Analysis
max time kernel: 1159s
max time network: 1198s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15-05-2024 18:38
Behavioral task: behavioral1
Sample: chainbrowserSession - Copie.exe
Resource: win10-20240404-en
General
Target: chainbrowserSession - Copie.exe
Size: 827KB
MD5: dcd1dbdf7c8bfb9263e5dda02b1bfa79
SHA1: 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
SHA256: 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
SHA512: d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc
SSDEEP: 12288:aAavWfeLpHbw89c1R66n20OHjNJWZtWDqEneSfIY9DyQpPt:RavZpHbw1R6PlTGqqERfFDyel
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (same for all 18 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid    pid_target    process
4712   4328          schtasks.exe
2368   4328          schtasks.exe
1148   4328          schtasks.exe
4696   4328          schtasks.exe
4620   4328          schtasks.exe
4744   4328          schtasks.exe
4092   4328          schtasks.exe
4660   4328          schtasks.exe
292    4328          schtasks.exe
756    4328          schtasks.exe
1228   4328          schtasks.exe
3700   4328          schtasks.exe
4532   4328          schtasks.exe
2924   4328          schtasks.exe
1244   4328          schtasks.exe
208    4328          schtasks.exe
1636   4328          schtasks.exe
3384   4328          schtasks.exe
YARA matches:
resource                                                                     yara_rule
behavioral1/memory/588-1-0x0000000000780000-0x0000000000856000-memory.dmp    dcrat
C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe                       dcrat
Executes dropped EXE 16 IoCs
Processes:
pid    process
3140   smss.exe
4228   InstallAgent.exe
208    sysmon.exe
1000   lsass.exe
1444   InstallAgent.exe
4564   sppsvc.exe
2100   System.exe
3608   smss.exe
4424   sysmon.exe
1668   lsass.exe
1004   InstallAgent.exe
1012   sysmon.exe
2172   lsass.exe
2780   InstallAgent.exe
1624   sppsvc.exe
3904   System.exe
Drops file in Program Files directory 9 IoCs
Processes:
description                     ioc                                                                   process
File created                    C:\Program Files (x86)\Windows NT\sppsvc.exe                          chainbrowserSession - Copie.exe
File created                    C:\Program Files\Common Files\DESIGNER\lsass.exe                      chainbrowserSession - Copie.exe
File created                    C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe                chainbrowserSession - Copie.exe
File created                    C:\Program Files (x86)\Windows Defender\ja-JP\69ddcba757bf72          chainbrowserSession - Copie.exe
File created                    C:\Program Files\Common Files\DESIGNER\6203df4a6bafc7                 chainbrowserSession - Copie.exe
File created                    C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe      chainbrowserSession - Copie.exe
File created                    C:\Program Files (x86)\Reference Assemblies\Microsoft\27d1bcfc3c54e0  chainbrowserSession - Copie.exe
File opened for modification    C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe                chainbrowserSession - Copie.exe
File created                    C:\Program Files (x86)\Windows NT\0a1fd5f707cd16                      chainbrowserSession - Copie.exe
Drops file in Windows directory 2 IoCs
Processes:
description     ioc                                              process
File created    C:\Windows\security\EDP\Logs\InstallAgent.exe    chainbrowserSession - Copie.exe
File created    C:\Windows\security\EDP\Logs\200f98429d280b      chainbrowserSession - Copie.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid    process
4092   schtasks.exe
4712   schtasks.exe
4696   schtasks.exe
4620   schtasks.exe
4744   schtasks.exe
4660   schtasks.exe
1352   schtasks.exe
5100   schtasks.exe
32     schtasks.exe
1228   schtasks.exe
4532   schtasks.exe
2924   schtasks.exe
208    schtasks.exe
1636   schtasks.exe
2368   schtasks.exe
1148   schtasks.exe
292    schtasks.exe
3384   schtasks.exe
756    schtasks.exe
3700   schtasks.exe
1244   schtasks.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid    process
588    chainbrowserSession - Copie.exe (reported 7 times)
3140   smss.exe (reported 9 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
3140   smss.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description (same for all 17 rows): Token: SeDebugPrivilege
pid    process
588    chainbrowserSession - Copie.exe
3140   smss.exe
4228   InstallAgent.exe
208    sysmon.exe
1000   lsass.exe
1444   InstallAgent.exe
4564   sppsvc.exe
2100   System.exe
3608   smss.exe
4424   sysmon.exe
1668   lsass.exe
1004   InstallAgent.exe
1012   sysmon.exe
2172   lsass.exe
2780   InstallAgent.exe
1624   sppsvc.exe
3904   System.exe
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
description                        pid    process                            target process
PID 588 wrote to memory of 3140    588    chainbrowserSession - Copie.exe    smss.exe
PID 588 wrote to memory of 3140    588    chainbrowserSession - Copie.exe    smss.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 588

    C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe (tree level 2, child of the process above)
    Command line: "C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 3140

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /f
- Creates scheduled task(s)
PID: 32

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID: 5100

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID: 1352

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 5 /tr "'C:\Windows\security\EDP\Logs\InstallAgent.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4712

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Windows\security\EDP\Logs\InstallAgent.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1148

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 8 /tr "'C:\Windows\security\EDP\Logs\InstallAgent.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2368

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4696

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4744

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4620

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3384

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4092

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1636

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\DESIGNER\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 208

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4660

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 292

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1244

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2924

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4532

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 756

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3700

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1228

C:\Windows\security\EDP\Logs\InstallAgent.exe
Command line: C:\Windows\security\EDP\Logs\InstallAgent.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4228

C:\Recovery\WindowsRE\sysmon.exe
Command line: C:\Recovery\WindowsRE\sysmon.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 208

C:\Program Files\Common Files\DESIGNER\lsass.exe
Command line: "C:\Program Files\Common Files\DESIGNER\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1000

C:\Windows\security\EDP\Logs\InstallAgent.exe
Command line: C:\Windows\security\EDP\Logs\InstallAgent.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1444

C:\Program Files (x86)\Windows NT\sppsvc.exe
Command line: "C:\Program Files (x86)\Windows NT\sppsvc.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4564

C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe
Command line: "C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2100

C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe
Command line: "C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3608

C:\Recovery\WindowsRE\sysmon.exe
Command line: C:\Recovery\WindowsRE\sysmon.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4424

C:\Program Files\Common Files\DESIGNER\lsass.exe
Command line: "C:\Program Files\Common Files\DESIGNER\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1668

C:\Windows\security\EDP\Logs\InstallAgent.exe
Command line: C:\Windows\security\EDP\Logs\InstallAgent.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1004

C:\Recovery\WindowsRE\sysmon.exe
Command line: C:\Recovery\WindowsRE\sysmon.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1012

C:\Program Files\Common Files\DESIGNER\lsass.exe
Command line: "C:\Program Files\Common Files\DESIGNER\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2172

C:\Windows\security\EDP\Logs\InstallAgent.exe
Command line: C:\Windows\security\EDP\Logs\InstallAgent.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2780

C:\Program Files (x86)\Windows NT\sppsvc.exe
Command line: "C:\Program Files (x86)\Windows NT\sppsvc.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1624

C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe
Command line: "C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3904
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 827KB
MD5: dcd1dbdf7c8bfb9263e5dda02b1bfa79
SHA1: 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
SHA256: 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
SHA512: d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

Filesize: 1KB
MD5: d63ff49d7c92016feb39812e4db10419
SHA1: 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256: 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512: 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a