Analysis
- max time kernel: 129s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 17-11-2024 04:46
Static task: static1
Behavioral task: behavioral1
  Sample: $RH9VZ2N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: $RH9VZ2N.exe
  Resource: win10v2004-20241007-en
General
- Target: $RH9VZ2N.exe
- Size: 1.8MB
- MD5: 42b89874d3138f40f32285be945f2ceb
- SHA1: 1766b4c4a040ba19afc4318e9b2eab775fee88d7
- SHA256: 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
- SHA512: df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
- SSDEEP: 49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (18 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  All 18 entries share the same description, parent and target: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2872, Process schtasks.exe, procid_target 30.
  pid of the spawned schtasks.exe, in report order: 2828, 3008, 2836, 2664, 2712, 2720, 2752, 1152, 2268, 2488, 436, 1960, 2400, 2936, 2368, 348, 2064, 1452
- Executes dropped EXE (1 IoC)
  pid | Process
  2428 | dllhost.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
- Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\sppsvc.exe | $RH9VZ2N.exe
  File created | C:\Program Files\Windows Journal\lsass.exe | $RH9VZ2N.exe
  File created | C:\Program Files\Windows Journal\6203df4a6bafc7 | $RH9VZ2N.exe
  File created | C:\Program Files\Microsoft Office\Office14\explorer.exe | $RH9VZ2N.exe
  File created | C:\Program Files\Microsoft Office\Office14\7a0fd90576e088 | $RH9VZ2N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
- Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process schtasks.exe, pids: 3008, 2752, 1152, 436, 2836, 2488, 2064, 2828, 2712, 2720, 2936, 2368, 348, 2664, 2268, 1960, 2400, 1452
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  2748 | $RH9VZ2N.exe | 52
  2428 | dllhost.exe | 12
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2428 | dllhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2748 | $RH9VZ2N.exe
  Token: SeDebugPrivilege | 2428 | dllhost.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each row below appears three times in the report)
  description | pid | Process | procid_target
  PID 2748 wrote to memory of 2380 | 2748 | $RH9VZ2N.exe | 49
  PID 2380 wrote to memory of 636 | 2380 | cmd.exe | 51
  PID 2380 wrote to memory of 3060 | 2380 | cmd.exe | 52
  PID 2380 wrote to memory of 2428 | 2380 | cmd.exe | 53
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth, signatures listed under each process)

C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe (PID 2748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (PID 2380)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dcwLLrydpZ.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com (PID 636)
      Command line: chcp 65001

    C:\Windows\system32\w32tm.exe (PID 3060)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

    C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe (PID 2428)
      Command line: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

The following 18 schtasks.exe processes appear at the top level of the tree (their parent is wmiprvse.exe, see the "Process spawned unexpected child process" signature). Each carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".

C:\Windows\system32\schtasks.exe (PID 2828)
  Command line: schtasks.exe /create /tn "$RH9VZ2N$" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\$RH9VZ2N.exe'" /f

C:\Windows\system32\schtasks.exe (PID 3008)
  Command line: schtasks.exe /create /tn "$RH9VZ2N" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\$RH9VZ2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 2836)
  Command line: schtasks.exe /create /tn "$RH9VZ2N$" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\$RH9VZ2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 2664)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\explorer.exe'" /f

C:\Windows\system32\schtasks.exe (PID 2712)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 2720)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 2752)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\lsass.exe'" /f

C:\Windows\system32\schtasks.exe (PID 1152)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 2268)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 2488)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe (PID 436)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 1960)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 2400)
  Command line: schtasks.exe /create /tn "$RH9VZ2N$" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\$RH9VZ2N.exe'" /f

C:\Windows\system32\schtasks.exe (PID 2936)
  Command line: schtasks.exe /create /tn "$RH9VZ2N" /sc ONLOGON /tr "'C:\Users\Admin\$RH9VZ2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 2368)
  Command line: schtasks.exe /create /tn "$RH9VZ2N$" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\$RH9VZ2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 348)
  Command line: schtasks.exe /create /tn "$RH9VZ2N$" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe'" /f

C:\Windows\system32\schtasks.exe (PID 2064)
  Command line: schtasks.exe /create /tn "$RH9VZ2N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe (PID 1452)
  Command line: schtasks.exe /create /tn "$RH9VZ2N$" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 1.8MB (the submitted sample; MD5, SHA1, SHA256 and SHA512 identical to the General section above)
- Filesize 250B
  MD5: 4eb75ebb4709574af921f078032c0d6a
  SHA1: ec72a9913bca9ab5ccfba3d03943abdcbd903e37
  SHA256: 00e250efa519aea2316201e97059a3948551e1ee7c62d0628184fe7b3c3a81a2
  SHA512: 486f7b99e3b22195d82c83f0e5be8120392dbae492d7ee6cd742002455ff83b01d77ff0ee3020c0394abc3c5a540a6a8df763b8eaf690c49b57735d2ee4789e5