Analysis
max time kernel: 138s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
  Resource: win10v2004-20241007-en
General
Target: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
Size: 1.6MB
MD5: 844679e76d8254bedd67c98610f7d7ac
SHA1: 4222ebbb055830096b829f072783423dbe255932
SHA256: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
SHA512: fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05
SSDEEP: 24576:2ztKoZmCJ4YrujnaOBDEzKt3pJqc7BnA8js2TvgAts0qB0FjbpcKSzQy8v1:O995MUzKNac7BnbbTvgCFTYQy+
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET remote access trojan active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report the parent is the WMI provider host (WmiPrvSE.exe, PID 2736) and every child is one of the schtasks.exe invocations listed under Processes, so the likelier reading is that the sample launched schtasks.exe indirectly (for example through WMI, which WmiPrvSE.exe hosts) rather than that WmiPrvSE.exe itself was exploited; the evidence is in the child command lines, not in the parent.
Processes: schtasks.exe (18 instances)
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2736) is not expected to spawn this process:
  schtasks.exe PIDs 2760, 2740, 2748, 2616, 1660, 2172, 1396, 1468, 1868, 2880, 592, 2372, 2000, 1152, 380, 1908, 1472, 1056
Drops file in Program Files directory 5 IoCs
Processes: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe (all rows)
description                   ioc
File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\886983d96e3d3e
File created                  C:\Program Files\Uninstall Information\audiodg.exe
File opened for modification  C:\Program Files\Uninstall Information\audiodg.exe
File created                  C:\Program Files\Uninstall Information\42af1c969fbb7b
File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe
Drops file in Windows directory 4 IoCs
Processes: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe (all rows)
description   ioc
File created  C:\Windows\en-US\explorer.exe
File created  C:\Windows\en-US\7a0fd90576e088
File created  C:\Windows\AppCompat\Programs\wininit.exe
File created  C:\Windows\AppCompat\Programs\56085415360792
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (18 instances)
PIDs: 2372, 2760, 2740, 1868, 592, 1152, 380, 1908, 2748, 2616, 1468, 1396, 1472, 1056, 2000, 1660, 2172, 2880
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe (PID 2224) and 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe (PID 2420)
The 47 IoCs are repeated process enumerations by these two instances of the sample (PID 2224 first, then PID 2420).
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe (PID 2420)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe (PIDs 2224 and 2420)
description              pid   process
Token: SeDebugPrivilege  2224  9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
Token: SeDebugPrivilege  2420  9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe, cmd.exe
PID 2224 (9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe) wrote to memory of PID 2384 (cmd.exe), 3 times
PID 2384 (cmd.exe) wrote to memory of PID 1952 (chcp.com), 3 times
PID 2384 (cmd.exe) wrote to memory of PID 1592 (w32tm.exe), 3 times
PID 2384 (cmd.exe) wrote to memory of PID 2420 (9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe), 3 times
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2224

  Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FL2oLVzmVW.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2384

    Level 3: C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 1952

    Level 3: C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 1592

    Level 3: C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 2420

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2760

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2740

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2748

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2616

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1660

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2172

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1396

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1468

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1868

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2880

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\en-US\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 592

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2372

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2000

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1152

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 380

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1908

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1472

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1056
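The behaviours this report flags (schtasks.exe children of WmiPrvSE.exe, the cmd.exe batch file that runs chcp and w32tm before relaunching the sample, and tasks whose targets are csrss.exe, wininit.exe, explorer.exe and audiodg.exe copies outside their real directories) reduce to a few checks on process-creation telemetry. The following is an added example, not code from the sandbox or from DcRat. The EVENTS list is reconstructed from the process tree above (PIDs as reported; the WmiPrvSE.exe command line is a placeholder), the allow-list of legitimate directories is a simplified assumption, and the "DailyBackup" task is an invented benign control.

```python
"""Hunt for the persistence chain in this report over process-creation events
(Sysmon Event ID 1, EDR telemetry, or a sandbox process tree).
Added example, not code from the sandbox or from DcRat. EVENTS is rebuilt from
the process tree above; the 'DailyBackup' task is an invented benign control."""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"

# Where genuine copies of these binaries live (simplified allow-list, an
# assumption of this example). The same names anywhere else, such as the
# csrss.exe / wininit.exe / explorer.exe / audiodg.exe copies dropped above,
# are masquerades.
SYSTEM_BINARY_HOMES = {
    "csrss.exe":    {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "audiodg.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# /tn, /sc, /mo, /tr, /rl and their optionally double-quoted arguments.
SCHTASKS_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)


def is_masquerade(path: str) -> bool:
    """True if path names a known system binary outside its legitimate home."""
    p = PureWindowsPath(path.strip("'\""))
    homes = SYSTEM_BINARY_HOMES.get(p.name.lower())
    return homes is not None and str(p.parent).lower() not in homes


def parse_schtasks(cmdline: str) -> dict:
    """Extract the task-defining switches from a schtasks.exe command line.
    The sample wraps its /tr path in '...' inside "..."; both layers are stripped."""
    opts = {k.lower(): v.strip('"') for k, v in SCHTASKS_OPT.findall(cmdline)}
    if "tr" in opts:
        opts["tr"] = opts["tr"].strip("'")
    return opts


def analyse(events):
    """Return (pid, finding) tuples for the behaviours the report flags."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = PureWindowsPath(e["image"]).name.lower()
        parent = by_pid.get(e["ppid"])
        parent_name = PureWindowsPath(parent["image"]).name.lower() if parent else ""
        if image == "schtasks.exe":
            o = parse_schtasks(e["cmdline"])
            tn, sc, rl = o.get("tn"), o.get("sc", "").upper(), o.get("rl", "").upper()
            if parent_name == "wmiprvse.exe":
                findings.append((e["pid"], "schtasks.exe spawned by WmiPrvSE.exe"))
            if is_masquerade(o.get("tr", "")):
                findings.append((e["pid"], f"task {tn!r} runs system-binary lookalike {o['tr']}"))
            if sc == "ONLOGON" and rl == "HIGHEST":
                findings.append((e["pid"], f"task {tn!r} runs at logon with highest privileges"))
            if sc == "MINUTE" and o.get("mo", "").isdigit() and int(o["mo"]) <= 15:
                findings.append((e["pid"], f"task {tn!r} re-launches every {o['mo']} minutes"))
        elif image == "w32tm.exe" and "/stripchart" in e["cmdline"].lower() and parent_name == "cmd.exe":
            # Sampling localhost with w32tm /stripchart only burns a few seconds:
            # a sleep substitute in the relaunch batch file.
            findings.append((e["pid"], "w32tm /stripchart under cmd.exe used as a delay"))
    return findings


# Constructed from the process tree in this report (PIDs as reported; the
# WmiPrvSE.exe command line is not in the report and is a placeholder).
EVENTS = [
    {"pid": 2224, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2384, "ppid": 2224, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FL2oLVzmVW.bat"'},
    {"pid": 1952, "ppid": 2384, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 1592, "ppid": 2384, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 2420, "ppid": 2384, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2736, "ppid": 0, "image": r"C:\Windows\system32\wbem\wmiprvse.exe", "cmdline": "wmiprvse.exe"},
    {"pid": 2760, "ppid": 2736, "image": r"C:\Windows\system32\schtasks.exe", "cmdline":
     r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f'''},
    {"pid": 2740, "ppid": 2736, "image": r"C:\Windows\system32\schtasks.exe", "cmdline":
     r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f'''},
    {"pid": 1660, "ppid": 2736, "image": r"C:\Windows\system32\schtasks.exe", "cmdline":
     r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /rl HIGHEST /f'''},
    {"pid": 592, "ppid": 2736, "image": r"C:\Windows\system32\schtasks.exe", "cmdline":
     r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\en-US\explorer.exe'" /rl HIGHEST /f'''},
    # Invented benign control: an admin's backup task created from a console.
    {"pid": 4000, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 4001, "ppid": 4000, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "DailyBackup" /sc DAILY /st 03:00 /tr "C:\Tools\backup.exe"'},
]

if __name__ == "__main__":
    for pid, msg in analyse(EVENTS):
        print(pid, msg)
```

On a live host the same functions can be fed from Sysmon Event ID 1 records (ParentProcessId, Image and CommandLine), and is_masquerade applies unchanged to the dropped-file paths listed under the "Drops file" signatures: the benign control task produces no finding, while each of the four sample tasks produces three.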
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: 844679e76d8254bedd67c98610f7d7ac
SHA1: 4222ebbb055830096b829f072783423dbe255932
SHA256: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
SHA512: fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05

Filesize: 278B
MD5: 3788b169ad711a29f6f2e95ea3b7b1dd
SHA1: 1f63b6ae6830e3969d58462b193d88e052d45db4
SHA256: 2723955f4be423a2120272bcc01105058a9868f4d1cb080a92c69dbc556064b5
SHA512: 6b0d5c03c9c3b899672ce339b80d21169f08da6a83e426c9553826976c8850d73c140325724597ac73c19f2ee175ae202e3dca1c9b9f2f2b6bc541d1da33fb40