Analysis

  • max time kernel
    125s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-07-2024 07:11

General

  • Target

    76552F8BD7533C66BC900C75ABDC0EA7.exe

  • Size

    1.2MB

  • MD5

    76552f8bd7533c66bc900c75abdc0ea7

  • SHA1

    9a682fc922b82e6896c9892efb85687586963355

  • SHA256

    7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f

  • SHA512

    4479dc402d8f9ddf9d8fcb46d9a5048484e59e91b5f4c0b1efd6042ab287556fc028f5e3f0ae03856521bdc346613d848469732de77150719d14dfa3c5171b77

  • SSDEEP

    24576:sMYo92G/nvxW3Ww0tp6A3bEXxdhJGx+RYdVmX9ddqGC:/NbA30QArEX+x+en

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe
    "C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:2768
      • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
        "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
              "C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2644
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZdpTwG6ox.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:592
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1104
                  • C:\surrogatereviewRuntimebrokerMonitor\conhost.exe
                    "C:\surrogatereviewRuntimebrokerMonitor\conhost.exe"
                    7⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2356
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2340
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:928
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hostNet" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1280
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:264
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:792
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\uZdpTwG6ox.bat

        Filesize

        215B

        MD5

        47e49721ea8091840d99555c83649513

        SHA1

        84882c7331314dc1de39b4839eaca0b89c9b62c9

        SHA256

        ce915c24d44041174160af04fb6dd3e3b6879946626b6c9c95f300870702b4f7

        SHA512

        7a9b65a257b3ad33a18ccadf1a20efeda83753143c12df173c561a9d9bad93a0b9608ace77f82a4a99d0b11d4b636d51de791e6588cc03b6c2e380495d43766a

      • C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe

        Filesize

        237B

        MD5

        67ef89a77b03bfa1932cc54db6dce88f

        SHA1

        a2afed6d40b91cb6d48a7023fea05c0853437050

        SHA256

        67b88c35860e20d6b83ca746c93088b98e0eb0ecfd913e769e1353e1809bef30

        SHA512

        7bf14a84e8af2ed04908666ef48233da887d856724c91e3ae3d80bda19b50d47681b5e3e8ae39de2e434c1af5d47f945af2ed0b0b2b3ae7a46987f8b3e962652

      • C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat

        Filesize

        52B

        MD5

        fbbcc9f113a6c0c84210f8550cffca28

        SHA1

        b3e94b80d166ad9c71260ce9674b7edd5d00aa25

        SHA256

        fdb006c74fb6e8d52546f9cbf5cbc86cd39905eac5bf29536d1e1a8d3332846f

        SHA512

        f434c8e5ad16219c4a526690c9e8bf3a139df51439fb047a0fcd77e1e939c3fb53ef4d71c0609520fb522f7bcd34f3aab192df083dd3fa75d68724d26efd03b8

      • \Users\Admin\AppData\Local\Temp\CrackLauncher.exe

        Filesize

        102KB

        MD5

        c137c5f5287d73a94d55bc18df238303

        SHA1

        95b4b01775bea14feaaa462c98d969eb81696d2c

        SHA256

        d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

        SHA512

        ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

      • \Users\Admin\AppData\Local\Temp\DCRatBuild.exe

        Filesize

        1.1MB

        MD5

        d5073e19a3ad042b1f759bcd13a65a3f

        SHA1

        9df8b87566284b169e56ee4a8b78d72ce2e3e5aa

        SHA256

        28aee210bbeacee17831ab5acaa78551bb3c981ec8018ba3d0c2332178294e8b

        SHA512

        89c210bf7bccf524b2dc26d5ba574c06e7c5e7233932d2f98ddf37665542c170d99589c60fd3a1d9c92b322e3c1f8694988a8f446904a4155ee495bd9cb3171e

      • \surrogatereviewRuntimebrokerMonitor\hostNet.exe

        Filesize

        827KB

        MD5

        bc8b1b7e6c72022131728dd99627e1d3

        SHA1

        0dcd162ee7a24204fb032b5e02d3f99c185e82bf

        SHA256

        60e5109f2ee7a7ff493ea0cb43cd182f22a6a2769561f030bc4668a46d8c6d7a

        SHA512

        9dae0a6cd1d6a26f6f03e00755dd0c05a41bcda787dc3fd6d245672058d7eed0c54b4aabdadb65c42341707e942603b0a01dbb442148949b8b7229197abca340

      • memory/2356-59-0x0000000000E20000-0x0000000000EF6000-memory.dmp

        Filesize

        856KB

      • memory/2508-12-0x0000000000400000-0x000000000053F000-memory.dmp

        Filesize

        1.2MB

      • memory/2644-27-0x00000000012F0000-0x00000000013C6000-memory.dmp

        Filesize

        856KB