Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2024 03:02
Static task: static1
Behavioral task: behavioral1
  Sample: 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
  Resource: win10v2004-20241007-en
General
Target: 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
Size: 1.1MB
MD5: 1c40d9e61fbbd5d9054638b98b10e1cf
SHA1: 145119e649cabc6c60200643b3cc347fc4b164cc
SHA256: 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af
SHA512: 970eade0dce9dfaf5acdaf88721e55071fc48c4570c9a9b78c875d81fba54b047aed93412e331466a461662e065020f189b1dc1ec324b9394dd531ab2e3b3cf1
SSDEEP: 24576:TE9h8YY4mB7WnMSTdTvX+5pdKj30HZQHEGP:TeGYDmBcBpvEpdKj3W/i
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (8 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | Process | procid_target):
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2740 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2264 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 564 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1824 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1756 | 2784 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1864 | 2784 | schtasks.exe | 34
Resources matching yara rule (resource | yara_rule):
behavioral1/files/0x0007000000012117-19.dat | dcrat
behavioral1/memory/2516-41-0x0000000001370000-0x0000000001406000-memory.dmp | dcrat
behavioral1/memory/828-72-0x0000000000230000-0x00000000002C6000-memory.dmp | dcrat
Executes dropped EXE (3 IoCs)
Processes (pid | Process):
2516 | savesbrokerDriverSavesbroker.exe
2296 | FPS Booster 2.0.7.exe
828 | dllhost.exe
Loads dropped DLL (5 IoCs)
Processes (pid | Process):
2156 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
2156 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
2156 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
2296 | FPS Booster 2.0.7.exe
2296 | FPS Booster 2.0.7.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes (description | ioc | Process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\xolehlp\\dllhost.exe\"" | savesbrokerDriverSavesbroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Start Menu\\csrss.exe\"" | savesbrokerDriverSavesbroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Application Data\\csrss.exe\"" | savesbrokerDriverSavesbroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\efscore\\csrss.exe\"" | savesbrokerDriverSavesbroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Libraries\\sppsvc.exe\"" | savesbrokerDriverSavesbroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\fdPHost\\WmiPrvSE.exe\"" | savesbrokerDriverSavesbroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WerFault = "\"C:\\Users\\Default User\\WerFault.exe\"" | savesbrokerDriverSavesbroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\mshtmled\\dllhost.exe\"" | savesbrokerDriverSavesbroker.exe
Drops file in System32 directory (9 IoCs)
Processes (description | ioc | Process):
File opened for modification | C:\Windows\System32\mshtmled\dllhost.exe | savesbrokerDriverSavesbroker.exe
File created | C:\Windows\System32\xolehlp\dllhost.exe | savesbrokerDriverSavesbroker.exe
File created | C:\Windows\System32\xolehlp\5940a34987c99120d96dace90a3f93f329dcad63 | savesbrokerDriverSavesbroker.exe
File created | C:\Windows\System32\wbem\fdPHost\WmiPrvSE.exe | savesbrokerDriverSavesbroker.exe
File created | C:\Windows\System32\wbem\fdPHost\24dbde2999530ef5fd907494bc374d663924116c | savesbrokerDriverSavesbroker.exe
File created | C:\Windows\System32\mshtmled\dllhost.exe | savesbrokerDriverSavesbroker.exe
File created | C:\Windows\System32\efscore\csrss.exe | savesbrokerDriverSavesbroker.exe
File created | C:\Windows\System32\efscore\886983d96e3d3e31032c679b2d4ea91b6c05afef | savesbrokerDriverSavesbroker.exe
File created | C:\Windows\System32\mshtmled\5940a34987c99120d96dace90a3f93f329dcad63 | savesbrokerDriverSavesbroker.exe
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | Process | procid_target):
PID 2380 set thread context of 2156 | 2380 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe | 30
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes (pid | pid_target | Process | procid_target):
3036 | 2380 | WerFault.exe | 29
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | Process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FPS Booster 2.0.7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 8 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | Process):
2264 | schtasks.exe
1632 | schtasks.exe
564 | schtasks.exe
1824 | schtasks.exe
1756 | schtasks.exe
1864 | schtasks.exe
2612 | schtasks.exe
2740 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid | Process):
2516 | savesbrokerDriverSavesbroker.exe (5 occurrences)
828 | dllhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | Process):
2296 | FPS Booster 2.0.7.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | Process):
Token: SeDebugPrivilege | 2380 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe
Token: SeDebugPrivilege | 2516 | savesbrokerDriverSavesbroker.exe
Token: SeDebugPrivilege | 828 | dllhost.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (description | pid | Process | procid_target), identical rows collapsed with their count:
PID 2380 wrote to memory of 2156 | 2380 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe | 30 (10 occurrences)
PID 2380 wrote to memory of 3036 | 2380 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe | 31 (4 occurrences)
PID 2156 wrote to memory of 2516 | 2156 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe | 32 (4 occurrences)
PID 2156 wrote to memory of 2296 | 2156 | 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe | 33 (4 occurrences)
PID 2516 wrote to memory of 828 | 2516 | savesbrokerDriverSavesbroker.exe | 43 (3 occurrences)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree; each entry lists the image path, PID, command line and matched signatures)

C:\Users\Admin\AppData\Local\Temp\854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe (PID 2380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe (PID 2156)
    Command line: "C:\Users\Admin\AppData\Local\Temp\854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe (PID 2516)
      Command line: "C:\Users\Admin\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\mshtmled\dllhost.exe (PID 828)
        Command line: "C:\Windows\System32\mshtmled\dllhost.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\FPS Booster 2.0.7.exe (PID 2296)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FPS Booster 2.0.7.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam

  C:\Windows\SysWOW64\WerFault.exe (PID 3036)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 616
    - Program crash

C:\Windows\system32\schtasks.exe (PID 2612)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\mshtmled\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2740)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\xolehlp\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2264)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1632)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 564)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\efscore\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1824)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1756)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\fdPHost\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1864)
  Command line: schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Users\Default User\WerFault.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads