Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 10:10
Behavioral task: behavioral1
Sample: 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe
Resource: win10v2004-20240508-en
General
Target: 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe
Size: 1.1MB
MD5: 1f9c3cddc1c0c5f3411caa896e02350a
SHA1: 5c7e7074e9ee1b446890deb4eda500d5be074092
SHA256: 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75
SHA512: 8cd0bd635431b23d7f29fa274d0d2bef1da0c94cbf5b927c34d12a67d1a19b7ead6b46257e1bb8d1880e72965ee7b068c1d059bb317fcaa3917c71993efb9bb9
SSDEEP: 24576:U2G/nvxW3Ww0trmGK9uhJ4bNJYrvyunNnLskPF:UbA30CGK9ve9n
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (21 instances)
description (same for all 21 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process
2440 | 2916 | schtasks.exe
2328 | 2916 | schtasks.exe
2344 | 2916 | schtasks.exe
2840 | 2916 | schtasks.exe
3068 | 2916 | schtasks.exe
1016 | 2916 | schtasks.exe
2668 | 2916 | schtasks.exe
2704 | 2916 | schtasks.exe
2712 | 2916 | schtasks.exe
2752 | 2916 | schtasks.exe
1552 | 2916 | schtasks.exe
1568 | 2916 | schtasks.exe
1644 | 2916 | schtasks.exe
1576 | 2916 | schtasks.exe
1548 | 2916 | schtasks.exe
1596 | 2916 | schtasks.exe
328 | 2916 | schtasks.exe
2672 | 2916 | schtasks.exe
1716 | 2916 | schtasks.exe
1488 | 2916 | schtasks.exe
1520 | 2916 | schtasks.exe
-
Yara rule matches (rule: dcrat)
resource | yara_rule
\BlockagentServernetcommon\chaindhcp.exe | dcrat
behavioral1/memory/2480-13-0x0000000000960000-0x0000000000A36000-memory.dmp | dcrat
behavioral1/memory/2424-34-0x0000000000AF0000-0x0000000000BC6000-memory.dmp | dcrat
-
Executes dropped EXE 2 IoCs
Processes: chaindhcp.exe, lsm.exe
pid | process
2480 | chaindhcp.exe
2424 | lsm.exe
-
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid | process
2556 | cmd.exe
2556 | cmd.exe
-
Drops file in Program Files directory 4 IoCs
Processes: chaindhcp.exe
description | ioc | process
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe | chaindhcp.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\101b941d020240 | chaindhcp.exe
File created | C:\Program Files (x86)\Windows Mail\es-ES\explorer.exe | chaindhcp.exe
File created | C:\Program Files (x86)\Windows Mail\es-ES\7a0fd90576e088 | chaindhcp.exe
-
Drops file in Windows directory 5 IoCs
Processes: chaindhcp.exe
description | ioc | process
File created | C:\Windows\AppPatch\6203df4a6bafc7 | chaindhcp.exe
File created | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\taskhost.exe | chaindhcp.exe
File created | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\b75386f1303e64 | chaindhcp.exe
File created | C:\Windows\AppPatch\lsass.exe | chaindhcp.exe
File opened for modification | C:\Windows\AppPatch\lsass.exe | chaindhcp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (21 instances)
pid | process
328 | schtasks.exe
2328 | schtasks.exe
2344 | schtasks.exe
2668 | schtasks.exe
2712 | schtasks.exe
1568 | schtasks.exe
1644 | schtasks.exe
2440 | schtasks.exe
3068 | schtasks.exe
1596 | schtasks.exe
1488 | schtasks.exe
1016 | schtasks.exe
1552 | schtasks.exe
1576 | schtasks.exe
1548 | schtasks.exe
2672 | schtasks.exe
2840 | schtasks.exe
2704 | schtasks.exe
2752 | schtasks.exe
1716 | schtasks.exe
1520 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: chaindhcp.exe, lsm.exe
pid | process
2480 | chaindhcp.exe
2480 | chaindhcp.exe
2480 | chaindhcp.exe
2424 | lsm.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: chaindhcp.exe, lsm.exe
description | pid | process
Token: SeDebugPrivilege | 2480 | chaindhcp.exe
Token: SeDebugPrivilege | 2424 | lsm.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe, WScript.exe, cmd.exe, chaindhcp.exe
description | pid | process | target process
PID 2896 wrote to memory of 1564 | 2896 | 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe | WScript.exe
PID 2896 wrote to memory of 1564 | 2896 | 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe | WScript.exe
PID 2896 wrote to memory of 1564 | 2896 | 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe | WScript.exe
PID 2896 wrote to memory of 1564 | 2896 | 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe | WScript.exe
PID 1564 wrote to memory of 2556 | 1564 | WScript.exe | cmd.exe
PID 1564 wrote to memory of 2556 | 1564 | WScript.exe | cmd.exe
PID 1564 wrote to memory of 2556 | 1564 | WScript.exe | cmd.exe
PID 1564 wrote to memory of 2556 | 1564 | WScript.exe | cmd.exe
PID 2556 wrote to memory of 2480 | 2556 | cmd.exe | chaindhcp.exe
PID 2556 wrote to memory of 2480 | 2556 | cmd.exe | chaindhcp.exe
PID 2556 wrote to memory of 2480 | 2556 | cmd.exe | chaindhcp.exe
PID 2556 wrote to memory of 2480 | 2556 | cmd.exe | chaindhcp.exe
PID 2480 wrote to memory of 2424 | 2480 | chaindhcp.exe | lsm.exe
PID 2480 wrote to memory of 2424 | 2480 | chaindhcp.exe | lsm.exe
PID 2480 wrote to memory of 2424 | 2480 | chaindhcp.exe | lsm.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child tree; the schtasks.exe entries are top-level because their parent, wmiprvse.exe, is not part of the tree)
-
C:\Users\Admin\AppData\Local\Temp\3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe (PID 2896)
  command line: "C:\Users\Admin\AppData\Local\Temp\3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 1564)
    command line: "C:\Windows\System32\WScript.exe" "C:\BlockagentServernetcommon\dWMX88gCACXoKvtETHr5LRHJRP.vbe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2556)
      command line: cmd /c ""C:\BlockagentServernetcommon\iMMFNCJn73wO9QJjxuedDCGIZ.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\BlockagentServernetcommon\chaindhcp.exe (PID 2480)
        command line: "C:\BlockagentServernetcommon\chaindhcp.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe (PID 2424)
          command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe (PID 2440)
  command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 2328)
  command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 2344)
  command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 2840)
  command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 3068)
  command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1016)
  command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 2668)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 2704)
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 2712)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 2752)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\Mozilla\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1552)
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Mozilla\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1568)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\LocalLow\Mozilla\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1644)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\BlockagentServernetcommon\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1576)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BlockagentServernetcommon\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1548)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\BlockagentServernetcommon\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1596)
  command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\BlockagentServernetcommon\conhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 328)
  command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\BlockagentServernetcommon\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 2672)
  command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\BlockagentServernetcommon\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1716)
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1488)
  command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (PID 1520)
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\BlockagentServernetcommon\dWMX88gCACXoKvtETHr5LRHJRP.vbe
  Filesize: 227B
  MD5: d40a0d6875e6223f9e5c4c9613c975b4
  SHA1: c605b32b588597dce9916053944eccef138d3b6e
  SHA256: 2304bdc77b852533e29614bd26e244c64fee9c2e9c5ea2a8c4e4579fd8ade547
  SHA512: 2e2570f2d0af1fde57fd7ef1812981e75daed6a906f2a359e89713dabf2df204b4788c76adcdaca8bb9f3046a3ee9cf5731bc84105ce82af17953c7f7197ff78
-
C:\BlockagentServernetcommon\iMMFNCJn73wO9QJjxuedDCGIZ.bat
  Filesize: 44B
  MD5: eb6b7f7bea1252f5f5bfcc2c9e0164e5
  SHA1: ec7bfe67793b4b3f4842334e9476a5e9a2f95688
  SHA256: 31f24dac6e2778c338307d6ccdf2e7e8b8626266bfef12af006b20b4a27c05af
  SHA512: 02807c217a7e93cdfd7cb60c0bf9110ef7585b0d1843599bc3c4537481ebfe942f3f41b9b71c4aa26b2f4ef5619338d81f0474a387c859942e5814d49f8f3939
-
\BlockagentServernetcommon\chaindhcp.exe
  Filesize: 828KB
  MD5: 64bce0f72bd60afa24806c4e8184ba5d
  SHA1: 633df6157e70b70a4606e3f9f63fdc9db17dba14
  SHA256: ce9beff66fd8ae2b916b2490e5c8da04c4316f98de24304c56417ea0bfd28451
  SHA512: efeb232f08d86465cf88d2050e3e52818b877621d29b9bb1eab8f44238ef02b7495bb11910ed1709b8058d104269e05d0e31557f4bbe1afc0ba0bf3baf8f5191
-
memory/2424-34-0x0000000000AF0000-0x0000000000BC6000-memory.dmp
  Filesize: 856KB
-
memory/2480-13-0x0000000000960000-0x0000000000A36000-memory.dmp
  Filesize: 856KB