Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 10:10

General

  • Target

    3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe

  • Size

    1.1MB

  • MD5

    1f9c3cddc1c0c5f3411caa896e02350a

  • SHA1

    5c7e7074e9ee1b446890deb4eda500d5be074092

  • SHA256

    3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75

  • SHA512

    8cd0bd635431b23d7f29fa274d0d2bef1da0c94cbf5b927c34d12a67d1a19b7ead6b46257e1bb8d1880e72965ee7b068c1d059bb317fcaa3917c71993efb9bb9

  • SSDEEP

    24576:U2G/nvxW3Ww0trmGK9uhJ4bNJYrvyunNnLskPF:UbA30CGK9ve9n

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe
    "C:\Users\Admin\AppData\Local\Temp\3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BlockagentServernetcommon\dWMX88gCACXoKvtETHr5LRHJRP.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\BlockagentServernetcommon\iMMFNCJn73wO9QJjxuedDCGIZ.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\BlockagentServernetcommon\chaindhcp.exe
          "C:\BlockagentServernetcommon\chaindhcp.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe
            "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\Mozilla\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Mozilla\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\LocalLow\Mozilla\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\BlockagentServernetcommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BlockagentServernetcommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\BlockagentServernetcommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\BlockagentServernetcommon\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\BlockagentServernetcommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\BlockagentServernetcommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\BlockagentServernetcommon\dWMX88gCACXoKvtETHr5LRHJRP.vbe
    Filesize

    227B

    MD5

    d40a0d6875e6223f9e5c4c9613c975b4

    SHA1

    c605b32b588597dce9916053944eccef138d3b6e

    SHA256

    2304bdc77b852533e29614bd26e244c64fee9c2e9c5ea2a8c4e4579fd8ade547

    SHA512

    2e2570f2d0af1fde57fd7ef1812981e75daed6a906f2a359e89713dabf2df204b4788c76adcdaca8bb9f3046a3ee9cf5731bc84105ce82af17953c7f7197ff78

  • C:\BlockagentServernetcommon\iMMFNCJn73wO9QJjxuedDCGIZ.bat
    Filesize

    44B

    MD5

    eb6b7f7bea1252f5f5bfcc2c9e0164e5

    SHA1

    ec7bfe67793b4b3f4842334e9476a5e9a2f95688

    SHA256

    31f24dac6e2778c338307d6ccdf2e7e8b8626266bfef12af006b20b4a27c05af

    SHA512

    02807c217a7e93cdfd7cb60c0bf9110ef7585b0d1843599bc3c4537481ebfe942f3f41b9b71c4aa26b2f4ef5619338d81f0474a387c859942e5814d49f8f3939

  • \BlockagentServernetcommon\chaindhcp.exe
    Filesize

    828KB

    MD5

    64bce0f72bd60afa24806c4e8184ba5d

    SHA1

    633df6157e70b70a4606e3f9f63fdc9db17dba14

    SHA256

    ce9beff66fd8ae2b916b2490e5c8da04c4316f98de24304c56417ea0bfd28451

    SHA512

    efeb232f08d86465cf88d2050e3e52818b877621d29b9bb1eab8f44238ef02b7495bb11910ed1709b8058d104269e05d0e31557f4bbe1afc0ba0bf3baf8f5191

  • memory/2424-34-0x0000000000AF0000-0x0000000000BC6000-memory.dmp
    Filesize

    856KB

  • memory/2480-13-0x0000000000960000-0x0000000000A36000-memory.dmp
    Filesize

    856KB