Analysis

  • max time kernel: 122s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 21-06-2024 04:52

General

  • Target: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
  • Size: 959KB
  • MD5: 4d580c12dd002c7e9d0672cf7c0fef59
  • SHA1: b46c4eaeea368c01f3b6e89a7749dcb9719fcf11
  • SHA256: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc
  • SHA512: 6a517c05bf3b3df6d66fbe026044456bc5ec9f643757a53705a869588c505fbb837fc763134b71bea390ca8f01f8b5fdda391ed5eb07829dcd8249027a6f99f0
  • SSDEEP: 24576:7IY/8GC9t2/zdHKXMXvE/s5ZVKBdd0aZ7+B:7IQRllfE/oYh+B

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables containing URLs to raw contents of a Github gist 2 IoCs
  • Detects executables packed with SmartAssembly 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
    "C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1092
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2880
    • C:\Users\Admin\AppData\Local\Temp\trx.exe
      "C:\Users\Admin\AppData\Local\Temp\trx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MSCONFIG\0h6cj87wvPM.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\MSCONFIG\CONFIG.exe
            "C:\MSCONFIG\CONFIG.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2628
            • C:\Program Files\Java\jre7\bin\plugin2\csrss.exe
              "C:\Program Files\Java\jre7\bin\plugin2\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSCONFIG\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSCONFIG\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSCONFIG\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSCONFIG\0h6cj87wvPM.vbe
    Filesize: 208B
    MD5: c82cc3c85bd84d0af9e997e0a4959cdd
    SHA1: 8ff246be20905b44b77082729819917245547013
    SHA256: 53db8dddc4b2d19225bc4e07771a867791fea3399c93f2e377b6794c2df3e86d
    SHA512: 09c484cf6b54b4dfd612fdbe32c116ada544dd684e98d4bcdf5ce67534712d2e16685ebecde94aded6a1a8767df75a3390d9871b52061b45bb9011bf2de353d9

  • C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat
    Filesize: 24B
    MD5: 8ec84d1942903da3492f14e534a8e841
    SHA1: b152ff7373eac0aaef9c17637bde6cc754fe257a
    SHA256: a695797842083715d31a3aba69946326d1208a8eb497b1dffbc9f7dfd4305c4d
    SHA512: bd1e95501352c71ca432263bfca20a2bf9400074629133a0c7906165e79bb9d14419656f3e44da28e817657f86869e2196ae8f77c57683b8ca8e191ffe2bb076

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    Filesize: 12KB
    MD5: 74494703e5f44eeb9aa037f0f50bf682
    SHA1: fcfd8813e63cd61c5bfd2db605827fb9070fe8e9
    SHA256: 3e4f692506d372bebc12d344c5f1543b67fa1dbe095c910aab78456510d7fe66
    SHA512: dbd2a8d928c797c70c4286d8ebabe202902445ed60e94eeccf33c7e3d794c7e362139187dcd1a57a4919503c1c791cfbe38f6f6eff454248382b3c4e023791fe

  • C:\Users\Admin\AppData\Local\Temp\trx.exe
    Filesize: 1.5MB
    MD5: 03cde07f808c1c15f2b413e89a45b9d8
    SHA1: 2e4f97f7f28024db39758472d484484dc3030c0b
    SHA256: daf2510e43a399ef767b7d9dfc87ac245a6d625b05aa9d60a3f1a5767f8cfb9f
    SHA512: d6add1d4f6acf0b70d50bfbefdd2f9093860a0c9de745429c11a28b6e9d2921ab60fda306e3b90f641901c6fb9b50e0928d0b90e58ee799c573606971eb6ad18

  • \MSCONFIG\CONFIG.exe
    Filesize: 1.1MB
    MD5: 5e14719cd7fbb360095ace17828a75b3
    SHA1: 72cd087ba89bef7546a5657b352b61f2ea31f492
    SHA256: 095b2894512ec27bb89f8e5b1feb35ed137ebec9debf234d61935405f5a27561
    SHA512: 20bdef4870af81d4dedd18872213788d4a8c5ab2b7cf48e14f1e36096b91f79d791d3481dbd6e35599a1f2a00a2e105e05d92a8202b1597326c6d17905d3bc27

  • memory/1284-1-0x000000013FF80000-0x0000000140074000-memory.dmp
    Filesize: 976KB

  • memory/1284-13-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize: 9.9MB

  • memory/1284-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp
    Filesize: 4KB

  • memory/2164-61-0x000000007452E000-0x000000007452F000-memory.dmp
    Filesize: 4KB

  • memory/2164-14-0x000000007452E000-0x000000007452F000-memory.dmp
    Filesize: 4KB

  • memory/2164-16-0x00000000012E0000-0x00000000012EA000-memory.dmp
    Filesize: 40KB

  • memory/2628-35-0x0000000000E90000-0x0000000000FBE000-memory.dmp
    Filesize: 1.2MB

  • memory/2628-37-0x0000000000B10000-0x0000000000B1C000-memory.dmp
    Filesize: 48KB

  • memory/2628-38-0x0000000000460000-0x0000000000468000-memory.dmp
    Filesize: 32KB

  • memory/2628-39-0x0000000000B00000-0x0000000000B12000-memory.dmp
    Filesize: 72KB

  • memory/2628-40-0x0000000000B40000-0x0000000000B4C000-memory.dmp
    Filesize: 48KB

  • memory/2628-41-0x0000000000B50000-0x0000000000B5C000-memory.dmp
    Filesize: 48KB

  • memory/2628-36-0x00000000003D0000-0x00000000003E2000-memory.dmp
    Filesize: 72KB

  • memory/2916-58-0x00000000003A0000-0x00000000004CE000-memory.dmp
    Filesize: 1.2MB

  • memory/2916-59-0x00000000005E0000-0x00000000005F2000-memory.dmp
    Filesize: 72KB

  • memory/2916-60-0x0000000000800000-0x0000000000812000-memory.dmp
    Filesize: 72KB