Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 01:00
Behavioral task behavioral1
Sample: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Resource: win10v2004-20240226-en
General
Target: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Size: 828KB
MD5: 1b8dc013de93bb0edf121b38e7f8ab6f
SHA1: 2c17ada00c2b779f5e04a801265f151591e11e18
SHA256: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c
SHA512: 4b23622774ea394608ade50bac520aebd64788d626e9fc316e57db8f4a4628cec221420955adae70d7ddcd7c273f6cac409d64f931e01e1a490b275788370d33
SSDEEP: 12288:K8rQgxfLc/EHk/2Wk3D0bdxTZiLaO4Vb/5:VrzxfLFkHbXdVLVb/5
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (15 instances)
description (same for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process
2532 | 2480 | schtasks.exe
2632 | 2480 | schtasks.exe
1148 | 2480 | schtasks.exe
2604 | 2480 | schtasks.exe
2464 | 2480 | schtasks.exe
2572 | 2480 | schtasks.exe
2600 | 2480 | schtasks.exe
2420 | 2480 | schtasks.exe
2376 | 2480 | schtasks.exe
2864 | 2480 | schtasks.exe
2100 | 2480 | schtasks.exe
880 | 2480 | schtasks.exe
1672 | 2480 | schtasks.exe
1664 | 2480 | schtasks.exe
2160 | 2480 | schtasks.exe

Processes:
resource | yara_rule
behavioral1/memory/2740-1-0x00000000011A0000-0x0000000001276000-memory.dmp | dcrat
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe | dcrat
behavioral1/memory/828-19-0x0000000000C10000-0x0000000000CE6000-memory.dmp | dcrat

Executes dropped EXE (1 IoCs)
Processes: csrss.exe
pid | process
828 | csrss.exe

Drops file in Program Files directory (2 IoCs)
Processes: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
description | ioc | process
File created | C:\Program Files\Java\Idle.exe | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
File created | C:\Program Files\Java\6ccacd8608530f | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe

Drops file in Windows directory (3 IoCs)
Processes: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
description | ioc | process
File created | C:\Windows\IME\es-ES\spoolsv.exe | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
File opened for modification | C:\Windows\IME\es-ES\spoolsv.exe | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
File created | C:\Windows\IME\es-ES\f3b6ecef712a24 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (15 instances)
pid | process
2376 | schtasks.exe
1672 | schtasks.exe
2464 | schtasks.exe
2572 | schtasks.exe
880 | schtasks.exe
1664 | schtasks.exe
2160 | schtasks.exe
2420 | schtasks.exe
2864 | schtasks.exe
2600 | schtasks.exe
2100 | schtasks.exe
2532 | schtasks.exe
2632 | schtasks.exe
1148 | schtasks.exe
2604 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe, csrss.exe
pid | process
2740 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
828 | csrss.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe, csrss.exe
description | pid | process
Token: SeDebugPrivilege | 2740 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Token: SeDebugPrivilege | 828 | csrss.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
description | pid | process | target process
PID 2740 wrote to memory of 828 | 2740 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe | csrss.exe
PID 2740 wrote to memory of 828 | 2740 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe | csrss.exe
PID 2740 wrote to memory of 828 | 2740 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe | csrss.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

C:\Users\Admin\AppData\Local\Temp\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2740

  C:\Users\All Users\csrss.exe
  Command line: "C:\Users\All Users\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 828

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\es-ES\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2632

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\es-ES\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2532

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\es-ES\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1148

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2604

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2464

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2572

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2600

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2376

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2420

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2864

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2100

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 880

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c0" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1672

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1664

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c0" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2160

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Filesize: 828KB
MD5: 1b8dc013de93bb0edf121b38e7f8ab6f
SHA1: 2c17ada00c2b779f5e04a801265f151591e11e18
SHA256: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c
SHA512: 4b23622774ea394608ade50bac520aebd64788d626e9fc316e57db8f4a4628cec221420955adae70d7ddcd7c273f6cac409d64f931e01e1a490b275788370d33