Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 13:09

General

  • Target

    9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

  • Size

    1.6MB

  • MD5

    844679e76d8254bedd67c98610f7d7ac

  • SHA1

    4222ebbb055830096b829f072783423dbe255932

  • SHA256

    9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942

  • SHA512

    fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05

  • SSDEEP

    24576:2ztKoZmCJ4YrujnaOBDEzKt3pJqc7BnA8js2TvgAts0qB0FjbpcKSzQy8v1:O995MUzKNac7BnbbTvgCFTYQy+

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
    "C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FL2oLVzmVW.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1952
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:1592
          • C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
            "C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2748
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\en-US\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2372
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1056

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe

        Filesize

        1.6MB

        MD5

        844679e76d8254bedd67c98610f7d7ac

        SHA1

        4222ebbb055830096b829f072783423dbe255932

        SHA256

        9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942

        SHA512

        fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05

      • C:\Users\Admin\AppData\Local\Temp\FL2oLVzmVW.bat

        Filesize

        278B

        MD5

        3788b169ad711a29f6f2e95ea3b7b1dd

        SHA1

        1f63b6ae6830e3969d58462b193d88e052d45db4

        SHA256

        2723955f4be423a2120272bcc01105058a9868f4d1cb080a92c69dbc556064b5

        SHA512

        6b0d5c03c9c3b899672ce339b80d21169f08da6a83e426c9553826976c8850d73c140325724597ac73c19f2ee175ae202e3dca1c9b9f2f2b6bc541d1da33fb40

      • memory/2224-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

        Filesize

        4KB

      • memory/2224-1-0x0000000000D10000-0x0000000000EB2000-memory.dmp

        Filesize

        1.6MB

      • memory/2224-2-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

        Filesize

        9.9MB

      • memory/2224-3-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

        Filesize

        9.9MB

      • memory/2224-4-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

        Filesize

        9.9MB

      • memory/2224-7-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

        Filesize

        9.9MB

      • memory/2224-6-0x00000000003F0000-0x00000000003FE000-memory.dmp

        Filesize

        56KB

      • memory/2224-23-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

        Filesize

        9.9MB