Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    17-07-2024 15:46

General

  • Target

    13DA266DA3CB746AA680DB5C41148524.exe

  • Size

    1.1MB

  • MD5

    13da266da3cb746aa680db5c41148524

  • SHA1

    1d56737f102966336681e40ae281e4d83b400de6

  • SHA256

    9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796

  • SHA512

    c7d738df05173767ace1af0c0660b275589808687024ab3670a32c9546b982dbd8addfa0f34764712b9a640c7748d29ac3d4446583535c5747cf358624554dd5

  • SSDEEP

    24576:U2G/nvxW3Ww0t1rRGRMtRqFtFVc/pJGn4czXV:UbA301rRb+ip12l

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\13DA266DA3CB746AA680DB5C41148524.exe
    "C:\Users\Admin\AppData\Local\Temp\13DA266DA3CB746AA680DB5C41148524.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerwinBroker\e8Rlw8Qp2tIZEv6MWU8.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\containerwinBroker\bc42ZgAN7HZpE65W.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\containerwinBroker\hostCrtnet.exe
          "C:\containerwinBroker\hostCrtnet.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c5ZP5GVEbN.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1544
              • C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe
                "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:1672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\c5ZP5GVEbN.bat

      Filesize

      222B

      MD5

      050dbb3b0e911545e3da59530f348e25

      SHA1

      92ae652ffb51537a808d05dd951dce9c33d93b1d

      SHA256

      1ca0f00b9e858593dea1e2b6ea750f1775b822c67420d9de9b27f72eb915b441

      SHA512

      8c1813199de3178eb0a5a158be0be280131c8c81f48e017ff0aa11d0b625660a5f8a7e4e5dac95c4aa47c60ace890cfbce564cbc9bde2e6e9b2aee624ea9098d

    • C:\containerwinBroker\bc42ZgAN7HZpE65W.bat

      Filesize

      38B

      MD5

      196b374439b47033484388410d253f0a

      SHA1

      de7a5511926ea62f37cad9a69fc8e294b1f0298a

      SHA256

      e23d98ea0e60b2406ff8a3fd9f38eeca302af3c64e3a31ccd785cfbc624f59e8

      SHA512

      d5c79063c0d863ce7c0bfca3eb00d27c0b072fb2c73a7c6453e105d1eb1df672d394f3add6dac7ecabfbae0d593d76b9b638a077f39d29d26e6ac09a5a40b9da

    • C:\containerwinBroker\e8Rlw8Qp2tIZEv6MWU8.vbe

      Filesize

      211B

      MD5

      f1a9dd02c8a9a467956dcc1840a64471

      SHA1

      6547289aa1da405deda3493955d0ef4fc4932637

      SHA256

      013a7cef251cc1f5665f20aa516762582b37a13d9225e973625c68e0778f45e4

      SHA512

      397fbec54b88034093bdfe9694cae48527af71055b7dcc5bfdff2ac9a5796d5a279b90a3c45ae0db63f4724a886f1713c9415bf58ef9215efc647f91702091d2

    • \containerwinBroker\hostCrtnet.exe

      Filesize

      828KB

      MD5

      d4bae6d782c8dd872ca7f43ed837fc62

      SHA1

      6b09e88a37cee804b17d7f61d7af6d6140eba32d

      SHA256

      6087c2c5696e21141be618103de53764253007890df7f61b70be61214a1ff6e0

      SHA512

      16b3a5478332e851c2c1ffb6a77cdab723edd17de70ebff4a0a8652646bc7702b0d128068cea7b00f83163e11dd5b17b1406a87779c766c47cebf6ad4cf77930

    • memory/1672-27-0x00000000012F0000-0x00000000013C6000-memory.dmp

      Filesize

      856KB

    • memory/2584-13-0x0000000000050000-0x0000000000126000-memory.dmp

      Filesize

      856KB