Overview

overview

10

Static

static

3

GameInputSvc.exe

windows7-x64

10

GameInputSvc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-11-2024 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GameInputSvc.exe

  • Size

    1.8MB

  • MD5

    42b89874d3138f40f32285be945f2ceb

  • SHA1

    1766b4c4a040ba19afc4318e9b2eab775fee88d7

  • SHA256

    619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

  • SHA512

    df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

  • SSDEEP

    49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe
    "C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zXPx3L6jpq.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2320
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:2424
          • C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe
            "C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2872
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ShellNew\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "GameInputSvcG" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "GameInputSvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "GameInputSvcG" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2908

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Common Files\Services\csrss.exe
        Filesize

        1.8MB

        MD5

        42b89874d3138f40f32285be945f2ceb

        SHA1

        1766b4c4a040ba19afc4318e9b2eab775fee88d7

        SHA256

        619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

        SHA512

        df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\zXPx3L6jpq.bat
        Filesize

        231B

        MD5

        013e599e8c129d19c2db2b2ebd369e8d

        SHA1

        2240ad7a53434621754044528de3a8a2c81fa66a

        SHA256

        1341d78b987edd47a942a6fab71ee81974a3303715c688889d8e4c4cea98b93b

        SHA512

        08a19090931b2dab32e35c9aa1353a6e3167e4a71c2d41bba47699860d5b4d009b20a19075f72268bb11c51974064fa18e01107fab4df62914dd1e9aa5de4097

        Download Submit

      • memory/1352-11-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1352-17-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1352-4-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1352-6-0x0000000000520000-0x000000000052E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1352-8-0x00000000009F0000-0x0000000000A0C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1352-10-0x0000000000A10000-0x0000000000A28000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1352-0-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1352-3-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1352-2-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1352-24-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1352-25-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1352-1-0x0000000000FB0000-0x0000000001182000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1352-31-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1404-34-0x00000000000C0000-0x0000000000292000-memory.dmp

        Filesize

        1.8MB

        Download