Analysis

  • max time kernel
    1759s
  • max time network
    1803s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    15-05-2024 18:34

General

  • Target

    chainbrowserSession - Copie.exe

  • Size

    827KB

  • MD5

    dcd1dbdf7c8bfb9263e5dda02b1bfa79

  • SHA1

    0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b

  • SHA256

    3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae

  • SHA512

    d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

  • SSDEEP

    12288:aAavWfeLpHbw89c1R66n20OHjNJWZtWDqEneSfIY9DyQpPt:RavZpHbw1R6PlTGqqERfFDyel

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 25 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe
    "C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Do7QgDwaAc.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:5068
        • C:\Windows\LiveKernelReports\InstallAgent.exe
          "C:\Windows\LiveKernelReports\InstallAgent.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "chainbrowserSession - Copie" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:68
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "chainbrowserSession - Copie" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:428
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1248
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2256
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2216
    • C:\Windows\INF\UGTHRSVC\0410\explorer.exe
      C:\Windows\INF\UGTHRSVC\0410\explorer.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4764
    • C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe
      "C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe
      "C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3360
    • C:\Users\All Users\Desktop\ApplicationFrameHost.exe
      "C:\Users\All Users\Desktop\ApplicationFrameHost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1044
    • C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe
      "C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4480
    • C:\Windows\LiveKernelReports\InstallAgent.exe
      C:\Windows\LiveKernelReports\InstallAgent.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
      "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3600
    • C:\Program Files (x86)\Google\Update\csrss.exe
      "C:\Program Files (x86)\Google\Update\csrss.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
    • C:\Windows\INF\UGTHRSVC\0410\explorer.exe
      C:\Windows\INF\UGTHRSVC\0410\explorer.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3780
    • C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe
      "C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3308
    • C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe
      "C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Users\All Users\Desktop\ApplicationFrameHost.exe
      "C:\Users\All Users\Desktop\ApplicationFrameHost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3232
    • C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe
      "C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\LiveKernelReports\InstallAgent.exe
      C:\Windows\LiveKernelReports\InstallAgent.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1244
    • C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
      "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:216
    • C:\Windows\INF\UGTHRSVC\0410\explorer.exe
      C:\Windows\INF\UGTHRSVC\0410\explorer.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
    • C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe
      "C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1824
    • C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe
      "C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3440
    • C:\Program Files (x86)\Google\Update\csrss.exe
      "C:\Program Files (x86)\Google\Update\csrss.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4460
    • C:\Windows\INF\UGTHRSVC\0410\explorer.exe
      C:\Windows\INF\UGTHRSVC\0410\explorer.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:928
    • C:\Users\All Users\Desktop\ApplicationFrameHost.exe
      "C:\Users\All Users\Desktop\ApplicationFrameHost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1892
    • C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe
      "C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5104
    • C:\Windows\LiveKernelReports\InstallAgent.exe
      C:\Windows\LiveKernelReports\InstallAgent.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
      "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:680

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Google\Update\csrss.exe

      Filesize

      827KB

      MD5

      dcd1dbdf7c8bfb9263e5dda02b1bfa79

      SHA1

      0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b

      SHA256

      3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae

      SHA512

      d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InstallAgent.exe.log

      Filesize

      1KB

      MD5

      d63ff49d7c92016feb39812e4db10419

      SHA1

      2307d5e35ca9864ffefc93acf8573ea995ba189b

      SHA256

      375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

      SHA512

      00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainbrowserSession - Copie.exe.log

      Filesize

      1KB

      MD5

      b4268d8ae66fdd920476b97a1776bf85

      SHA1

      f920de54f7467f0970eccc053d3c6c8dd181d49a

      SHA256

      61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

      SHA512

      03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

    • C:\Users\Admin\AppData\Local\Temp\Do7QgDwaAc.bat

      Filesize

      210B

      MD5

      cc830f6f7886c85fc4c1a90be8584dcd

      SHA1

      670e394a20f607f56ae65efd1dc4989b109d863c

      SHA256

      86b75e1835dc9a52fc6a0a0d83d83636356f5277d8e775ad723af721d244fd19

      SHA512

      483f94b735d75b397b6aeda49fdf05d625019ab93b54e719d8527be61ca0c19d7c3845130b3e1dba6bcdda9bc3667a98f0d46f3fd4fda68fbe6ddb8146540cc7

    • memory/1452-0-0x00007FFD9C953000-0x00007FFD9C954000-memory.dmp

      Filesize

      4KB

    • memory/1452-1-0x0000000000E80000-0x0000000000F56000-memory.dmp

      Filesize

      856KB

    • memory/1452-4-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

      Filesize

      9.9MB

    • memory/1452-31-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

      Filesize

      9.9MB