Overview

overview

10

Static

static

3

gamingservices.exe

windows7-x64

10

gamingservices.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gamingservices.exe

  • Size

    1.8MB

  • MD5

    7e1cbd229ae163375fc55065690e27b4

  • SHA1

    f1cecafde4f843b03f3defffcac7fd6950b582a6

  • SHA256

    4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

  • SHA512

    545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882

  • SSDEEP

    24576:7Sgle/EPZ5XpxBeonQxcYHgC+aviVZZmQ5NnL+MIWRbtHU4aClCbs8HF7Kz9jxG:7AsZWHgReoP7nyWtHPaB37S9jx

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\gamingservices.exe
    "C:\Users\Admin\AppData\Local\Temp\gamingservices.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4iFVyw2zu.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3200
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:2016
          • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
            "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsAdminFlowUIThreshold\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.SettingsAdminFlowUIThreshold\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsAdminFlowUIThreshold\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "gamingservicesg" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4148
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "gamingservices" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "gamingservicesg" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3956

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\B4iFVyw2zu.bat
        Filesize

        247B

        MD5

        2c4f22d0bfa167ce49cee6a2be889d33

        SHA1

        2849740ee768f559ed3f0a3f1ec3ba3ee891afc4

        SHA256

        276d1e3e5a8563e5b97ca3166b9c13d93abb3a88f925a4f6d62a17dd56a399cd

        SHA512

        f431b1e948e8ee3b431def5eae99dd9463ba0b041541f46faced17555bc57f7297cac48fa943feb6f08978d41af13277d4d28ac2e01bdc70ce672080e055f360

        Download Submit

      • C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe
        Filesize

        1.8MB

        MD5

        7e1cbd229ae163375fc55065690e27b4

        SHA1

        f1cecafde4f843b03f3defffcac7fd6950b582a6

        SHA256

        4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

        SHA512

        545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882

        Download Submit

      • memory/2000-4-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-14-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-0-0x00007FFCFBDB3000-0x00007FFCFBDB5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2000-6-0x00000000032B0000-0x00000000032BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2000-7-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-9-0x000000001BED0000-0x000000001BEEC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2000-10-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-11-0x000000001C150000-0x000000001C1A0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2000-13-0x000000001BEF0000-0x000000001BF08000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2000-3-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-2-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-26-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-27-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-28-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-29-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-35-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-1-0x0000000000FC0000-0x0000000001192000-memory.dmp

        Filesize

        1.8MB

        Download