Analysis
max time kernel: 138s
max time network: 146s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 17-07-2024 15:46
Behavioral task behavioral1
Sample: 13DA266DA3CB746AA680DB5C41148524.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: 13DA266DA3CB746AA680DB5C41148524.exe
Resource: win10v2004-20240709-en
General
Target: 13DA266DA3CB746AA680DB5C41148524.exe
Size: 1.1MB
MD5: 13da266da3cb746aa680db5c41148524
SHA1: 1d56737f102966336681e40ae281e4d83b400de6
SHA256: 9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796
SHA512: c7d738df05173767ace1af0c0660b275589808687024ab3670a32c9546b982dbd8addfa0f34764712b9a640c7748d29ac3d4446583535c5747cf358624554dd5
SSDEEP: 24576:U2G/nvxW3Ww0t1rRGRMtRqFtFVc/pJGn4czXV:UbA301rRb+ip12l
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2576 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 2576 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 2576 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 752 | 2576 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1456 | 2576 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1168 | 2576 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 724 | 2576 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2576 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 2576 | schtasks.exe |
Processes:
resource | yara_rule
\containerwinBroker\hostCrtnet.exe | dcrat
behavioral1/memory/2584-13-0x0000000000050000-0x0000000000126000-memory.dmp | dcrat
behavioral1/memory/1672-27-0x00000000012F0000-0x00000000013C6000-memory.dmp | dcrat
Executes dropped EXE 2 IoCs
Processes:
pid | process
2584 | hostCrtnet.exe
1672 | smss.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
2672 | cmd.exe
2672 | cmd.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe | hostCrtnet.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\5940a34987c991 | hostCrtnet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2368 | schtasks.exe
3020 | schtasks.exe
2984 | schtasks.exe
2600 | schtasks.exe
752 | schtasks.exe
1456 | schtasks.exe
1168 | schtasks.exe
724 | schtasks.exe
2868 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
2584 | hostCrtnet.exe
1672 | smss.exe
1672 | smss.exe
1672 | smss.exe
1672 | smss.exe
1672 | smss.exe
1672 | smss.exe
1672 | smss.exe
1672 | smss.exe
1672 | smss.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1672 | smss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2584 | hostCrtnet.exe
Token: SeDebugPrivilege | 1672 | smss.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 3068 wrote to memory of 2836 | 3068 | 13DA266DA3CB746AA680DB5C41148524.exe | WScript.exe
PID 3068 wrote to memory of 2836 | 3068 | 13DA266DA3CB746AA680DB5C41148524.exe | WScript.exe
PID 3068 wrote to memory of 2836 | 3068 | 13DA266DA3CB746AA680DB5C41148524.exe | WScript.exe
PID 3068 wrote to memory of 2836 | 3068 | 13DA266DA3CB746AA680DB5C41148524.exe | WScript.exe
PID 2836 wrote to memory of 2672 | 2836 | WScript.exe | cmd.exe
PID 2836 wrote to memory of 2672 | 2836 | WScript.exe | cmd.exe
PID 2836 wrote to memory of 2672 | 2836 | WScript.exe | cmd.exe
PID 2836 wrote to memory of 2672 | 2836 | WScript.exe | cmd.exe
PID 2672 wrote to memory of 2584 | 2672 | cmd.exe | hostCrtnet.exe
PID 2672 wrote to memory of 2584 | 2672 | cmd.exe | hostCrtnet.exe
PID 2672 wrote to memory of 2584 | 2672 | cmd.exe | hostCrtnet.exe
PID 2672 wrote to memory of 2584 | 2672 | cmd.exe | hostCrtnet.exe
PID 2584 wrote to memory of 2104 | 2584 | hostCrtnet.exe | cmd.exe
PID 2584 wrote to memory of 2104 | 2584 | hostCrtnet.exe | cmd.exe
PID 2584 wrote to memory of 2104 | 2584 | hostCrtnet.exe | cmd.exe
PID 2104 wrote to memory of 1544 | 2104 | cmd.exe | w32tm.exe
PID 2104 wrote to memory of 1544 | 2104 | cmd.exe | w32tm.exe
PID 2104 wrote to memory of 1544 | 2104 | cmd.exe | w32tm.exe
PID 2104 wrote to memory of 1672 | 2104 | cmd.exe | smss.exe
PID 2104 wrote to memory of 1672 | 2104 | cmd.exe | smss.exe
PID 2104 wrote to memory of 1672 | 2104 | cmd.exe | smss.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\13DA266DA3CB746AA680DB5C41148524.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13DA266DA3CB746AA680DB5C41148524.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3068

Depth 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\containerwinBroker\e8Rlw8Qp2tIZEv6MWU8.vbe"
  - Suspicious use of WriteProcessMemory
  PID: 2836

Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\containerwinBroker\bc42ZgAN7HZpE65W.bat" "
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2672

Depth 4: C:\containerwinBroker\hostCrtnet.exe
  Command line: "C:\containerwinBroker\hostCrtnet.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2584

Depth 5: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c5ZP5GVEbN.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2104

Depth 6: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1544

Depth 6: C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe
  Command line: "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 1672

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2600

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2368

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 752

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1456

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1168

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 724

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2868

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3020
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 222B
MD5: 050dbb3b0e911545e3da59530f348e25
SHA1: 92ae652ffb51537a808d05dd951dce9c33d93b1d
SHA256: 1ca0f00b9e858593dea1e2b6ea750f1775b822c67420d9de9b27f72eb915b441
SHA512: 8c1813199de3178eb0a5a158be0be280131c8c81f48e017ff0aa11d0b625660a5f8a7e4e5dac95c4aa47c60ace890cfbce564cbc9bde2e6e9b2aee624ea9098d

Filesize: 38B
MD5: 196b374439b47033484388410d253f0a
SHA1: de7a5511926ea62f37cad9a69fc8e294b1f0298a
SHA256: e23d98ea0e60b2406ff8a3fd9f38eeca302af3c64e3a31ccd785cfbc624f59e8
SHA512: d5c79063c0d863ce7c0bfca3eb00d27c0b072fb2c73a7c6453e105d1eb1df672d394f3add6dac7ecabfbae0d593d76b9b638a077f39d29d26e6ac09a5a40b9da

Filesize: 211B
MD5: f1a9dd02c8a9a467956dcc1840a64471
SHA1: 6547289aa1da405deda3493955d0ef4fc4932637
SHA256: 013a7cef251cc1f5665f20aa516762582b37a13d9225e973625c68e0778f45e4
SHA512: 397fbec54b88034093bdfe9694cae48527af71055b7dcc5bfdff2ac9a5796d5a279b90a3c45ae0db63f4724a886f1713c9415bf58ef9215efc647f91702091d2

Filesize: 828KB
MD5: d4bae6d782c8dd872ca7f43ed837fc62
SHA1: 6b09e88a37cee804b17d7f61d7af6d6140eba32d
SHA256: 6087c2c5696e21141be618103de53764253007890df7f61b70be61214a1ff6e0
SHA512: 16b3a5478332e851c2c1ffb6a77cdab723edd17de70ebff4a0a8652646bc7702b0d128068cea7b00f83163e11dd5b17b1406a87779c766c47cebf6ad4cf77930