Analysis
- max time kernel: 127s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 22-07-2024 06:30
Behavioral task behavioral1
- Sample: 05fc0bdf63407c4bf2aa13262366cec5.exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: 05fc0bdf63407c4bf2aa13262366cec5.exe
- Resource: win10v2004-20240709-en
The signatures, PIDs and process tree below are from behavioral1, the Windows 7 x64 run (the memory dump paths are prefixed behavioral1/).
General
- Target: 05fc0bdf63407c4bf2aa13262366cec5.exe
- Size: 624KB
- MD5: 05fc0bdf63407c4bf2aa13262366cec5
- SHA1: 3c25001232633ced8c5dbd159793f5db7b9bd3c8
- SHA256: 7c00050f9a74c897dc0b917b07898b14150329571584ed3d7928d7c59b974c2b
- SHA512: 9513fb1767b3f7c480c86e9958df83e30f19f0b487f7e37b844266a968dfe9b4275e4fe3c11118a5ccace381d69e928dab61a32b113095b3a2f3f83bc6a821e4
- SSDEEP: 12288:aRZ+IoG/n9IQxW3OBsee2X+t4Rb/32N7QqcLCf8VIP9A2oxldxDZt:U2G/nvxW3Ww0t/32NCkC2o5xD7
Malware Config
Signatures
- DcRat
  DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: portProviderRef.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""
  Winlogon runs every comma-separated entry in Shell, so explorer.exe still starts normally and the dropped WmiPrvSE.exe is launched alongside it at each interactive logon. This is the HKLM value, so it applies to every user of the machine and writing it requires administrative rights.
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2664) is not expected to spawn schtasks.exe (PID 2680)
  Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2664) is not expected to spawn schtasks.exe (PID 2776)
  Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2664) is not expected to spawn schtasks.exe (PID 2928)
  PID 2664 is the genuine WMI provider host under System32\wbem, not the dropped file of the same name in AppData\Local. A child of wmiprvse.exe is created through WMI (Win32_Process.Create), so the three schtasks commands were issued over WMI rather than spawned directly by the RAT process; that is why they appear as parentless top-level entries in the process tree below, and the generic "exploit or macro" explanation of this signature does not apply here.
- YARA matches (resource / yara_rule)
  C:\browserperfMonitor\portProviderRef.exe: dcrat
  behavioral1/memory/2140-13-0x0000000000200000-0x0000000000256000-memory.dmp: dcrat
  behavioral1/memory/2600-23-0x0000000000830000-0x0000000000886000-memory.dmp: dcrat
  Both in-memory matches cover a 0x56000-byte region (PID 2140 portProviderRef.exe and PID 2600 WmiPrvSE.exe), consistent with the same DcRat binary running from both locations.
- Executes dropped EXE (2 IoCs)
  PID 2140 portProviderRef.exe
  PID 2600 WmiPrvSE.exe
- Loads dropped DLL (2 IoCs)
  PID 3064 cmd.exe (2 loads)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: portProviderRef.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""
  The same path is registered under both the current user's Run key (HKCU) and the machine-wide Run key (HKLM), on top of the Winlogon Shell entry and the scheduled tasks; removing a single autostart entry does not clean the host.
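Added example (not part of the sandbox report): Python triage of the Winlogon Shell and Run key writes listed above. The input is constructed from this page's IoCs in a simplified Sysmon Event ID 13 (RegistryEvent SetValue) layout, plus one constructed benign entry as a negative case. The field names, the list of masqueraded system binaries and the user-writable prefixes are assumptions, not the sandbox's own. It also shows why the Shell value works: Winlogon treats it as a comma-separated list, so the sample appends itself after explorer.exe rather than replacing it.

```python
"""Triage of registry autostart writes (Winlogon Shell and Run keys).

Added example, not part of the sandbox report. Events are constructed from this
page's IoCs in a simplified Sysmon Event ID 13 layout; the fourth is a benign control.
"""
import re
from typing import Dict, List

# Constructed sample input (field names are an assumption, not Sysmon's exact schema).
SAMPLE_REGISTRY_EVENTS = [
    {"process": "portProviderRef.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": 'explorer.exe, "C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe"'},
    {"process": "portProviderRef.exe",
     "key": r"HKU\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE",
     "value": '"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe"'},
    {"process": "portProviderRef.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE",
     "value": '"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe"'},
    {"process": "msiexec.exe",  # constructed benign entry so the logic has a negative case
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]

# Assumed lists: names malware borrows from Windows, and roots a standard user can write to.
SYSTEM_BINARY_NAMES = {"wmiprvse.exe", "svchost.exe", "explorer.exe", "csrss.exe",
                       "lsass.exe", "dllhost.exe", "conhost.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def normalize_path(raw: str) -> str:
    """Canonicalise the mixed-separator path the sample writes
    (forward slashes plus a stray backslash) so prefix checks are reliable."""
    path = raw.strip().strip('"').replace("/", "\\")
    return re.sub(r"\\{2,}", lambda _m: "\\", path)


def split_autorun_value(value: str) -> List[str]:
    """Split a Shell or Run value into its executables. Winlogon treats Shell as a
    comma-separated list and starts every entry, which is why the sample can append
    itself after explorer.exe instead of replacing it."""
    entries = []
    for quoted, bare in re.findall(r'"([^"]*)"|([^,"]+)', value):
        item = (quoted or bare).strip()
        if item:
            entries.append(normalize_path(item))
    return entries


def triage_registry_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an autostart write is suspicious (empty list if none)."""
    reasons = set()
    key = event["key"].lower()
    entries = split_autorun_value(event["value"])
    # The stock Shell value is exactly "explorer.exe"; anything else is a modification.
    if key.endswith("\\winlogon\\shell") and entries != ["explorer.exe"]:
        reasons.add("winlogon_shell_modified")
    for path in entries:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        # A bare name (no directory) resolves from the system path; only a full
        # path outside C:\Windows counts as a masquerade.
        if name in SYSTEM_BINARY_NAMES and "\\" in low and not low.startswith("c:\\windows\\"):
            reasons.add("system_binary_name_outside_windows")
        if low.startswith(USER_WRITABLE_PREFIXES):
            reasons.add("autorun_from_user_writable_path")
    return sorted(reasons)


def triage_all(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the check over a batch of events and keep only the flagged ones."""
    flagged = []
    for event in events:
        reasons = triage_registry_event(event)
        if reasons:
            flagged.append({"process": event["process"], "key": event["key"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_all(SAMPLE_REGISTRY_EVENTS):
        print(hit["process"], hit["key"], ", ".join(hit["reasons"]))
```

On the three events from this page the checks fire together (Shell modified, a Windows binary name running from AppData, autorun from a user-writable path); the constructed SecurityHealth entry is left alone because it is a non-masqueraded path under C:\Windows.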
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2680 schtasks.exe
  PID 2776 schtasks.exe
  PID 2928 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2140 portProviderRef.exe (1)
  PID 2600 WmiPrvSE.exe (9)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2600 WmiPrvSE.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2140 portProviderRef.exe
  Token: SeDebugPrivilege, PID 2600 WmiPrvSE.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2496 05fc0bdf63407c4bf2aa13262366cec5.exe wrote to memory of PID 2340 WScript.exe (4 writes)
  PID 2340 WScript.exe wrote to memory of PID 3064 cmd.exe (4 writes)
  PID 3064 cmd.exe wrote to memory of PID 2140 portProviderRef.exe (4 writes)
  PID 2140 portProviderRef.exe wrote to memory of PID 2856 cmd.exe (3 writes)
  PID 2856 cmd.exe wrote to memory of PID 2864 w32tm.exe (3 writes)
  PID 2856 cmd.exe wrote to memory of PID 2600 WmiPrvSE.exe (3 writes)
  Every write goes from a parent into the child it has just created and follows the execution chain exactly, which is how ordinary process creation looks to this signature; there is no write into an unrelated process that would point to injection.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\05fc0bdf63407c4bf2aa13262366cec5.exe (PID 2496)
   Command line: "C:\Users\Admin\AppData\Local\Temp\05fc0bdf63407c4bf2aa13262366cec5.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 2340)
      Command line: "C:\Windows\System32\WScript.exe" "C:\browserperfMonitor\vkP8jBMFLUV3sBPqx5nb72wkkbdxGy.vbe"
      - Suspicious use of WriteProcessMemory
      The image path is SysWOW64 although the command line names System32: the 32-bit sample is subject to file system redirection, so the 32-bit script host runs the dropped .vbe.
      3. C:\Windows\SysWOW64\cmd.exe (PID 3064)
         Command line: cmd /c ""C:\browserperfMonitor\Djd9PDHmb.bat" "
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\browserperfMonitor\portProviderRef.exe (PID 2140)
            Command line: "C:\browserperfMonitor\portProviderRef.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\cmd.exe (PID 2856)
               Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XlfNLVjqje.bat"
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\w32tm.exe (PID 2864)
                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  Two samples five seconds apart against localhost: a batch-file stand-in for a short sleep before the payload is started, not a time-synchronisation attempt.
               6. C:\Users\Admin\AppData\Local\WmiPrvSE.exe (PID 2600)
                  Command line: "C:/Users/Admin/AppData/Local/\WmiPrvSE.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
                  Named after the WMI provider host but running from %LOCALAPPDATA%; the legitimate binary lives in C:\Windows\System32\wbem.

The three schtasks.exe instances have no parent in this tree because they were started by the WMI provider host (PID 2664); see "Process spawned unexpected child process" above.
1. C:\Windows\system32\schtasks.exe (PID 2680)
   Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe (PID 2776)
   Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe (PID 2928)
   Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task
Because /f overwrites an existing task of the same name, the second "WmiPrvSEW" task (every 6 minutes, /rl HIGHEST) replaces the first (every 14 minutes). The host is left with two tasks, WmiPrvSE at logon and WmiPrvSEW every 6 minutes, both requesting the highest run level and both pointing at the copy in AppData\Local.
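Added example (not the sandbox's code): Python triage of the process tree above, covering the "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task" signatures together. The events are constructed from the PIDs, image paths and command lines on this page in a simplified Sysmon Event ID 1 (ProcessCreate) layout; wmiprvse.exe's own parent is not on the page, so it is recorded as unknown. The parent/child denylist, the interval threshold and the field names are assumptions.

```python
"""Triage of the process tree: WMI-spawned schtasks.exe and what each task installs.

Added example, not part of the sandbox report. Events are constructed from this
page's PIDs, images and command lines in a simplified Sysmon Event ID 1 layout.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_PROCESS_EVENTS = [
    # Genuine WMI provider host; its own parent is not on the page, so None.
    {"pid": 2664, "parent_pid": None, "image": r"C:\Windows\system32\wbem\wmiprvse.exe", "cmdline": "wmiprvse.exe"},
    {"pid": 2856, "parent_pid": 2140, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XlfNLVjqje.bat"'},
    {"pid": 2864, "parent_pid": 2856, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 2600, "parent_pid": 2856, "image": r"C:\Users\Admin\AppData\Local\WmiPrvSE.exe",
     "cmdline": '"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe"'},
    {"pid": 2680, "parent_pid": 2664, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn \"WmiPrvSEW\" /sc MINUTE /mo 14 /tr \"'C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe'\" /f"},
    {"pid": 2776, "parent_pid": 2664, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn \"WmiPrvSE\" /sc ONLOGON /tr \"'C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe'\" /rl HIGHEST /f"},
    {"pid": 2928, "parent_pid": 2664, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn \"WmiPrvSEW\" /sc MINUTE /mo 6 /tr \"'C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe'\" /rl HIGHEST /f"},
]

# Assumed denylist. A child of the WMI provider host was created through WMI
# (Win32_Process.Create), not by an interactive user; a scheduler or shell under
# it is the classic sign of a script or implant driving WMI.
SUSPICIOUS_PARENT_CHILD = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"},
}
VALUE_OPTIONS = {"/tn": "name", "/sc": "schedule", "/mo": "modifier", "/tr": "action",
                 "/rl": "run_level", "/ru": "run_as"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize_path(raw: str) -> str:
    """Canonicalise the sample's mixed-separator path (C:/.../\\WmiPrvSE.exe)."""
    return re.sub(r"\\{2,}", lambda _m: "\\", raw.strip().strip("\"'").replace("/", "\\"))


def unexpected_children(events: List[Dict]) -> List[Tuple[int, str, int, str]]:
    """(parent_pid, parent_name, child_pid, child_name) for every denylisted pair."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["parent_pid"])
        if parent is None:
            continue
        pname, cname = image_name(parent["image"]), image_name(e["image"])
        if cname in SUSPICIOUS_PARENT_CHILD.get(pname, ()):
            hits.append((parent["pid"], pname, e["pid"], cname))
    return hits


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, object]]:
    """Decode a 'schtasks /create' command line; None for anything else."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(tokens) < 2 or image_name(tokens[0]) != "schtasks.exe" or tokens[1].lower() != "/create":
        return None
    task = {"name": None, "schedule": None, "modifier": None, "action": None,
            "run_level": None, "run_as": None, "force": False}
    i = 2
    while i < len(tokens):
        opt = tokens[i].lower()
        if opt in VALUE_OPTIONS and i + 1 < len(tokens):
            task[VALUE_OPTIONS[opt]] = tokens[i + 1]
            i += 2
            continue
        if opt == "/f":  # /f silently replaces an existing task of the same name
            task["force"] = True
        i += 1
    if task["action"]:
        task["action"] = normalize_path(task["action"])
    if task["schedule"]:
        task["schedule"] = task["schedule"].upper()
    if isinstance(task["modifier"], str) and task["modifier"].isdigit():
        task["modifier"] = int(task["modifier"])
    return task


def assess_task(task: Dict[str, object]) -> List[str]:
    """Why an installed task deserves attention (thresholds are assumptions)."""
    reasons = []
    if str(task["action"] or "").lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("action_in_user_writable_path")
    if str(task["run_level"] or "").upper() == "HIGHEST":
        reasons.append("requests_highest_run_level")
    if task["schedule"] == "ONLOGON":
        reasons.append("runs_at_logon")
    if task["schedule"] == "MINUTE" and isinstance(task["modifier"], int) and task["modifier"] <= 15:
        reasons.append("relaunches_every_%d_minutes" % task["modifier"])  # watchdog-style re-execution
    if task["force"]:
        reasons.append("overwrites_existing_task")
    return reasons


def triage(events: List[Dict]) -> Dict[str, object]:
    """Combine both checks: WMI-driven children plus decoded scheduled tasks."""
    tasks = []
    for e in events:
        task = parse_schtasks_create(e["cmdline"])
        if task is not None:
            tasks.append({"pid": e["pid"], "task": task, "reasons": assess_task(task)})
    return {"unexpected_children": unexpected_children(events), "tasks": tasks}


if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_EVENTS)
    for ppid, pname, cpid, cname in result["unexpected_children"]:
        print(f"{pname} ({ppid}) spawned {cname} ({cpid})")
    for t in result["tasks"]:
        print(t["pid"], t["task"]["name"], t["task"]["schedule"], t["task"]["modifier"], ", ".join(t["reasons"]))
```

The parent lookup is by PID within one capture, so on a real host the same logic must also key on process creation time (Sysmon's ProcessGuid) to avoid matching a recycled PID; the command-line tokenizer keeps double-quoted arguments intact, which is what lets the single-quoted /tr path survive.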
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Downloads
- Filesize: 207B
  MD5: e19eea5bf181167f5e9c9e2249b20e51
  SHA1: 7afeb7688764f604335b545099113fc199cf35ef
  SHA256: 4a5d0803e901679dc4502c3ebee31bff0fa92bcc6ac3ef2a688b1805bccaa68f
  SHA512: e2e213e8d29b9349ecbd87eca9917f30ff5ca9188f43e55a256ace0903c71ea6f44903a2c5b474f05484701f71334305cdeaa88eb2d8a00c06ebfd9d02a402f5
- Filesize: 43B
  MD5: e6c63fa184d2f4c5d38e9b525bfddb81
  SHA1: feb5e4b45154422a4e84dfcdc2279d3cb75901ff
  SHA256: ce100b5fc38b08ad9df71883aea94f49083eb8bbec1ddc7c3a5f3c6a7514ec5b
  SHA512: 595fd643b0caaabb87fda59acd1fcd3bd953beb7b6e334e1724fd3d33fcc86d854e70d8bf080cac097eb3ddf180c95d0b9773f25aadfd66c1759adc5b2b7fe69
- Filesize: 315KB
  MD5: 0d11a32c038c7f303ad3c020717c007d
  SHA1: fffea33c9efe66d4c343d926e30aa114e5d5967d
  SHA256: 246bbbec6cc0c1fa290496f764d38451b8f0b64d3ff08f587e0814fd49198757
  SHA512: 1afd437ee901fa934a7c425bed6a95b4b3cd303c3383e99ded4d4ef38e0e758d82febbf2030a2a7b3af131f03e1bf8d9cedf326cc221ef57e733e5c97cb24ff7
- Filesize: 201B
  MD5: b7a2b70763db60fd1a9698cc2f1673b5
  SHA1: 233ef75d111f6b43cc8d2cd0d9e84479d04d2e2e
  SHA256: 2ed7cb88c0f405254bc9051c1fb58477bb7d046f59d94c7ec1fe7b03448751f7
  SHA512: 1c8c757064e8b1ada32149a9d2d08ecf75d3936055c5f7d4d43dd82bcbfefbb00c1f038e02e935de6713ced80e6026c9185875f4402d760842bfc804edbef74b