Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 09:53
Behavioral tasks
behavioral1: Sample LegacyPhasmo/LegacyPhasmo.exe, Resource win7-20240220-en
behavioral2: Sample LegacyPhasmo/LegacyPhasmo.exe, Resource win10v2004-20240426-en
behavioral3: Sample LegacyPhasmo/start.exe, Resource win7-20240221-en
behavioral4: Sample LegacyPhasmo/start.exe, Resource win10v2004-20240226-en
General
Target: LegacyPhasmo/start.exe
Size: 1.1MB
MD5: 7002fdc4d02a4ed4a5a6f56bc40efcef
SHA1: cef5ea6d5507392e4fd5cb9511160f4882b4d8b8
SHA256: 6fddd93899ba0f1de262aa86d1e7f4ed3df8b29e9d2b9679d42b5a81addea6f4
SHA512: d5859012071a604563d96c8cffb9a5f12ae5a085b0160d3e90de140bd50c752d97287c1810140d72bf2404880fecd8332a458005e5e8052f5ad74cf11f12a538
SSDEEP: 24576:U2G/nvxW3Ww0t6eSgFX3x5aC6FRMzpC6nHZW/n:UbA306e9FTtYeP0P
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2504 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2336 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1884 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1300 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 636 | 2360 | schtasks.exe | 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2360 | schtasks.exe | 32
resource | yara_rule
behavioral3/files/0x0029000000015c2f-12.dat | dcrat
behavioral3/memory/2484-13-0x0000000000350000-0x0000000000426000-memory.dmp | dcrat
behavioral3/memory/1340-29-0x0000000000EE0000-0x0000000000FB6000-memory.dmp | dcrat
Executes dropped EXE (2 IoCs)
pid | Process
2484 | reviewMonitor.exe
1340 | reviewMonitor.exe
Loads dropped DLL (2 IoCs)
pid | Process
2552 | cmd.exe
2552 | cmd.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows NT\winlogon.exe | reviewMonitor.exe
File created | C:\Program Files\Windows NT\cc11b995f2a76d | reviewMonitor.exe
File created | C:\Program Files\Windows NT\Accessories\de-DE\dwm.exe | reviewMonitor.exe
File created | C:\Program Files\Windows NT\Accessories\de-DE\6cb0b6c459d5d3 | reviewMonitor.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2336 | schtasks.exe
2796 | schtasks.exe
1632 | schtasks.exe
2316 | schtasks.exe
636 | schtasks.exe
2696 | schtasks.exe
2504 | schtasks.exe
2012 | schtasks.exe
2404 | schtasks.exe
1884 | schtasks.exe
1300 | schtasks.exe
2188 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2484 | reviewMonitor.exe
2484 | reviewMonitor.exe
2484 | reviewMonitor.exe
1340 | reviewMonitor.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2484 | reviewMonitor.exe
Token: SeDebugPrivilege | 1340 | reviewMonitor.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 1400 wrote to memory of 2616 | 1400 | start.exe | 28
PID 1400 wrote to memory of 2616 | 1400 | start.exe | 28
PID 1400 wrote to memory of 2616 | 1400 | start.exe | 28
PID 1400 wrote to memory of 2616 | 1400 | start.exe | 28
PID 2616 wrote to memory of 2552 | 2616 | WScript.exe | 29
PID 2616 wrote to memory of 2552 | 2616 | WScript.exe | 29
PID 2616 wrote to memory of 2552 | 2616 | WScript.exe | 29
PID 2616 wrote to memory of 2552 | 2616 | WScript.exe | 29
PID 2552 wrote to memory of 2484 | 2552 | cmd.exe | 31
PID 2552 wrote to memory of 2484 | 2552 | cmd.exe | 31
PID 2552 wrote to memory of 2484 | 2552 | cmd.exe | 31
PID 2552 wrote to memory of 2484 | 2552 | cmd.exe | 31
PID 2484 wrote to memory of 2932 | 2484 | reviewMonitor.exe | 45
PID 2484 wrote to memory of 2932 | 2484 | reviewMonitor.exe | 45
PID 2484 wrote to memory of 2932 | 2484 | reviewMonitor.exe | 45
PID 2932 wrote to memory of 1628 | 2932 | cmd.exe | 47
PID 2932 wrote to memory of 1628 | 2932 | cmd.exe | 47
PID 2932 wrote to memory of 1628 | 2932 | cmd.exe | 47
PID 2932 wrote to memory of 1340 | 2932 | cmd.exe | 48
PID 2932 wrote to memory of 1340 | 2932 | cmd.exe | 48
PID 2932 wrote to memory of 1340 | 2932 | cmd.exe | 48
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\LegacyPhasmo\start.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LegacyPhasmo\start.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1400
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\MshyperHostmonitordhcp\0DcM5JqD9S9f9.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 2616
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\MshyperHostmonitordhcp\MgkA4hhn0q04GXYwCcIaXFzSS.bat" "
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2552
            C:\MshyperHostmonitordhcp\reviewMonitor.exe
              Command line: "C:\MshyperHostmonitordhcp\reviewMonitor.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 2484
                C:\Windows\System32\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FC3kSwLXrk.bat"
                  - Suspicious use of WriteProcessMemory
                  PID: 2932
                    C:\Windows\system32\w32tm.exe
                      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      PID: 1628
                    C:\MSOCache\All Users\reviewMonitor.exe
                      Command line: "C:\MSOCache\All Users\reviewMonitor.exe"
                      - Executes dropped EXE
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 1340

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MshyperHostmonitordhcp\conhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2504

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MshyperHostmonitordhcp\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2012

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MshyperHostmonitordhcp\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2336

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2404

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2796

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1884

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "reviewMonitorr" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\reviewMonitor.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1300

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "reviewMonitor" /sc ONLOGON /tr "'C:\MSOCache\All Users\reviewMonitor.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1632

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "reviewMonitorr" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\reviewMonitor.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2316

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2188

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 636

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2696
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 224B
MD5: d2b97d2aae9482940374f468a574d6a0
SHA1: db0b075661a48ce48889d72331bf6f8dc2678156
SHA256: 7a33058c1663d4917294bc87987b53f98fe9dd03ba8be69f288cafa74ece40bf
SHA512: 4c17782d77ec02197c012668baaf297df10f8003f512d994343fefff5f9b86be1ecbd6ae8d652a14fb7ae0ccec53d0f5e9ecf40fa0ffa629b190967160502bfa

Filesize: 45B
MD5: 50ac67118e356521f6739fb631a1bbbe
SHA1: 68671a07d7a39463726b43c2d53ef535989cccaf
SHA256: 9373ac51e6c5e168c642e48912b314dd69b2b6a47b401e1741ba992ebc06c4df
SHA512: 40728b08c37095b39cd4bf67048de5c71f5400433321e37dc4fbc98d77435a960b80734347c25e136b1251324bf7b2b71df7cddb4abc3f213a7113d006996883

Filesize: 827KB
MD5: 452f976724291ddcd7fc0d12ff1dc544
SHA1: add1cdb2396b67fa42961ee07d91d7a45bad915a
SHA256: 0285686187df5c5ddfda90a068b02a00eb2ce4fea21ea7adef2e07021707ae7d
SHA512: 2b637ec0bf44fe2dbd3fe7801413e81cb102eff09fa51c20258fec72c13de8e966ea11db8e0603f54747c18142a0a9a2ccd258cefe25cc32a33931d9da5a6ed3

Filesize: 204B
MD5: 454139e9134c96f3a4bffd7f65a250de
SHA1: fa598e5ad180b290a50f370d7af55633fc5397eb
SHA256: 2c7f256e16447dd3d16daca6ace2f76d88e9b1df45180b8dcff3f2c0525ac4fb
SHA512: 4aca27848e79dfc8b08e70b68a53d2e3af7b36b8ab1ecd9e4d10d7eae8e4b70be7e2bd8cecb7cf36624c4b2e18526cfd869bcb38f7fc690288697460e4f9c3ab