Analysis

  • max time kernel
    1159s
  • max time network
    1198s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-05-2024 18:38

General

  • Target

    chainbrowserSession - Copie.exe

  • Size

    827KB

  • MD5

    dcd1dbdf7c8bfb9263e5dda02b1bfa79

  • SHA1

    0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b

  • SHA256

    3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae

  • SHA512

    d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

  • SSDEEP

    12288:aAavWfeLpHbw89c1R66n20OHjNJWZtWDqEneSfIY9DyQpPt:RavZpHbw1R6PlTGqqERfFDyel

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 16 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe
    "C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe
      "C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:3140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:32
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:5100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 5 /tr "'C:\Windows\security\EDP\Logs\InstallAgent.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Windows\security\EDP\Logs\InstallAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 8 /tr "'C:\Windows\security\EDP\Logs\InstallAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\DESIGNER\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1228
  • C:\Windows\security\EDP\Logs\InstallAgent.exe
    C:\Windows\security\EDP\Logs\InstallAgent.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4228
  • C:\Recovery\WindowsRE\sysmon.exe
    C:\Recovery\WindowsRE\sysmon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:208
  • C:\Program Files\Common Files\DESIGNER\lsass.exe
    "C:\Program Files\Common Files\DESIGNER\lsass.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1000
  • C:\Windows\security\EDP\Logs\InstallAgent.exe
    C:\Windows\security\EDP\Logs\InstallAgent.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1444
  • C:\Program Files (x86)\Windows NT\sppsvc.exe
    "C:\Program Files (x86)\Windows NT\sppsvc.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4564
  • C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2100
  • C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe
    "C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3608
  • C:\Recovery\WindowsRE\sysmon.exe
    C:\Recovery\WindowsRE\sysmon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4424
  • C:\Program Files\Common Files\DESIGNER\lsass.exe
    "C:\Program Files\Common Files\DESIGNER\lsass.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1668
  • C:\Windows\security\EDP\Logs\InstallAgent.exe
    C:\Windows\security\EDP\Logs\InstallAgent.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1004
  • C:\Recovery\WindowsRE\sysmon.exe
    C:\Recovery\WindowsRE\sysmon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1012
  • C:\Program Files\Common Files\DESIGNER\lsass.exe
    "C:\Program Files\Common Files\DESIGNER\lsass.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2172
  • C:\Windows\security\EDP\Logs\InstallAgent.exe
    C:\Windows\security\EDP\Logs\InstallAgent.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2780
  • C:\Program Files (x86)\Windows NT\sppsvc.exe
    "C:\Program Files (x86)\Windows NT\sppsvc.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1624
  • C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe

    Filesize

    827KB

    MD5

    dcd1dbdf7c8bfb9263e5dda02b1bfa79

    SHA1

    0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b

    SHA256

    3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae

    SHA512

    d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InstallAgent.exe.log

    Filesize

    1KB

    MD5

    d63ff49d7c92016feb39812e4db10419

    SHA1

    2307d5e35ca9864ffefc93acf8573ea995ba189b

    SHA256

    375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

    SHA512

    00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

  • memory/588-0-0x00007FFE32143000-0x00007FFE32144000-memory.dmp

    Filesize

    4KB

  • memory/588-1-0x0000000000780000-0x0000000000856000-memory.dmp

    Filesize

    856KB

  • memory/588-2-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

    Filesize

    9.9MB

  • memory/588-22-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp

    Filesize

    9.9MB