Analysis
- max time kernel: 120s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 21-06-2024 01:09
Behavioral task: behavioral1
- Sample: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
- Resource: win10v2004-20240611-en
General
- Target: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
- Size: 827KB
- MD5: 33ab5cbb351fa75f5d4f3e3b5aa064a9
- SHA1: ac9bcf69aecff1ff5d4108df204a4a2b572e1eef
- SHA256: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17
- SHA512: 4e62650b49ae86c152463742a04980627d54dc8efc7dd3443625210d13db815f279989d846bbca4376cd127595403cfd53160c0fa78f3d198bf400da5655a98e
- SSDEEP: 12288:6HggW+CSPHjaphInx+6XlRitt/tNRWCkQu:6AgW+C4jaqZlR4/jRWCkT
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (identical for all 18 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  process
2768  2612        schtasks.exe
2912  2612        schtasks.exe
2596  2612        schtasks.exe
2820  2612        schtasks.exe
2480  2612        schtasks.exe
2500  2612        schtasks.exe
2640  2612        schtasks.exe
2528  2612        schtasks.exe
2504  2612        schtasks.exe
2984  2612        schtasks.exe
2996  2612        schtasks.exe
2452  2612        schtasks.exe
656   2612        schtasks.exe
560   2612        schtasks.exe
1272  2612        schtasks.exe
2700  2612        schtasks.exe
2692  2612        schtasks.exe
2860  2612        schtasks.exe
-
Processes:
resource                                                              yara_rule
behavioral1/memory/3016-1-0x0000000000010000-0x00000000000E6000-memory.dmp   dcrat
C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe                 dcrat
behavioral1/memory/2676-23-0x0000000000B00000-0x0000000000BD6000-memory.dmp  dcrat
-
Executes dropped EXE (1 IoC)
Processes:
pid   process
2676  lsass.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2504  schtasks.exe
2984  schtasks.exe
2820  schtasks.exe
2500  schtasks.exe
2640  schtasks.exe
560   schtasks.exe
2692  schtasks.exe
2480  schtasks.exe
2912  schtasks.exe
2528  schtasks.exe
2768  schtasks.exe
2996  schtasks.exe
2452  schtasks.exe
656   schtasks.exe
1272  schtasks.exe
2700  schtasks.exe
2860  schtasks.exe
2596  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid   process
3016  2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
2676  lsass.exe (listed 9 times)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid   process
2676  lsass.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  3016  2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
Token: SeDebugPrivilege  2676  lsass.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                          pid   process                                                                 target process
PID 3016 wrote to memory of 2512     3016  2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe  cmd.exe (listed 3 times)
PID 2512 wrote to memory of 2232     2512  cmd.exe                                                                 w32tm.exe (listed 3 times)
PID 2512 wrote to memory of 2676     2512  cmd.exe                                                                 lsass.exe (listed 3 times)
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe (PID 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\cmd.exe (PID 2512)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qdkxfnloT6.bat"
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\w32tm.exe (PID 2232)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe (PID 2676)
      Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 2768)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2912)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2596)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2480)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2820)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2500)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2640)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2528)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2504)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2984)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2996)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2452)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 656)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 560)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1272)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2700)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2692)
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2860)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\spoolsv.exe
  Filesize: 827KB
  MD5: 33ab5cbb351fa75f5d4f3e3b5aa064a9
  SHA1: ac9bcf69aecff1ff5d4108df204a4a2b572e1eef
  SHA256: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17
  SHA512: 4e62650b49ae86c152463742a04980627d54dc8efc7dd3443625210d13db815f279989d846bbca4376cd127595403cfd53160c0fa78f3d198bf400da5655a98e
- C:\Users\Admin\AppData\Local\Temp\qdkxfnloT6.bat
  Filesize: 237B
  MD5: 8500d2174c92ea85887e3e77dd6b1648
  SHA1: 5fd29cd3781ea64e433207e9fdc21c631afd13e3
  SHA256: 3c25276e1accbe5abd1c5e10fd2ee91b4f34c2ef27f29b0af4b83ef54bac527c
  SHA512: e428a5fe52be3d0ee495f004afae72d25f873f0464fb3cb3da0e58bef9a43776fb40642b6e902d0c33bed7ce9c38835e86ddb241182e7a4fbacc31094f9a0d25
- memory/2676-23-0x0000000000B00000-0x0000000000BD6000-memory.dmp
  Filesize: 856KB
- memory/3016-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp
  Filesize: 4KB
- memory/3016-1-0x0000000000010000-0x00000000000E6000-memory.dmp
  Filesize: 856KB
- memory/3016-2-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
  Filesize: 9.9MB
- memory/3016-20-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
  Filesize: 9.9MB