd.exe | 31
PID 2544 wrote to memory of 2600 | 2544 | cmd.exe | 31
PID 2544 wrote to memory of 2600 | 2544 | cmd.exe | 31
PID 2600 wrote to memory of 668 | 2600 | winsessionperfcrtdhcpFontmonitornet.exe | 39
PID 2600 wrote to memory of 668 | 2600 | winsessionperfcrtdhcpFontmonitornet.exe | 39
PID 2600 wrote to memory of 668 | 2600 | winsessionperfcrtdhcpFontmonitornet.exe | 39
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2164
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\winsessionperfcrtdhcp\H4eizCYuNaDysMfGy8i9P9o.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 2960
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\winsessionperfcrtdhcp\USu4u0OJi5iSZO.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2544
      C:\winsessionperfcrtdhcp\winsessionperfcrtdhcpFontmonitornet.exe
        Command line: "C:\winsessionperfcrtdhcp\winsessionperfcrtdhcpFontmonitornet.exe"
        - DcRat
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2600
        C:\Windows\System32\avicap32\csrss.exe
          Command line: "C:\Windows\System32\avicap32\csrss.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 668

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\kdusb\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2456

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\avicap32\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2436

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\authui\taskhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1076

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1964

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\ntoskrnl\services.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2696

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 520
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
  Filesize: 212B
  MD5: 7b821ef7118b960e5707288a81e136cc
  SHA1: 6251f2f8d2cf3a107b26a53b09feae748bfb8088
  SHA256: a6bbcf93787d3e116fe20798611f286a07f95388bf4fe0695af6a55a0d1f3d4d
  SHA512: 892d97be3dff4a2e2596becdcf65114a29f2ae6536c187587addfe5017d35ef73148106df0f5c37536ca530e146a081d9a33a68eea54ecbb037fb6b951bc38de

Dropped file 2
  Filesize: 66B
  MD5: 0286dfaabb2eaca6be6162d5872aaeba
  SHA1: 75ab5fa416ec4e9e3df83f28cc67e71c593cfda4
  SHA256: a07930110496f899d363e0120709c95eca5fdd7ce127e51457647a9eec103622
  SHA512: 6b5999896ca5d3c2d38054769ba76402d6e53406a5bed281dd17fa5d3db0c7dcc711acc997bf7f9e602643a896da4de5cd0c59d393bbea82a3e03474ecfbbb6f

Dropped file 3
  Filesize: 910KB
  MD5: 13ba0d9074cdbfeae9f78242af80afb6
  SHA1: ec312cbd990aa9b5dd03d7bd73ffbe79d7ddc27c
  SHA256: a57b942025856c8ba21f897830a67cd4d3e317587f0bb6a7fce37f53d9e9d026
  SHA512: 03e00bb2dbd43249489fe0a32a9277134eb026b1322bee5a208718e05ba9a4077ad4e02075c1e12cf6e3d941329a1203a3210ea932ea86b8855d01867dfe37c9