Analysis
- max time kernel: 124s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 21-06-2024 01:27

Behavioral task: behavioral1
- Sample: 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe
- Resource: win10v2004-20240611-en

General
- Target: 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe
- Size: 1.1MB
- MD5: 105e56a8f722fc60cb17281dc8a0d073
- SHA1: 85bcb8e6b6c83f2a64260ae3ad2386b7e4aa0434
- SHA256: 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab
- SHA512: 6b4fd698cb80400d610629b0390314de0d06067d3648ba893a1fed5198bb6f0194e52685d95c7f0afc79eace95188668dcc05f4c6f19b89ee6ca05ca6d2b1172
- SSDEEP: 24576:U2G/nvxW3Ww0txUX597x0D6TmBqndcQ71Ee:UbA30GPWD6BNd
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes (resource | yara_rule):
\winDhcp\browserhostnet.exe | dcrat
behavioral1/memory/2660-13-0x0000000000320000-0x00000000003F6000-memory.dmp | dcrat
behavioral1/memory/1292-35-0x0000000001210000-0x00000000012E6000-memory.dmp | dcrat
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (21 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1620 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1820 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 548 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1616 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2672 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 2672 | schtasks.exe
-
Executes dropped EXE 2 IoCs
Processes: browserhostnet.exe, System.exe
pid | process
2660 | browserhostnet.exe
1292 | System.exe
-
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid | process
2620 | cmd.exe
2620 | cmd.exe
-
Drops file in Program Files directory 2 IoCs
Processes: browserhostnet.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Portable Devices\csrss.exe | browserhostnet.exe
File created | C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e | browserhostnet.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (21 instances)
pid | process
2840 | schtasks.exe
2816 | schtasks.exe
1972 | schtasks.exe
2972 | schtasks.exe
548 | schtasks.exe
1932 | schtasks.exe
1616 | schtasks.exe
2684 | schtasks.exe
2512 | schtasks.exe
2412 | schtasks.exe
2612 | schtasks.exe
1812 | schtasks.exe
2220 | schtasks.exe
2944 | schtasks.exe
1664 | schtasks.exe
2576 | schtasks.exe
1620 | schtasks.exe
2688 | schtasks.exe
2552 | schtasks.exe
1820 | schtasks.exe
2924 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: browserhostnet.exe, System.exe
pid | process
2660 | browserhostnet.exe
1292 | System.exe (9 identical rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: System.exe
pid | process
1292 | System.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: browserhostnet.exe, System.exe
description | pid | process
Token: SeDebugPrivilege | 2660 | browserhostnet.exe
Token: SeDebugPrivilege | 1292 | System.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe, WScript.exe, cmd.exe, browserhostnet.exe, cmd.exe
description | pid | process | target process
PID 1444 wrote to memory of 2008 | 1444 | 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe | WScript.exe (4 identical rows)
PID 2008 wrote to memory of 2620 | 2008 | WScript.exe | cmd.exe (4 identical rows)
PID 2620 wrote to memory of 2660 | 2620 | cmd.exe | browserhostnet.exe (4 identical rows)
PID 2660 wrote to memory of 492 | 2660 | browserhostnet.exe | cmd.exe (3 identical rows)
PID 492 wrote to memory of 2960 | 492 | cmd.exe | w32tm.exe (3 identical rows)
PID 492 wrote to memory of 1292 | 492 | cmd.exe | System.exe (3 identical rows)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1444
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\winDhcp\DyOE67CiXFDK4.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 2008
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\winDhcp\QlWrCKPitO3EBDJkoooUbfBub6XAu.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2620
      [4] C:\winDhcp\browserhostnet.exe
          Command line: "C:\winDhcp\browserhostnet.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2660
        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HABYRpoR2i.bat"
            - Suspicious use of WriteProcessMemory
            PID: 492
          [6] C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 2960
          [6] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe
              Command line: "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID: 1292
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2840
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2552
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2684
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "browserhostnetb" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\browserhostnet.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2512
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "browserhostnet" /sc ONLOGON /tr "'C:\MSOCache\All Users\browserhostnet.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2576
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "browserhostnetb" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\browserhostnet.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2412
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2972
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1620
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1820
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\winDhcp\System.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2688
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\winDhcp\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2816
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\winDhcp\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2612
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1812
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2924
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 548
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1932
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1972
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1616
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2220
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2944
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1664
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HABYRpoR2i.bat
Filesize: 224B
MD5: 82da8af4fae1807c9e916ed2d8c517d7
SHA1: 6fb8f1398b00b160102db53a478aecb73b92c2d0
SHA256: d93f089fb4649481d1e4190bb70f928c9ecdd7135694e372f27bab87c21c2e0c
SHA512: 0fa0032962a72fe3c73b429ff0cbbf0a6183d29b5a3223da4e0e929130332fe2bdedd1f0a57e0810640ef91ce34dfeeb52dfdee8f9f66d072225b5c902d5b528
-
C:\winDhcp\DyOE67CiXFDK4.vbe
Filesize: 213B
MD5: a6895e1baccdda4b4f131a5d6b29884a
SHA1: 5e53063494d49c65bb3f940edf030462a9646b0b
SHA256: 7218700f0f012caf18a92e2f012d56b3f1241414d11bb38d69e0633a33d80ff9
SHA512: 439eff2b5e330a534d582501053290dcf7a44f4de685cacb8b7a6b91bd76a59f044208f1e7eca52f857fe18a8c93441c0d4a62495a30b308035c6edce1b7e8a1
-
C:\winDhcp\QlWrCKPitO3EBDJkoooUbfBub6XAu.bat
Filesize: 31B
MD5: 0783953e91c834463a8af6965b8a6e82
SHA1: 66d1c6db94b36f6112e393e33ae94f4b963f1b31
SHA256: f1abb9924b1d91414efe342d4b3a2b7e9e49aaaeef4300f5f3a0cda9e7ad853d
SHA512: 0054fc1f4dbdc09ba5137d5b581d9da43878c23efb1ae888b71fbde8e28c09f9c39728423697dd5479063050fd5819c251856bb6b58155e9e8de99d8ee67165a
-
\winDhcp\browserhostnet.exe
Filesize: 827KB
MD5: 68491d301f2370e9484c90a4ca8c458a
SHA1: 57a7952959c07c419a2204939c1da301f6a47030
SHA256: b92fd00e3af0abf5d62269056cf1a43e7da0efbf70467070ad2923bf41554c97
SHA512: 3e1f8e620ce892d222a624fe5a3d791e58ae5a3ac5048639854a5021099844feda6a32109ca78666690113014eea3c29821b955d462db73cd9c1807e2e815558
-
memory/1292-35-0x0000000001210000-0x00000000012E6000-memory.dmp
Filesize: 856KB
-
memory/2660-13-0x0000000000320000-0x00000000003F6000-memory.dmp
Filesize: 856KB