Analysis
-
max time kernel
117s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
16-05-2024 02:21
Behavioral task
behavioral1
Sample
4a8fd7bb970c86e0650a3e110fb5e6d0.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4a8fd7bb970c86e0650a3e110fb5e6d0.exe
Resource
win10v2004-20240426-en
General
-
Target
4a8fd7bb970c86e0650a3e110fb5e6d0.exe
-
Size
901KB
-
MD5
4a8fd7bb970c86e0650a3e110fb5e6d0
-
SHA1
514e8249d87435de3b34bfd06e3dea9a6fb0fc96
-
SHA256
86e9ac84264ae29059d78e2a3ebedea8d3b6c1083d03b82bdab8e32d306fd8a9
-
SHA512
390a7e834dec74cbcc49efeee1adddb05bbe2e972e08a0ec5e6cfbecc92e4a864f6c33ce1a1d293acd42cc4f8f6ca89a8226820819170f8d86ff5e5d301e5910
-
SSDEEP
12288:ZRlDmSxJVEcVQ8KNIeyYzXIpv+KX5x3JfjaOCXzP8bGUwqHGrgc:zlDVLfVQ8KMYD/KXZfjaV8bGjqHGrF
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent of all 30 schtasks.exe instances is C:\Windows\system32\wbem\wmiprvse.exe (PID 1808), the WMI provider host, which is the parent a process receives when it is created through WMI (Win32_Process.Create). That is consistent with the sample creating its tasks via WMI rather than with an exploited wmiprvse.exe, and it is why the schtasks.exe entries appear at the top level of the process tree below instead of under the dropper.
Processes:
schtasks.exe (30 instances)
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target (wmiprvse.exe, identical in every row): 1808
  pid (schtasks.exe): 2704, 2728, 2660, 2940, 2080, 2872, 2772, 2724, 2520, 2628, 3040, 3056, 2392, 2836, 2896, 2860, 2908, 2924, 1240, 2244, 1868, 760, 1092, 1968, 2768, 2760, 3024, 544, 1720, 2104
-
Yara rule matches:
  resource                                                                     yara_rule
  behavioral1/memory/2108-1-0x0000000000D30000-0x0000000000E18000-memory.dmp   dcrat
  C:\MSOCache\All Users\sppsvc.exe                                             dcrat
  behavioral1/memory/3032-32-0x00000000012B0000-0x0000000001398000-memory.dmp  dcrat
-
Executes dropped EXE 1 IoCs
Processes:
System.exe
  pid   process
  3032  System.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  2     ip-api.com
-
Drops file in Program Files directory 11 IoCs
Processes:
4a8fd7bb970c86e0650a3e110fb5e6d0.exe (PID 2108)
  description                    ioc
  File created                   C:\Program Files\Windows Mail\fr-FR\System.exe
  File created                   C:\Program Files\DVD Maker\31b6081bbce4de
  File created                   C:\Program Files\Windows Portable Devices\Idle.exe
  File created                   C:\Program Files\Windows Portable Devices\6ccacd8608530f
  File created                   C:\Program Files\Mozilla Firefox\taskhost.exe
  File created                   C:\Program Files\Mozilla Firefox\b75386f1303e64
  File created                   C:\Program Files\Uninstall Information\System.exe
  File created                   C:\Program Files\Uninstall Information\27d1bcfc3c54e0
  File created                   C:\Program Files\Windows Mail\fr-FR\27d1bcfc3c54e0
  File created                   C:\Program Files\DVD Maker\4a8fd7bb970c86e0650a3e110fb5e6d0.exe
  File opened for modification   C:\Program Files\Uninstall Information\System.exe
-
Drops file in Windows directory 2 IoCs
Processes:
4a8fd7bb970c86e0650a3e110fb5e6d0.exe (PID 2108)
  description    ioc
  File created   C:\Windows\Cursors\spoolsv.exe
  File created   C:\Windows\Cursors\f3b6ecef712a24
-
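The two drop tables above describe a recognisable on-disk pattern: an executable named after a Windows process (System.exe, Idle.exe, taskhost.exe, spoolsv.exe) written to a directory that never holds one, with a companion file whose name is 14 hex characters beside it. The following is an added example, not part of the sandbox report: it rebuilds that tree in a temporary directory and hunts it with three checks (lookalike name outside System32, 14-hex companion next to an executable, SHA256 against a known-bad set). The directory layout is copied from the tables with forward slashes so it runs on any OS; file contents, the System32 control file, the benign xul.dll and the lookalike name list are constructed or assumed, and demo() adds the constructed payload's hash to the known set so the hash rule fires visibly.

```python
"""Hunt for the on-disk footprint in this report: copies of the sample named
after Windows processes in directories that never hold them, each beside a
companion file named with 14 hex characters (31b6081bbce4de, ...).
Added example, not part of the report. The tree is rebuilt in a temp dir with
forward slashes so it runs on any OS; file contents, the System32 control
files and the lookalike name list are constructed / assumed."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

KNOWN_SHA256 = {"86e9ac84264ae29059d78e2a3ebedea8d3b6c1083d03b82bdab8e32d306fd8a9"}  # the sample, from the report
# Names the sample gives its copies (from the report) plus lookalikes a hunter would add (assumption).
LOOKALIKE_NAMES = {"csrss.exe", "services.exe", "spoolsv.exe", "sppsvc.exe", "taskhost.exe",
                   "system.exe", "idle.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")
TRUSTED_DIRS = ("Windows/System32", "Windows/SysWOW64")  # relative to the scan root

# (executable, companion) pairs from the "Drops file" tables above.
DROPS = [
    ("Program Files/Windows Mail/fr-FR/System.exe", "Program Files/Windows Mail/fr-FR/27d1bcfc3c54e0"),
    ("Program Files/Windows Portable Devices/Idle.exe", "Program Files/Windows Portable Devices/6ccacd8608530f"),
    ("Program Files/Mozilla Firefox/taskhost.exe", "Program Files/Mozilla Firefox/b75386f1303e64"),
    ("Program Files/Uninstall Information/System.exe", "Program Files/Uninstall Information/27d1bcfc3c54e0"),
    ("Program Files/DVD Maker/4a8fd7bb970c86e0650a3e110fb5e6d0.exe", "Program Files/DVD Maker/31b6081bbce4de"),
    ("Windows/Cursors/spoolsv.exe", "Windows/Cursors/f3b6ecef712a24"),
]


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_fixture(root):
    """Constructed tree: the drops, a legitimate spoolsv.exe in System32 and a
    benign Firefox dll. Returns the SHA256 of the stand-in payload."""
    payload = b"MZ constructed stand-in for the dropped PE\n"
    for exe, companion in DROPS:
        (root / exe).parent.mkdir(parents=True, exist_ok=True)
        (root / exe).write_bytes(payload)
        (root / companion).write_bytes(b"\x00")
    (root / "Windows/System32").mkdir(parents=True, exist_ok=True)
    (root / "Windows/System32/spoolsv.exe").write_bytes(b"MZ real spooler stand-in\n")
    (root / "Program Files/Mozilla Firefox/xul.dll").write_bytes(b"MZ benign library stand-in\n")
    return hashlib.sha256(payload).hexdigest()


def hunt(root, known_hashes=KNOWN_SHA256):
    """Walk root and return [{'path': relative posix path, 'reasons': [...]}, ...]."""
    root = Path(root)
    trusted = tuple(d.lower() + "/" for d in TRUSTED_DIRS)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        reasons = []
        if p.name.lower() in LOOKALIKE_NAMES and not rel.lower().startswith(trusted):
            reasons.append("Windows process name outside System32/SysWOW64")
        if COMPANION_RE.match(p.name) and any(s.suffix.lower() == ".exe" for s in p.parent.iterdir()):
            reasons.append("14-hex companion file next to an executable")
        if p.suffix.lower() == ".exe" and sha256_of(p) in known_hashes:
            reasons.append("SHA256 matches a known sample")
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Build the fixture in a temp dir, hunt it, clean up. The constructed
    payload's hash is added to the known set so the hash rule fires visibly."""
    tmp = Path(tempfile.mkdtemp())
    try:
        payload_hash = build_fixture(tmp)
        return hunt(tmp, KNOWN_SHA256 | {payload_hash}), payload_hash
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for f in demo()[0]:
        print(f["path"], "->", "; ".join(f["reasons"]))
```

Running the block flags all twelve dropped files (six executables, six companions) and nothing in System32 or the benign dll; on a live host, point hunt() at the volume root and leave known_hashes at the report's value.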
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The 30 tasks here are three per dropped copy (10 drop locations): one /sc MINUTE task with a 5 to 13 minute interval at the default run level, one /sc ONLOGON task with /rl HIGHEST, and a second /sc MINUTE task with /rl HIGHEST. Task names are the target file name, with its first character appended for the MINUTE variants (SystemS, csrssc, servicess, sppsvcs, spoolsvs, IdleI, taskhostt). The full command lines are in the process tree below.
Processes:
schtasks.exe (30 instances)
  pid (schtasks.exe): 3040, 2104, 2728, 1868, 2760, 2520, 2924, 2772, 2896, 2244, 2660, 2872, 2628, 3024, 1240, 3056, 2908, 2724, 2836, 2768, 1720, 2940, 2080, 2860, 760, 1092, 1968, 544, 2704, 2392
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
4a8fd7bb970c86e0650a3e110fb5e6d0.exe, System.exe
  pid   process                               matches
  2108  4a8fd7bb970c86e0650a3e110fb5e6d0.exe  4
  3032  System.exe                            12
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
System.exe
  pid   process
  3032  System.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
4a8fd7bb970c86e0650a3e110fb5e6d0.exe, System.exe
  description              pid   process
  Token: SeDebugPrivilege  2108  4a8fd7bb970c86e0650a3e110fb5e6d0.exe
  Token: SeDebugPrivilege  3032  System.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
4a8fd7bb970c86e0650a3e110fb5e6d0.exe
  description                       pid   process                               target process
  PID 2108 wrote to memory of 3032  2108  4a8fd7bb970c86e0650a3e110fb5e6d0.exe  System.exe
  PID 2108 wrote to memory of 3032  2108  4a8fd7bb970c86e0650a3e110fb5e6d0.exe  System.exe
  PID 2108 wrote to memory of 3032  2108  4a8fd7bb970c86e0650a3e110fb5e6d0.exe  System.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a8fd7bb970c86e0650a3e110fb5e6d0.exe  (tree depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4a8fd7bb970c86e0650a3e110fb5e6d0.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2108
  -
  C:\Windows\Temp\Crashpad\reports\System.exe  (tree depth 2, child of PID 2108)
    command line: "C:\Windows\Temp\Crashpad\reports\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 3032
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2704
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2728
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2660
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2940
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2080
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2872
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2772
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2724
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2520
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2628
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3040
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3056
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2392
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2836
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2896
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "4a8fd7bb970c86e0650a3e110fb5e6d04" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\4a8fd7bb970c86e0650a3e110fb5e6d0.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2860
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "4a8fd7bb970c86e0650a3e110fb5e6d0" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\4a8fd7bb970c86e0650a3e110fb5e6d0.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2908
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "4a8fd7bb970c86e0650a3e110fb5e6d04" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\4a8fd7bb970c86e0650a3e110fb5e6d0.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2924
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1240
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Cursors\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2244
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1868
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 760
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1092
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1968
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2768
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2760
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3024
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 544
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1720
-
C:\Windows\system32\schtasks.exe  (tree depth 1, parent wmiprvse.exe PID 1808)
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2104
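The "Process spawned unexpected child process" and "Creates scheduled task(s)" signatures, together with the command lines in the tree above, reduce to one detection rule: schtasks.exe whose parent is WmiPrvSE.exe, creating a task whose target reuses a Windows process name outside System32, on an ONLOGON or every-few-minutes trigger. The following is an added example, not part of the sandbox report: it treats the entries as Sysmon-style process-creation events, parses the schtasks /create options and flags that combination. Field names, the cmd.exe control event and the 15-minute threshold are assumptions; the seven schtasks command lines and PIDs are copied from the tree.

```python
"""Detection for the persistence pattern in this report: schtasks.exe spawned
under WmiPrvSE.exe, creating ONLOGON and every-few-minutes tasks whose targets
reuse Windows process names outside System32.
Added example, not sandbox output. Event field names are Sysmon-style
(assumption); the seven schtasks command lines and PIDs are copied from the
report's process tree, the cmd.exe control event is constructed."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

WMI_HOST = "wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
# Names the sample gives its copies (from the report) plus lookalikes a hunter would add (assumption).
LOOKALIKE_NAMES = {"csrss.exe", "services.exe", "spoolsv.exe", "sppsvc.exe", "taskhost.exe",
                   "system.exe", "idle.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MAX_MINUTES = 15  # /sc MINUTE /mo <= this is treated as a re-launch loop (assumption)


def ev(pid, parent_image, image, cmdline):
    return {"pid": pid, "parent_image": parent_image, "image": image, "cmdline": cmdline}


EVENTS = [
    ev(2704, WMI, SCHTASKS, r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f'''),
    ev(2728, WMI, SCHTASKS, r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f'''),
    ev(2660, WMI, SCHTASKS, r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f'''),
    ev(2940, WMI, SCHTASKS, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f'''),
    ev(2080, WMI, SCHTASKS, r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f'''),
    ev(2872, WMI, SCHTASKS, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f'''),
    ev(1240, WMI, SCHTASKS, r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\spoolsv.exe'" /f'''),
    # Constructed control: an administrator creating a nightly task from cmd.exe.
    ev(4100, r"C:\Windows\system32\cmd.exe", SCHTASKS,
       r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'''),
]


def parse_schtasks(cmdline):
    """Parse `schtasks.exe /create /tn X /sc MINUTE /mo 10 /tr "'path'" /rl HIGHEST /f` into
    {'create': True, 'tn': 'X', 'sc': 'MINUTE', 'mo': '10', 'tr': 'path', 'rl': 'HIGHEST', 'f': True}.
    Double-quoted tokens (the /tr value contains spaces) are kept whole, then unquoted."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1].strip('"').strip("'")
                i += 2
                continue
            opts[key] = True  # bare switch such as /create or /f
        i += 1
    return opts


def task_reasons(opts):
    """Why a parsed /create is suspicious; an empty list means nothing fired."""
    target = opts.get("tr")
    if not opts.get("create") or not isinstance(target, str):
        return []
    reasons = []
    p = PureWindowsPath(target)
    if p.name.lower() in LOOKALIKE_NAMES and not str(p.parent).lower().startswith(SYSTEM_DIRS):
        reasons.append(f"target masquerades as {p.name} outside System32")
    sched, mo = str(opts.get("sc", "")).upper(), str(opts.get("mo", "1"))
    if sched == "MINUTE" and mo.isdigit() and int(mo) <= MAX_MINUTES:
        reasons.append(f"re-launched every {mo} minutes")
    if reasons and str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs at highest run level")
    return reasons


def analyze(events):
    """One finding per suspicious event: {'pid': ..., 'reasons': [...]}."""
    findings = []
    for e in events:
        image = PureWindowsPath(e["image"]).name.lower()
        reasons = []
        if image == "schtasks.exe" and PureWindowsPath(e["parent_image"]).name.lower() == WMI_HOST:
            reasons.append("schtasks.exe spawned by WmiPrvSE.exe (created through WMI, not by the dropper)")
        if image == "schtasks.exe":
            reasons += task_reasons(parse_schtasks(e["cmdline"]))
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings


def persistence_map(events):
    """Group /create tasks by target path: path -> [(task name, schedule, run level), ...]."""
    by_target = defaultdict(list)
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "schtasks.exe":
            continue
        opts = parse_schtasks(e["cmdline"])
        if opts.get("create") and isinstance(opts.get("tr"), str):
            sched = str(opts.get("sc", "?")) + (f"/{opts['mo']}" if "mo" in opts else "")
            by_target[opts["tr"]].append((opts.get("tn"), sched, opts.get("rl", "LIMITED")))
    return dict(by_target)


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], "; ".join(f["reasons"]))
    for target, tasks in persistence_map(EVENTS).items():
        print(target, tasks)
```

Running the block flags the seven report events and leaves the cmd.exe control event alone; persistence_map() reproduces the three-tasks-per-target layout (MINUTE/10, ONLOGON, MINUTE/12 for the Uninstall Information copy), which is the list a responder would feed to schtasks /delete during cleanup.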
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
901KB
MD5     4a8fd7bb970c86e0650a3e110fb5e6d0
SHA1    514e8249d87435de3b34bfd06e3dea9a6fb0fc96
SHA256  86e9ac84264ae29059d78e2a3ebedea8d3b6c1083d03b82bdab8e32d306fd8a9
SHA512  390a7e834dec74cbcc49efeee1adddb05bbe2e972e08a0ec5e6cfbecc92e4a864f6c33ce1a1d293acd42cc4f8f6ca89a8226820819170f8d86ff5e5d301e5910