Analysis

  • max time kernel
    127s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 06:30

General

  • Target

    05fc0bdf63407c4bf2aa13262366cec5.exe

  • Size

    624KB

  • MD5

    05fc0bdf63407c4bf2aa13262366cec5

  • SHA1

    3c25001232633ced8c5dbd159793f5db7b9bd3c8

  • SHA256

    7c00050f9a74c897dc0b917b07898b14150329571584ed3d7928d7c59b974c2b

  • SHA512

    9513fb1767b3f7c480c86e9958df83e30f19f0b487f7e37b844266a968dfe9b4275e4fe3c11118a5ccace381d69e928dab61a32b113095b3a2f3f83bc6a821e4

  • SSDEEP

    12288:aRZ+IoG/n9IQxW3OBsee2X+t4Rb/32N7QqcLCf8VIP9A2oxldxDZt:U2G/nvxW3Ww0t/32NCkC2o5xD7

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\05fc0bdf63407c4bf2aa13262366cec5.exe
    "C:\Users\Admin\AppData\Local\Temp\05fc0bdf63407c4bf2aa13262366cec5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\browserperfMonitor\vkP8jBMFLUV3sBPqx5nb72wkkbdxGy.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\browserperfMonitor\Djd9PDHmb.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\browserperfMonitor\portProviderRef.exe
          "C:\browserperfMonitor\portProviderRef.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2140
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XlfNLVjqje.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2856
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2864
              • C:\Users\Admin\AppData\Local\WmiPrvSE.exe
                "C:/Users/Admin/AppData/Local/\WmiPrvSE.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XlfNLVjqje.bat

      Filesize

      207B

      MD5

      e19eea5bf181167f5e9c9e2249b20e51

      SHA1

      7afeb7688764f604335b545099113fc199cf35ef

      SHA256

      4a5d0803e901679dc4502c3ebee31bff0fa92bcc6ac3ef2a688b1805bccaa68f

      SHA512

      e2e213e8d29b9349ecbd87eca9917f30ff5ca9188f43e55a256ace0903c71ea6f44903a2c5b474f05484701f71334305cdeaa88eb2d8a00c06ebfd9d02a402f5

    • C:\browserperfMonitor\Djd9PDHmb.bat

      Filesize

      43B

      MD5

      e6c63fa184d2f4c5d38e9b525bfddb81

      SHA1

      feb5e4b45154422a4e84dfcdc2279d3cb75901ff

      SHA256

      ce100b5fc38b08ad9df71883aea94f49083eb8bbec1ddc7c3a5f3c6a7514ec5b

      SHA512

      595fd643b0caaabb87fda59acd1fcd3bd953beb7b6e334e1724fd3d33fcc86d854e70d8bf080cac097eb3ddf180c95d0b9773f25aadfd66c1759adc5b2b7fe69

    • C:\browserperfMonitor\portProviderRef.exe

      Filesize

      315KB

      MD5

      0d11a32c038c7f303ad3c020717c007d

      SHA1

      fffea33c9efe66d4c343d926e30aa114e5d5967d

      SHA256

      246bbbec6cc0c1fa290496f764d38451b8f0b64d3ff08f587e0814fd49198757

      SHA512

      1afd437ee901fa934a7c425bed6a95b4b3cd303c3383e99ded4d4ef38e0e758d82febbf2030a2a7b3af131f03e1bf8d9cedf326cc221ef57e733e5c97cb24ff7

    • C:\browserperfMonitor\vkP8jBMFLUV3sBPqx5nb72wkkbdxGy.vbe

      Filesize

      201B

      MD5

      b7a2b70763db60fd1a9698cc2f1673b5

      SHA1

      233ef75d111f6b43cc8d2cd0d9e84479d04d2e2e

      SHA256

      2ed7cb88c0f405254bc9051c1fb58477bb7d046f59d94c7ec1fe7b03448751f7

      SHA512

      1c8c757064e8b1ada32149a9d2d08ecf75d3936055c5f7d4d43dd82bcbfefbb00c1f038e02e935de6713ced80e6026c9185875f4402d760842bfc804edbef74b

    • memory/2140-13-0x0000000000200000-0x0000000000256000-memory.dmp

      Filesize

      344KB

    • memory/2600-23-0x0000000000830000-0x0000000000886000-memory.dmp

      Filesize

      344KB