Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 14:27

General

  • Target

    AgE312YolF45.exe

  • Size

    2.0MB

  • MD5

    3c85f943f1f46c62c996d02b335ead81

  • SHA1

    d19a217efea23a93c24541c0027e2bb19a32a148

  • SHA256

    3f55ade4a555c326fc309c8478b1abe8acb9d24ca3496d5a3e65256c35b81ee7

  • SHA512

    24220be76b6723f87c8a3b690d1ef3f876682e6fd156f5dc087d88ca7d1e020e6171354838ece2952341835babf63e51f4bd89626a2420f730b524787be34b8b

  • SSDEEP

    24576:u2G/nvxW3WieCYSoWse8bvSGOkDSqMdxcXZLE2XTo6+2lXgW8/ezB8diUV6gwvB+:ubA3jYSovbvSXqGsLw6RXRgBdF6rZYdt

Malware Config

Signatures

  • DcRat
    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
  • Process spawned unexpected child process (30 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • UAC bypass (3 TTPs, 6 IoCs)
  • DCRat payload (3 IoCs)
    Detects the DCRat payload, which is commonly dropped by NSIS installers.
  • Disables Task Manager via registry modification
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 4 IoCs)
  • Drops file in Program Files directory (10 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry key (1 TTPs, 1 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 30 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (31 IoCs)
  • System policy modification (1 TTPs, 6 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe
    "C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ReviewRuntimenet\21ZjY.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\ReviewRuntimenet\ServerSaveshost.exe
          "C:\ReviewRuntimenet\ServerSaveshost.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2936
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bp2QSrQG1f.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1812
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2236
              • C:\Windows\Prefetch\ReadyBoot\csrss.exe
                "C:\Windows\Prefetch\ReadyBoot\csrss.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1696
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca9caac2-0768-4a73-8b8a-dd2fc8c21f8c.vbs"
                  7⤵
                    PID:1636
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\197153c0-cdbd-4f7c-903b-943b36c4b484.vbs"
                    7⤵
                      PID:820
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                4⤵
                • Modifies registry key
                PID:2224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\ReviewRuntimenet\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ReviewRuntimenet\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\ReviewRuntimenet\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2852
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2412
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:316
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1188
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2616
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1692
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1204
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:264
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1744
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1128
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1968

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ReviewRuntimenet\21ZjY.vbe
    Filesize: 213B
    MD5: 09a35d6cb1e2ea076586988cdbcc940a
    SHA1: 7e062f07474330abdab5d77ad336bc0a3532ca89
    SHA256: 6d8ba67017098b244d617acea6d2e70b47db126ca14924b9a82703bae95a5c38
    SHA512: 2f3100f18b3aa18abdbead9e8955af0eebdf451ed0ec987306fcc73bda195933b8fe8c59be7a8f777192890260efb96edaf6b3c04ce56e3151c7a0c9ee960f7c

  • C:\ReviewRuntimenet\ServerSaveshost.exe
    Filesize: 1.7MB
    MD5: 88e250828f656440b29f7be2b67b5d44
    SHA1: 86c19cccc181827c99f8703f017ee2d22a1ffe1e
    SHA256: 67d4916350ff960cd46e98f0c1d00290b63eb8a6c94c3595e76245d4ae4706d0
    SHA512: 11c7da52c1a67af894608dad046cf85947f64e74ecaae20edbf3f748ee0a9b65d3a5a03ceb1a690016de883fa39a5fba384cb6d031a09a086e323367f7de3c1f

  • C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat
    Filesize: 153B
    MD5: 285b91a7a5b84ebdca3dc8f49a68638c
    SHA1: 61c9262f49da3afdf6310efd11108adb9b8283ff
    SHA256: 59ddfb2705077e864946fe450625206671a1faafc9e46704ca108b4196d24f99
    SHA512: 7ce8348ddb6571aaadcce2e8780d3032055a2bded51e9dd4a2eb1aa1f7f24ea9258322dae8c15223ed92b83681f2b5333b0e828239624b1e929771a4b670601d

  • C:\Users\Admin\AppData\Local\Temp\197153c0-cdbd-4f7c-903b-943b36c4b484.vbs
    Filesize: 491B
    MD5: bd4c600493d8b3ebd31c567615c86f8b
    SHA1: 8e67b7fccff39954c19672b603f06b1e5a96235c
    SHA256: 1753230cbb0f1f6a54464b5810e8a7f3efcfbbe80fdfb8560889babb33eff8fd
    SHA512: ab58c3eb65f99565b53964bb5b66f425ec55c7a2fd349ec53c9ec9344bcf43e12fe957b1a3b63df928cc3ab31cf6d5ea2b8166ed7e058f2b7aa9b64a0585d157

  • C:\Users\Admin\AppData\Local\Temp\bp2QSrQG1f.bat
    Filesize: 204B
    MD5: bbaa8dc024c5443c733dc9bea0bc6867
    SHA1: 2dceb80cf2db133a2febff76767c0fb96d11d682
    SHA256: af0cdd446ec2a2aeca814db2dc871f9b2326c75c2c915ad181a69a3f5fdb009c
    SHA512: 535d846c74f3eb3666447e551c3011931642eac6f86d49f577b59a6ae1acb39825265aa2fdd58a3c7508c4c3e247f5c78520e53528bb03003ad7455d97a45736

  • C:\Users\Admin\AppData\Local\Temp\ca9caac2-0768-4a73-8b8a-dd2fc8c21f8c.vbs
    Filesize: 715B
    MD5: 1c481223b8099c98cab692f597865dee
    SHA1: 1015dc2476dd3e8b3318590c3b01c0682fb0dc41
    SHA256: 38659c5e3886ba04e5bffeb716b55cb38a9b1c6648251fe0a033837a61c727f2
    SHA512: 40cd2963de7b4365a32b35eca77446f0bf1a1152df1cd934c51b6ec3bbecb7b433409a4b6294d1f626962fa0e21d9436b48158f5246fa21ba7bf06ce7d05c9ad

  • memory/1696-57-0x0000000000920000-0x0000000000932000-memory.dmp
    Filesize: 72KB

  • memory/1696-56-0x0000000000030000-0x00000000001E4000-memory.dmp
    Filesize: 1.7MB

  • memory/2936-22-0x0000000000BC0000-0x0000000000BCC000-memory.dmp
    Filesize: 48KB

  • memory/2936-25-0x0000000000BE0000-0x0000000000BEE000-memory.dmp
    Filesize: 56KB

  • memory/2936-20-0x0000000000660000-0x000000000066C000-memory.dmp
    Filesize: 48KB

  • memory/2936-21-0x0000000000670000-0x0000000000682000-memory.dmp
    Filesize: 72KB

  • memory/2936-18-0x0000000000640000-0x0000000000648000-memory.dmp
    Filesize: 32KB

  • memory/2936-23-0x0000000000BD0000-0x0000000000BDC000-memory.dmp
    Filesize: 48KB

  • memory/2936-24-0x000000001A6E0000-0x000000001A6EA000-memory.dmp
    Filesize: 40KB

  • memory/2936-19-0x0000000000650000-0x000000000065A000-memory.dmp
    Filesize: 40KB

  • memory/2936-26-0x0000000000BF0000-0x0000000000BF8000-memory.dmp
    Filesize: 32KB

  • memory/2936-27-0x000000001A6D0000-0x000000001A6DA000-memory.dmp
    Filesize: 40KB

  • memory/2936-28-0x000000001A8D0000-0x000000001A8DC000-memory.dmp
    Filesize: 48KB

  • memory/2936-17-0x0000000000510000-0x0000000000526000-memory.dmp
    Filesize: 88KB

  • memory/2936-16-0x0000000000380000-0x0000000000390000-memory.dmp
    Filesize: 64KB

  • memory/2936-15-0x0000000000370000-0x0000000000378000-memory.dmp
    Filesize: 32KB

  • memory/2936-14-0x0000000000150000-0x000000000016C000-memory.dmp
    Filesize: 112KB

  • memory/2936-13-0x0000000000D90000-0x0000000000F44000-memory.dmp
    Filesize: 1.7MB