Analysis
-
max time kernel
133s -
max time network
152s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
14-05-2024 23:41
Behavioral task
behavioral1
Sample
chainbrowserSession - Copie.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
chainbrowserSession - Copie.exe
Resource
win7-20240508-en
General
-
Target
chainbrowserSession - Copie.exe
-
Size
827KB
-
MD5
dcd1dbdf7c8bfb9263e5dda02b1bfa79
-
SHA1
0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
-
SHA256
3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
-
SHA512
d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc
-
SSDEEP
12288:aAavWfeLpHbw89c1R66n20OHjNJWZtWDqEneSfIY9DyQpPt:RavZpHbw1R6PlTGqqERfFDyel
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4248 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3452 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1428 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3840 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 620 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1788 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4656 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2140 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3068 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 364 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2168 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4312 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5088 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2080 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1892 4616 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3596 4616 schtasks.exe -
Processes:
resource yara_rule behavioral1/memory/4252-0-0x0000000000AC0000-0x0000000000B96000-memory.dmp dcrat C:\Program Files (x86)\Windows Defender\unsecapp.exe dcrat -
Executes dropped EXE 1 IoCs
Processes:
sihost.exepid process 4720 sihost.exe -
Drops file in Program Files directory 4 IoCs
Processes:
chainbrowserSession - Copie.exedescription ioc process File created C:\Program Files (x86)\Windows Defender\unsecapp.exe chainbrowserSession - Copie.exe File created C:\Program Files (x86)\Windows Defender\29c1c3cc0f7685 chainbrowserSession - Copie.exe File created C:\Program Files\Windows Mail\en-US\sihost.exe chainbrowserSession - Copie.exe File created C:\Program Files\Windows Mail\en-US\66fc9ff0ee96c2 chainbrowserSession - Copie.exe -
Drops file in Windows directory 5 IoCs
Processes:
chainbrowserSession - Copie.exedescription ioc process File created C:\Windows\ServiceProfiles\6cb0b6c459d5d3 chainbrowserSession - Copie.exe File created C:\Windows\schemas\CodeIntegrity\csrss.exe chainbrowserSession - Copie.exe File created C:\Windows\schemas\CodeIntegrity\886983d96e3d3e chainbrowserSession - Copie.exe File created C:\Windows\ServiceProfiles\dwm.exe chainbrowserSession - Copie.exe File opened for modification C:\Windows\ServiceProfiles\dwm.exe chainbrowserSession - Copie.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3840 schtasks.exe 364 schtasks.exe 1744 schtasks.exe 3452 schtasks.exe 2140 schtasks.exe 3068 schtasks.exe 2168 schtasks.exe 4312 schtasks.exe 2992 schtasks.exe 4656 schtasks.exe 1428 schtasks.exe 5088 schtasks.exe 4248 schtasks.exe 1788 schtasks.exe 2080 schtasks.exe 1892 schtasks.exe 3596 schtasks.exe 620 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
chainbrowserSession - Copie.exesihost.exepid process 4252 chainbrowserSession - Copie.exe 4720 sihost.exe 4720 sihost.exe 4720 sihost.exe 4720 sihost.exe 4720 sihost.exe 4720 sihost.exe 4720 sihost.exe 4720 sihost.exe 4720 sihost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
sihost.exepid process 4720 sihost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
chainbrowserSession - Copie.exesihost.exedescription pid process Token: SeDebugPrivilege 4252 chainbrowserSession - Copie.exe Token: SeDebugPrivilege 4720 sihost.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
chainbrowserSession - Copie.exedescription pid process target process PID 4252 wrote to memory of 4720 4252 chainbrowserSession - Copie.exe sihost.exe PID 4252 wrote to memory of 4720 4252 chainbrowserSession - Copie.exe sihost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Program Files\Windows Mail\en-US\sihost.exe"C:\Program Files\Windows Mail\en-US\sihost.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\CodeIntegrity\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\CodeIntegrity\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
827KB
MD5dcd1dbdf7c8bfb9263e5dda02b1bfa79
SHA10912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
SHA2563fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
SHA512d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc