Overview

overview

10

Static

static

3

gamingservices.exe

windows7-x64

10

gamingservices.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gamingservices.exe

  • Size

    1.8MB

  • MD5

    7e1cbd229ae163375fc55065690e27b4

  • SHA1

    f1cecafde4f843b03f3defffcac7fd6950b582a6

  • SHA256

    4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

  • SHA512

    545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882

  • SSDEEP

    24576:7Sgle/EPZ5XpxBeonQxcYHgC+aviVZZmQ5NnL+MIWRbtHU4aClCbs8HF7Kz9jxG:7AsZWHgReoP7nyWtHPaB37S9jx

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\gamingservices.exe
    "C:\Users\Admin\AppData\Local\Temp\gamingservices.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2hPvxNmRGn.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1204
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:1320
          • C:\Program Files\Uninstall Information\csrss.exe
            "C:\Program Files\Uninstall Information\csrss.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2884
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\en-US\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2840
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2828
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2284
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2108
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1860
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "gamingservicesg" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "gamingservices" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "gamingservicesg" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1928

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2hPvxNmRGn.bat
        Filesize

        224B

        MD5

        68900517305e20ea258104f0ebddf03b

        SHA1

        e3eaea85e58f4d00ea13dd9f6b973d9b127ea485

        SHA256

        7791a6410dd11a591de762378856d07834762131b2fa638e28e4695d25e6d3d5

        SHA512

        ec9c4290dbcbe931a706705f45c891b751e5ab30d0e6113067323c82d408b4a552ce331ec6db324f9307a48bf123148052718f53a617d396e1c92aef38244d1f

        Download Submit

      • C:\Windows\en-US\smss.exe
        Filesize

        1.8MB

        MD5

        7e1cbd229ae163375fc55065690e27b4

        SHA1

        f1cecafde4f843b03f3defffcac7fd6950b582a6

        SHA256

        4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

        SHA512

        545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882

        Download Submit

      • memory/2860-8-0x0000000000560000-0x000000000057C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2860-3-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2860-4-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2860-6-0x0000000000280000-0x000000000028E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2860-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2860-9-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2860-12-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2860-11-0x0000000000580000-0x0000000000598000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2860-14-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2860-2-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2860-1-0x0000000001070000-0x0000000001242000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2860-29-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2884-33-0x0000000000340000-0x0000000000512000-memory.dmp

        Filesize

        1.8MB

        Download