Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-07-2024 22:33

General

  • Target

    1e55e82940a34f0347e2ec84674cb6c0N.exe

  • Size

    2.4MB

  • MD5

    1e55e82940a34f0347e2ec84674cb6c0

  • SHA1

    49a82cd8c8a3f020b6dbe9f9a4c409e16b0bbe33

  • SHA256

    8695345472b86220ef4154c2c8f86e301569b082238c84aeff34dea0c5c204e3

  • SHA512

    ce004fa9917044abf01664806301fe84c090e7ebd2e5378b95ecc92b8de37587d411384c54598c515046b93d0f6547c2030d0946b62213ad59e8c2986cb63634

  • SSDEEP

    49152:+bA3xoX3ciWYFZGNtz4QG+evJ692QNMkY/ZXZqqhRfgAlWzRA:+b6CFczzmDv892QNBYRXZqqhxg5RA

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e55e82940a34f0347e2ec84674cb6c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e55e82940a34f0347e2ec84674cb6c0N.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerreviewCrtMonitordll\QvTRwOydF6PvsPSbsHoz.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\containerreviewCrtMonitordll\1Tl2sJLOUZoaFKUtUGyztdW5bQFfO.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\containerreviewCrtMonitordll\chainInto.exe
          "C:\containerreviewCrtMonitordll\chainInto.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1956
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5NT8uJA6yK.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2440
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:2268
              • C:\Windows\Performance\WinSAT\DataStore\csrss.exe
                "C:\Windows\Performance\WinSAT\DataStore\csrss.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1668
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2841f8e0-f4ea-4e42-9733-b6c9f8206f15.vbs"
                  7⤵
                  PID:1004
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16df5f87-6d2e-40bd-b991-aded0b5b7ff1.vbs"
                    7⤵
                    PID:1436
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                4⤵
                • Modifies registry key
                PID:2216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2140
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\OSPPSVC.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\containerreviewCrtMonitordll\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\containerreviewCrtMonitordll\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2828
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\containerreviewCrtMonitordll\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3020
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:324
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2036
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:860
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
          PID:2848

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\16df5f87-6d2e-40bd-b991-aded0b5b7ff1.vbs

            Filesize

            501B

            MD5

            9aaaad7372c564ff352faff5b6da619f

            SHA1

            0c6d02130703e3ef7bd84c2d5877cea0ddd47f94

            SHA256

            dd6377131710bbafa5d8535e97d85983a9babb3875a7b49fc03813400e1b4d59

            SHA512

            b8eccbaf34b1eb316f6856866e581c513bb9da63c24a012989d556f581b3f21871aadc13067ebac594b63d5fc2294245acdcbf1b60ca930e00d2dd0333ccece2

          • C:\Users\Admin\AppData\Local\Temp\2841f8e0-f4ea-4e42-9733-b6c9f8206f15.vbs

            Filesize

            725B

            MD5

            2cf5c15983203b822390f53b99fc5d37

            SHA1

            f4b207ace7ed0abaf6134f1b1b493eadfeb76700

            SHA256

            f9c5d9b52326026143529a075b207c0c67c21e4cf14c7d36c00e5a2d1222e537

            SHA512

            b8807f92f50345697b761eff6c43d80171420b741627ef8d2c7c019089b3e611f77bf7d7fcecd9142bc52ce515916fa362ce3721617efcfcf629c11a01ddf65a

          • C:\Users\Admin\AppData\Local\Temp\5NT8uJA6yK.bat

            Filesize

            214B

            MD5

            7b458011a79649006674262299579150

            SHA1

            62e8e1a9555e570f3d3f5342ace96b7ef6a3f114

            SHA256

            aa44b3ae6636c2423eff620f1830e82102cc98a1e7f9a00f38ad7f195de4e095

            SHA512

            e90073cafc5b8a566b2a258f85258ef6046e7093120e048d7bfd7f68f3a12fbb9001182f51c7ae5bb3651e41190997cd1573ea6b389e74568152157835909f2f

          • C:\containerreviewCrtMonitordll\1Tl2sJLOUZoaFKUtUGyztdW5bQFfO.bat

            Filesize

            170B

            MD5

            7039783955d4e215e90cdb16e30d51a8

            SHA1

            a3ed136fd2a8e57e760d7f1f4412a4c6d96219d4

            SHA256

            df9a53758d5c34e9422b418b8c28e3f7441dcf2fb48fb81d620e684e50384e84

            SHA512

            7a7b75ea177c4a46a19ebbae5fb7f0fb18dcec0ea617bb377beace17bf3b34098527153ba58852cc4764083c5bfc86e6602340c81a61366d0da5dea3d3bcfb15

          • C:\containerreviewCrtMonitordll\QvTRwOydF6PvsPSbsHoz.vbe

            Filesize

            245B

            MD5

            c9cb24932937faaa045133e6803ba799

            SHA1

            2b0a00bbb55b5f13a782b4881445a6acf1658d6c

            SHA256

            0d74b56311e7161e43106e63e697b61e5ea268a86d771d9758a181fbf9a071d4

            SHA512

            c0607bd0c567b392e74bbdef99c3f5dfdd7e7217ac8aa5d3a9559f94096ee75e01ff686264d5508e84e3dc9a9b4bd0a159e0f4c86dc175c349563c2af3f83838

          • \containerreviewCrtMonitordll\chainInto.exe

            Filesize

            2.1MB

            MD5

            53426df99660bf62cab83572cc516da2

            SHA1

            e638b51282a10a04d60803920f6ed95b9f9db670

            SHA256

            390711a4056290cd6dbdc327d81178f7c38ab1850aeb9bde35c1307dd8132481

            SHA512

            58a3a3a3da60cb8e7132f444136630a1f6f2f9072b65cc24482799b8e69a872ee2d8aedef879b7c1bb248878aee0ef42d2e454a794331318b08020e2457e78f9

          • memory/1668-63-0x0000000000750000-0x0000000000762000-memory.dmp

            Filesize

            72KB

          • memory/1668-62-0x0000000000CF0000-0x0000000000F0A000-memory.dmp

            Filesize

            2.1MB

          • memory/1956-26-0x00000000023E0000-0x00000000023EC000-memory.dmp

            Filesize

            48KB

          • memory/1956-29-0x0000000002410000-0x000000000241C000-memory.dmp

            Filesize

            48KB

          • memory/1956-20-0x00000000021C0000-0x00000000021D0000-memory.dmp

            Filesize

            64KB

          • memory/1956-21-0x0000000000B70000-0x0000000000B7A000-memory.dmp

            Filesize

            40KB

          • memory/1956-22-0x0000000000B80000-0x0000000000B8C000-memory.dmp

            Filesize

            48KB

          • memory/1956-23-0x00000000021D0000-0x00000000021D8000-memory.dmp

            Filesize

            32KB

          • memory/1956-24-0x00000000023A0000-0x00000000023AC000-memory.dmp

            Filesize

            48KB

          • memory/1956-25-0x00000000023B0000-0x00000000023C2000-memory.dmp

            Filesize

            72KB

          • memory/1956-18-0x0000000000790000-0x0000000000798000-memory.dmp

            Filesize

            32KB

          • memory/1956-27-0x00000000023F0000-0x00000000023F8000-memory.dmp

            Filesize

            32KB

          • memory/1956-28-0x0000000002400000-0x000000000240C000-memory.dmp

            Filesize

            48KB

          • memory/1956-19-0x0000000000B90000-0x0000000000BA2000-memory.dmp

            Filesize

            72KB

          • memory/1956-30-0x0000000002420000-0x0000000002428000-memory.dmp

            Filesize

            32KB

          • memory/1956-31-0x0000000002430000-0x000000000243C000-memory.dmp

            Filesize

            48KB

          • memory/1956-34-0x000000001A940000-0x000000001A94E000-memory.dmp

            Filesize

            56KB

          • memory/1956-33-0x000000001A930000-0x000000001A93E000-memory.dmp

            Filesize

            56KB

          • memory/1956-32-0x0000000002440000-0x000000000244A000-memory.dmp

            Filesize

            40KB

          • memory/1956-35-0x000000001A950000-0x000000001A95A000-memory.dmp

            Filesize

            40KB

          • memory/1956-36-0x000000001A960000-0x000000001A96C000-memory.dmp

            Filesize

            48KB

          • memory/1956-17-0x0000000000B50000-0x0000000000B66000-memory.dmp

            Filesize

            88KB

          • memory/1956-16-0x0000000000780000-0x0000000000790000-memory.dmp

            Filesize

            64KB

          • memory/1956-15-0x0000000000770000-0x0000000000778000-memory.dmp

            Filesize

            32KB

          • memory/1956-14-0x0000000000750000-0x000000000076C000-memory.dmp

            Filesize

            112KB

          • memory/1956-13-0x0000000000290000-0x00000000004AA000-memory.dmp

            Filesize

            2.1MB