Analysis
-
max time kernel
118s
-
max time network
118s
-
platform
windows7_x64
-
resource
win7-20240419-en
-
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
-
submitted
22-06-2024 01:09
Behavioral task
behavioral1
Sample
41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
Resource
win10v2004-20240611-en
General
-
Target
41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
-
Size
827KB
-
MD5
9c88646fc2e6a87d06ef9146d061b814
-
SHA1
a5a15178301aa854faf6e8fe6048ad1372a8ac67
-
SHA256
41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983
-
SHA512
ebb5356f86cc925dcc8b47e0e96efe5dfb787b368c5921790086d378b574498c8083f5962d27451d78ab488667634a61f178c750b95cfcfe79f62f29989bc231
-
SSDEEP
12288:dEo0OhY4AtUMGEvw2vd1JdxXQJN5IsULGpSCXnRKldH5x5n76:0OG4AtUMGv21PdxXu5/hRKJfnW
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2964 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1244 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1336 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1304 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 1792 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 1792 | schtasks.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2068-1-0x00000000001A0000-0x0000000000276000-memory.dmp | dcrat
C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe | dcrat
behavioral1/memory/2588-25-0x0000000000DE0000-0x0000000000EB6000-memory.dmp | dcrat
-
Executes dropped EXE (1 IoCs)
Processes:
pid | process
2588 | schtasks.exe
-
Drops file in Program Files directory (8 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\DVD Maker\fr-FR\3a6fe29a7ceee6 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\smss.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\f3b6ecef712a24 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
File created | C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
File created | C:\Program Files\Windows NT\Accessories\es-ES\886983d96e3d3e | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
File created | C:\Program Files\DVD Maker\fr-FR\schtasks.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\AppPatch\it-IT\explorer.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
File created | C:\Windows\AppPatch\it-IT\7a0fd90576e088 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2724 | schtasks.exe
2572 | schtasks.exe
2516 | schtasks.exe
2640 | schtasks.exe
2416 | schtasks.exe
1244 | schtasks.exe
1304 | schtasks.exe
1980 | schtasks.exe
2956 | schtasks.exe
2612 | schtasks.exe
3020 | schtasks.exe
2852 | schtasks.exe
2776 | schtasks.exe
2552 | schtasks.exe
1336 | schtasks.exe
1508 | schtasks.exe
2964 | schtasks.exe
2748 | schtasks.exe
2856 | schtasks.exe
1836 | schtasks.exe
2184 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
2068 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
2544 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
2588 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2068 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
Token: SeDebugPrivilege | 2544 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
Token: SeDebugPrivilege | 2588 | schtasks.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 2068 wrote to memory of 2544 | 2068 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
PID 2068 wrote to memory of 2544 | 2068 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
PID 2068 wrote to memory of 2544 | 2068 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
PID 2544 wrote to memory of 2016 | 2544 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe | cmd.exe
PID 2544 wrote to memory of 2016 | 2544 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe | cmd.exe
PID 2544 wrote to memory of 2016 | 2544 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe | cmd.exe
PID 2016 wrote to memory of 1976 | 2016 | cmd.exe | w32tm.exe
PID 2016 wrote to memory of 1976 | 2016 | cmd.exe | w32tm.exe
PID 2016 wrote to memory of 1976 | 2016 | cmd.exe | w32tm.exe
PID 2016 wrote to memory of 2588 | 2016 | cmd.exe | schtasks.exe
PID 2016 wrote to memory of 2588 | 2016 | cmd.exe | schtasks.exe
PID 2016 wrote to memory of 2588 | 2016 | cmd.exe | schtasks.exe
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe"
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
-
Depth 3: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKtyItKL0f.bat"
- Suspicious use of WriteProcessMemory
PID:2016
-
Depth 4: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1976
-
Depth 4: C:\Users\Default\SendTo\schtasks.exe
    Command line: "C:\Users\Default\SendTo\schtasks.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\it-IT\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\it-IT\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\schtasks.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\schtasks.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\schtasks.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\fr-FR\schtasks.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\schtasks.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\fr-FR\schtasks.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\schtasks.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Default\SendTo\schtasks.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
Depth 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\schtasks.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe
Filesize
827KB
MD5
9c88646fc2e6a87d06ef9146d061b814
SHA1
a5a15178301aa854faf6e8fe6048ad1372a8ac67
SHA256
41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983
SHA512
ebb5356f86cc925dcc8b47e0e96efe5dfb787b368c5921790086d378b574498c8083f5962d27451d78ab488667634a61f178c750b95cfcfe79f62f29989bc231
-
C:\Users\Admin\AppData\Local\Temp\YKtyItKL0f.bat
Filesize
201B
MD5
4238c1fd02b8716264f77b5f2d8444a5
SHA1
0d9a49de59f0dbbc05e91f15b837e98f85dd4c62
SHA256
d4fe6d3bfb7774cbf1a9bda96f2e552c60a66d29c64d3d58c1c1941b07e85e31
SHA512
61409b8cf68ba1a09f7465e0584a30579d15246129b2586246446345cd0a9431fd9ceb3520b2f889ee40e9016f4377cddaf1a4601700ad51b64028c4af9cce3b
-
memory/2068-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp
Filesize
4KB
-
memory/2068-1-0x00000000001A0000-0x0000000000276000-memory.dmp
Filesize
856KB
-
memory/2068-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
Filesize
9.9MB
-
memory/2068-9-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
Filesize
9.9MB
-
memory/2588-25-0x0000000000DE0000-0x0000000000EB6000-memory.dmp
Filesize
856KB