Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2024, 04:09

General

  • Target

    dd32729dcf73c31a478099c25da5789c.exe

  • Size

    1.4MB

  • MD5

    dd32729dcf73c31a478099c25da5789c

  • SHA1

    dad05d17829936c6136d16962c38d2981e56bb21

  • SHA256

    6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e

  • SHA512

    fcf113386c292d03c39071587907f0700936d0ac060c8b96f1ce71683b5e78b1c4b730fdc79b35bb1fe097010844e237034a4184e32fc0b4566ef2f31d382fc0

  • SSDEEP

    24576:U2G/nvxW3Ww0tdGyavpdrgnar7l2odPdcsZHpa+AGO05d2GqXW+lWR++40:UbA30alr7tcsZHpaVwulmJ

Malware Config

Signatures

  • DcRat 8 IoCs

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe
    "C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
          "C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\ProgramData\Start Menu\dwm.exe
            "C:\ProgramData\Start Menu\dwm.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\cscdll\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\avicap32\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\WMSPDMOE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1672

Network

        Downloads

        • C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe

          Filesize

          205B

          MD5

          abd20005732c70524b80234027cf0db4

          SHA1

          d0cdbcfce900f87af778847ef0d3cab111d81a96

          SHA256

          a3f95542fdf730753c47edb849267864f0cff972bfa20cab36065c24953c45d6

          SHA512

          c3a71016fa58d8d1cd173c9b9ba32c157d2277535fd8f658cc87981cc4721d7c04e822b96a58d8f31d87724237b24c81635c13bb746dc12db1f2379e4867f7ba

        • C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat

          Filesize

          66B

          MD5

          58afc535c3d36e78abb3677a61dc4737

          SHA1

          bd3914278bba89d1b88dac33ca2b1ca9c04c3aa4

          SHA256

          ebdb6f3c9799886ce3dd7e9ed19333446b94303c8ad00d5b49d744a0c867d4d4

          SHA512

          8f609700f10ce525feee7a3e7bd1799e573bd6b1e67783478cf5e1390a18de5eb37bf179bbd805532f7e05d12602205af00e7b3c214d09516bdcbd90c25aa4b3

        • \winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe

          Filesize

          1.1MB

          MD5

          4f85fd9da0e6d825b520f09905b16301

          SHA1

          11b96ca925a09cd96569c4be2930b9b2bad9dd07

          SHA256

          fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

          SHA512

          cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

        • memory/1680-42-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

          Filesize

          9.9MB

        • memory/1680-44-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

          Filesize

          9.9MB

        • memory/1680-43-0x000000001A8A0000-0x000000001A920000-memory.dmp

          Filesize

          512KB

        • memory/1680-38-0x0000000000100000-0x0000000000222000-memory.dmp

          Filesize

          1.1MB

        • memory/1680-39-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

          Filesize

          9.9MB

        • memory/1680-40-0x000000001A8A0000-0x000000001A920000-memory.dmp

          Filesize

          512KB

        • memory/2552-13-0x0000000001280000-0x00000000013A2000-memory.dmp

          Filesize

          1.1MB

        • memory/2552-41-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

          Filesize

          9.9MB

        • memory/2552-15-0x0000000001200000-0x0000000001280000-memory.dmp

          Filesize

          512KB

        • memory/2552-14-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

          Filesize

          9.9MB