Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 01:30
Behavioral task
behavioral1
Sample
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Resource
win10v2004-20240226-en
General
Target: 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Size: 1.7MB
MD5: 1cf1c8a6b74890f6d1913bf3b9e46a79
SHA1: 3baa803148359d5ecd3afac11352e8ecab90ceee
SHA256: 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
SHA512: 6903889c69d4b6c13c768592abff2aa20b3f8c689381d4814f27c4647023bcfdbd20e99d98913e1d8ec19751d2eb1dbc5a8ca3e0a48be3acdcbd9a644ea5cc70
SSDEEP: 24576:J2G/nvxW3WAAJElP9nCWgiFzoJNkvnw28BAc1eThSQFdO5q+4OvqLqzvXrJhtZ:JbA3Qa4h527ceSQFdOo+HqLqHfP
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1028 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1428 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 844 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1776 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2336 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 940 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1928 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 540 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 804 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2152 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1244 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1356 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 2416 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2416 | schtasks.exe | 32
resource | yara_rule
behavioral1/files/0x002a000000015c3c-10.dat | dcrat
behavioral1/memory/2560-14-0x0000000000B90000-0x0000000000D12000-memory.dmp | dcrat
behavioral1/memory/1456-51-0x0000000000E30000-0x0000000000FB2000-memory.dmp | dcrat
behavioral1/memory/1456-52-0x000000001B050000-0x000000001B0D0000-memory.dmp | dcrat
Executes dropped EXE 2 IoCs
pid | Process
2560 | hostnet.exe
1456 | cmd.exe
Loads dropped DLL 2 IoCs
pid | Process
2576 | cmd.exe
2576 | cmd.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Microsoft Games\FreeCell\de-DE\System.exe | hostnet.exe
File created | C:\Program Files\Microsoft Games\FreeCell\de-DE\27d1bcfc3c54e0 | hostnet.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\PLA\Templates\lsass.exe | hostnet.exe
File created | C:\Windows\PLA\Templates\6203df4a6bafc7 | hostnet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
844 | schtasks.exe
1776 | schtasks.exe
2012 | schtasks.exe
1028 | schtasks.exe
2664 | schtasks.exe
1928 | schtasks.exe
1356 | schtasks.exe
2336 | schtasks.exe
940 | schtasks.exe
2152 | schtasks.exe
2760 | schtasks.exe
804 | schtasks.exe
1704 | schtasks.exe
1208 | schtasks.exe
2720 | schtasks.exe
2636 | schtasks.exe
1632 | schtasks.exe
2428 | schtasks.exe
540 | schtasks.exe
2392 | schtasks.exe
2484 | schtasks.exe
776 | schtasks.exe
1428 | schtasks.exe
1272 | schtasks.exe
2988 | schtasks.exe
2332 | schtasks.exe
1244 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2560 | hostnet.exe
2560 | hostnet.exe
2560 | hostnet.exe
1456 | cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2560 | hostnet.exe
Token: SeDebugPrivilege | 1456 | cmd.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2440 wrote to memory of 2992 | 2440 | 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe | 28
PID 2440 wrote to memory of 2992 | 2440 | 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe | 28
PID 2440 wrote to memory of 2992 | 2440 | 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe | 28
PID 2440 wrote to memory of 2992 | 2440 | 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe | 28
PID 2992 wrote to memory of 2576 | 2992 | WScript.exe | 29
PID 2992 wrote to memory of 2576 | 2992 | WScript.exe | 29
PID 2992 wrote to memory of 2576 | 2992 | WScript.exe | 29
PID 2992 wrote to memory of 2576 | 2992 | WScript.exe | 29
PID 2576 wrote to memory of 2560 | 2576 | cmd.exe | 31
PID 2576 wrote to memory of 2560 | 2576 | cmd.exe | 31
PID 2576 wrote to memory of 2560 | 2576 | cmd.exe | 31
PID 2576 wrote to memory of 2560 | 2576 | cmd.exe | 31
PID 2560 wrote to memory of 2932 | 2560 | hostnet.exe | 60
PID 2560 wrote to memory of 2932 | 2560 | hostnet.exe | 60
PID 2560 wrote to memory of 2932 | 2560 | hostnet.exe | 60
PID 2932 wrote to memory of 896 | 2932 | cmd.exe | 62
PID 2932 wrote to memory of 896 | 2932 | cmd.exe | 62
PID 2932 wrote to memory of 896 | 2932 | cmd.exe | 62
PID 2932 wrote to memory of 1456 | 2932 | cmd.exe | 65
PID 2932 wrote to memory of 1456 | 2932 | cmd.exe | 65
PID 2932 wrote to memory of 1456 | 2932 | cmd.exe | 65
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2440

  [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 2992

    [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2576

      [4] C:\BlockSurrogateagentFont\hostnet.exe
        Command line: "C:\BlockSurrogateagentFont\hostnet.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2560

        [5] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NXbjsV5dMk.bat"
          - Suspicious use of WriteProcessMemory
          PID: 2932

          [6] C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 896

          [6] C:\BlockSurrogateagentFont\cmd.exe
            Command line: "C:\BlockSurrogateagentFont\cmd.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1456
[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2392

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2484

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2636

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 776

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1028

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1428

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 844

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1272

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1632

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2428

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2664

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2760

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2988

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1776

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2336

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 940

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1928

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 540

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\cmd.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 804

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2152

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2332

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1244

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1356

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Templates\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1704

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2012

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1208

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 223B
MD5: 277c7ccc3313d83f51d594cba0ae300d
SHA1: 48531a959a24846841b8fda471c5fea259f2ca38
SHA256: 175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512: 311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac

Filesize: 40B
MD5: 15611ce0ff6e3e772e3a8b7ac6cf4653
SHA1: 75bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256: 630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA512: 1151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71

Filesize: 199B
MD5: 4ddf41f54a28bbab15b116a41ba10aa3
SHA1: a372c0af8639fe3dd969f00eaf309ed191736a44
SHA256: 7240a04aa44c6e80a13e74b71022faac563b073e64a82a50bfd44ba6b862013f
SHA512: af48c461fccd74822ad659fb1df9e1aaee3ea56abdd5eee909c5b143d05b8203c98a4c736af09c8497db073d42d5e03fca4cf23b9b5dff1c48743bfb474326f3

Filesize: 1.5MB
MD5: 53827648303c620a8fa81a2998ae5ae5
SHA1: 8aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256: b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512: 273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d