Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25/03/2024, 04:09
Behavioral task: behavioral1
- Sample: dd32729dcf73c31a478099c25da5789c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: dd32729dcf73c31a478099c25da5789c.exe
- Resource: win10v2004-20240226-en
General
- Target: dd32729dcf73c31a478099c25da5789c.exe
- Size: 1.4MB
- MD5: dd32729dcf73c31a478099c25da5789c
- SHA1: dad05d17829936c6136d16962c38d2981e56bb21
- SHA256: 6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e
- SHA512: fcf113386c292d03c39071587907f0700936d0ac060c8b96f1ce71683b5e78b1c4b730fdc79b35bb1fe097010844e237034a4184e32fc0b4566ef2f31d382fc0
- SSDEEP: 24576:U2G/nvxW3Ww0tdGyavpdrgnar7l2odPdcsZHpa+AGO05d2GqXW+lWR++40:UbA30alr7tcsZHpaVwulmJ
Malware Config
Signatures
DcRat (8 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
pid | Process
1672 | schtasks.exe
2428 | schtasks.exe
2496 | schtasks.exe
2164 | schtasks.exe
1972 | schtasks.exe
268 | schtasks.exe
1388 | schtasks.exe
2784 | schtasks.exe
Process spawned unexpected child process (8 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2676 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2496 | 2676 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2164 | 2676 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 2676 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 268 | 2676 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1388 | 2676 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 2676 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1672 | 2676 | schtasks.exe | 32
resource | yara_rule
behavioral1/files/0x002200000001559a-9.dat | dcrat
behavioral1/memory/2552-13-0x0000000001280000-0x00000000013A2000-memory.dmp | dcrat
behavioral1/memory/1680-38-0x0000000000100000-0x0000000000222000-memory.dmp | dcrat
behavioral1/memory/1680-40-0x000000001A8A0000-0x000000001A920000-memory.dmp | dcrat
Executes dropped EXE (2 IoCs)
pid | Process
2552 | winPerfdhcpCommonSvcsavesperfMonitor.exe
1680 | dwm.exe
Loads dropped DLL (2 IoCs)
pid | Process
2624 | cmd.exe
2624 | cmd.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\Desktop\\cmd.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Start Menu\\dwm.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\cscdll\\services.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\PerfLogs\\Admin\\sppsvc.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\avicap32\\csrss.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\WMSPDMOE\\sppsvc.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\System32\avicap32\886983d96e3d3e31032c679b2d4ea91b6c05afef | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\System32\WMSPDMOE\sppsvc.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\System32\WMSPDMOE\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\System32\cscdll\services.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\System32\cscdll\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\System32\avicap32\csrss.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Uninstall Information\smss.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Program Files\Uninstall Information\69ddcba757bf72f7d36c464c71f42baab150b2b9 | winPerfdhcpCommonSvcsavesperfMonitor.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\rescache\rc0000\System.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\DtcInstall\explorer.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\DtcInstall\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | winPerfdhcpCommonSvcsavesperfMonitor.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 8 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1672 | schtasks.exe
2428 | schtasks.exe
2496 | schtasks.exe
2164 | schtasks.exe
1972 | schtasks.exe
268 | schtasks.exe
1388 | schtasks.exe
2784 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2552 | winPerfdhcpCommonSvcsavesperfMonitor.exe
1680 | dwm.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2552 | winPerfdhcpCommonSvcsavesperfMonitor.exe
Token: SeDebugPrivilege | 1680 | dwm.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2184 wrote to memory of 2992 | 2184 | dd32729dcf73c31a478099c25da5789c.exe | 28
PID 2184 wrote to memory of 2992 | 2184 | dd32729dcf73c31a478099c25da5789c.exe | 28
PID 2184 wrote to memory of 2992 | 2184 | dd32729dcf73c31a478099c25da5789c.exe | 28
PID 2184 wrote to memory of 2992 | 2184 | dd32729dcf73c31a478099c25da5789c.exe | 28
PID 2992 wrote to memory of 2624 | 2992 | WScript.exe | 29
PID 2992 wrote to memory of 2624 | 2992 | WScript.exe | 29
PID 2992 wrote to memory of 2624 | 2992 | WScript.exe | 29
PID 2992 wrote to memory of 2624 | 2992 | WScript.exe | 29
PID 2624 wrote to memory of 2552 | 2624 | cmd.exe | 31
PID 2624 wrote to memory of 2552 | 2624 | cmd.exe | 31
PID 2624 wrote to memory of 2552 | 2624 | cmd.exe | 31
PID 2624 wrote to memory of 2552 | 2624 | cmd.exe | 31
PID 2552 wrote to memory of 1680 | 2552 | winPerfdhcpCommonSvcsavesperfMonitor.exe | 42
PID 2552 wrote to memory of 1680 | 2552 | winPerfdhcpCommonSvcsavesperfMonitor.exe | 42
PID 2552 wrote to memory of 1680 | 2552 | winPerfdhcpCommonSvcsavesperfMonitor.exe | 42
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe (PID 2184)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2992)
    Command line: "C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2624)
      Command line: cmd /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" "
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe (PID 2552)
        Command line: "C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"
        Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\ProgramData\Start Menu\dwm.exe (PID 1680)
          Command line: "C:\ProgramData\Start Menu\dwm.exe"
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 2428)
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2496)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dwm.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2164)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\cscdll\services.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1972)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 268)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1388)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\avicap32\csrss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2784)
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1672)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\WMSPDMOE\sppsvc.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads