Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 02:06
Behavioral task behavioral1
- Sample: 69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
- Resource: win10v2004-20241007-en
General
- Target: 69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
- Size: 828KB
- MD5: c6b30f794dcf67851d13e3335ef57088
- SHA1: e97b575fc270d97d1e2df38291fd44dc70ff95ab
- SHA256: 69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7
- SHA512: 28dc37c57408fa9e6e3a14a99d602e6c0f937e259f21eefd016424d03d40066e6b518c9b0bcbae8039c1691ce43ba8803c568ad69df163938e4ff2235c55188b
- SSDEEP: 12288:K5jHYVjmobNqsKDsSvjbHQVtVZJizDxRxhDsGALvbI6bnY6a2Xuk:1b4sKDZUZJuR/ALvbLnY8Xuk
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here, though, all 15 flagged children are schtasks.exe with WmiPrvSE.exe (pid 2388) as parent, which is the lineage any process created through WMI (Win32_Process.Create) gets: it shows how the task-creation commands were launched, not that WmiPrvSE.exe itself was exploited.

description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2388   Process: schtasks.exe   procid_target: 30
pid (one entry per schtasks.exe instance): 2900, 1164, 1956, 2800, 2828, 2760, 2976, 2332, 2824, 2776, 2768, 2604, 2636, 1976, 2272
resource                                                                     yara_rule
behavioral1/memory/1992-1-0x0000000000F90000-0x0000000001066000-memory.dmp   dcrat
behavioral1/files/0x0006000000017409-11.dat                                  dcrat
behavioral1/memory/2912-21-0x0000000001220000-0x00000000012F6000-memory.dmp  dcrat
Executes dropped EXE 1 IoCs
pid    Process
2912   wininit.exe
Drops file in Program Files directory 3 IoCs
description                   ioc                                                     Process
File created                  C:\Program Files\Windows Sidebar\ja-JP\wininit.exe      69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
File opened for modification  C:\Program Files\Windows Sidebar\ja-JP\wininit.exe      69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
File created                  C:\Program Files\Windows Sidebar\ja-JP\56085415360792   69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
The dropped binary borrows the name of the Windows session-initialisation process; the genuine wininit.exe lives only in C:\Windows\System32, so a copy under a Program Files locale folder is a masquerade. A numerically named companion file is written next to it.
Drops file in Windows directory 6 IoCs
description   ioc                                                   Process
File created  C:\Windows\PLA\System\69ddcba757bf72                  69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
File created  C:\Windows\Migration\smss.exe                         69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
File created  C:\Windows\Migration\69ddcba757bf72                   69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
File created  C:\Windows\RemotePackages\RemoteApps\smss.exe         69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
File created  C:\Windows\RemotePackages\RemoteApps\69ddcba757bf72   69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
File created  C:\Windows\PLA\System\smss.exe                        69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
Three copies named smss.exe, each with a companion file 69ddcba757bf72, are placed under C:\Windows but outside System32, where the real Session Manager lives. The scheduled tasks in the process list also point at C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe, but no file drop to that path is recorded in this run.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe
pids: 2760, 2332, 1956, 1976, 2272, 2604, 2636, 2900, 1164, 2828, 2768, 2800, 2976, 2824, 2776
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
1992   69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
2912   wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid    Process
Token: SeDebugPrivilege   1992   69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
Token: SeDebugPrivilege   2912   wininit.exe
Suspicious use of WriteProcessMemory 9 IoCs
pid    Process                                                                  wrote to memory of   procid_target   count
1992   69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe    2364                 46              3
2364   cmd.exe                                                                  1728                 48              3
2364   cmd.exe                                                                  2912                 49              3
The three targets are exactly the child processes created in the process tree (cmd.exe, w32tm.exe and the dropped wininit.exe). A parent writing into a process it is starting is normal CreateProcess behaviour, so in this run the signature records process creation rather than injection into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The tree below uses indentation for depth (the report marked depth with 1⤵/2⤵/3⤵); each entry gives the image path, the command line as recorded, the PID and the signatures the sandbox attached to it.

C:\Users\Admin\AppData\Local\Temp\69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe
  "C:\Users\Admin\AppData\Local\Temp\69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7.exe"
  PID: 1992
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CyxGcg3L6d.bat"
      PID: 2364
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 1728
          (no signatures; two samples five seconds apart make this a roughly five-second delay, used by the batch file as a sleep before it starts the dropped copy)

        C:\Program Files\Windows Sidebar\ja-JP\wininit.exe
          "C:\Program Files\Windows Sidebar\ja-JP\wininit.exe"
          PID: 2912
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

The 15 schtasks.exe processes below are recorded at depth 1 because their parent, WmiPrvSE.exe (pid 2388), is not part of the sample's tree. Each carries the same two signatures: "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task". Every persistence target gets an ONLOGON task with /rl HIGHEST plus MINUTE-interval tasks with and without /rl HIGHEST. Because /f forces overwrite and the names smss and smsss are reused for three different paths, each later /create in the listed order replaces the earlier task of that name.

C:\Windows\system32\schtasks.exe (PID 2900)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /f
C:\Windows\system32\schtasks.exe (PID 1164)
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1956)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2800)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\smss.exe'" /f
C:\Windows\system32\schtasks.exe (PID 2828)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2760)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2976)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\System\smss.exe'" /f
C:\Windows\system32\schtasks.exe (PID 2332)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\System\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2824)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\System\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2776)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
C:\Windows\system32\schtasks.exe (PID 2768)
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2604)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2636)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\smss.exe'" /f
C:\Windows\system32\schtasks.exe (PID 1976)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Migration\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2272)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\smss.exe'" /rl HIGHEST /f
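The following Python is an added triage example, not part of the sandbox report or of DcRat. It turns the three observations above (schtasks.exe launched under WmiPrvSE.exe, task targets that borrow system-binary names outside System32, and the ONLOGON-plus-MINUTE task pattern with /rl HIGHEST) into a check that runs over process-creation events. The events are constructed from command lines copied from the report, with one made-up benign control; the function names, the list of core binary names beyond wininit.exe and smss.exe, and the event field names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events: the schtasks.exe command lines are copied
# from the report's process tree, with the parent the sandbox attributed to them
# (WmiPrvSE.exe, pid 2388). The last event is a made-up benign control.
EVENTS = [
    {"pid": 2900, "parent": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /f'''},
    {"pid": 1164, "parent": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f'''},
    {"pid": 2776, "parent": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f'''},
    {"pid": 4242, "parent": r"C:\Windows\System32\cmd.exe",  # constructed benign admin task
     "cmdline": r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'''},
]

# Core Windows binaries that only legitimately run from the system directories.
# wininit.exe and smss.exe are the names this sample borrows; the rest are assumed.
SYSTEM_BINARY_NAMES = {"wininit.exe", "smss.exe", "csrss.exe", "lsass.exe", "services.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

TOKEN = re.compile(r'"[^"]*"|\S+')  # one double-quoted argument or one bare word


def parse_schtasks_create(cmdline):
    """Return the switches of a `schtasks /create` command line as a dict,
    or None when the command line is not a /create call."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if len(toks) < 2 or toks[1].lower() != "/create":
        return None
    task = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": None, "force": False}
    i = 2
    while i < len(toks):
        sw = toks[i].lower()
        if sw == "/f":
            task["force"] = True
            i += 1
        elif sw in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            val = toks[i + 1]
            if sw == "/tr":
                # DcRat wraps the target path in single quotes inside the double quotes
                val = val.strip("'")
            task[sw[1:]] = val
            i += 2
        else:
            i += 1  # switches this example does not model (/st, /ru, ...)
    return task


def path_masquerades(path):
    """True when a file carries a core system binary's name outside System32/SysWOW64."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in LEGIT_DIRS


def assess(event):
    """Return the reasons one schtasks.exe creation event looks like DcRat persistence."""
    reasons = []
    if PureWindowsPath(event["parent"]).name.lower() == "wmiprvse.exe":
        reasons.append("parent is WmiPrvSE.exe: task created through WMI, not an interactive shell")
    task = parse_schtasks_create(event["cmdline"])
    if task is None:
        return reasons
    if (task["rl"] or "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST requests the highest available integrity level")
    if (task["sc"] or "").upper() == "MINUTE":
        reasons.append(f"re-launches every {task['mo']} minute(s)")
    if task["tr"] and path_masquerades(task["tr"]):
        reasons.append(f"target {task['tr']} masquerades as a system binary")
    if task["tr"] and task["tr"].lower().startswith(r"c:\recovery"):
        reasons.append("target lives under C:\\Recovery")
    return reasons


def triage(events):
    """Map pid -> reasons for every event; an empty list means nothing was flagged."""
    return {e["pid"]: assess(e) for e in events}


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, reasons or "clean")
```

Run against the constructed events, the three DcRat command lines each collect three reasons and the benign control collects none. In a real pipeline the parent image would come from the process-creation event (Sysmon event 1 or Windows 4688) rather than from a dictionary, and the masquerade list would be widened to whatever binaries your environment treats as System32-only.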
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 215B
  MD5: 6efc3e111bdabdc6c2fd4d696fd2458a
  SHA1: 7ba1e3c7b2265c3deb0f865c2a50e01f4ede08a5
  SHA256: 41182c86e044ae7ecc0bae97b214ba96661f473c0468852bd44c72c4c869a617
  SHA512: aea032b99602f34656511e2783e88dc5dd0482bee278f647bf670fc1dedae367873b5c25f2a8795d6e3275a1ccd2d379a0f2ce9b1a75cd901f77296bc61d713d
- Filesize: 828KB
  MD5: c6b30f794dcf67851d13e3335ef57088
  SHA1: e97b575fc270d97d1e2df38291fd44dc70ff95ab
  SHA256: 69ff8a0bc37e646c87c138131da225d134464a806fea55d265ee5813756340d7
  SHA512: 28dc37c57408fa9e6e3a14a99d602e6c0f937e259f21eefd016424d03d40066e6b518c9b0bcbae8039c1691ce43ba8803c568ad69df163938e4ff2235c55188b
  (every hash matches the submitted sample, so this dropped file is a byte-for-byte copy of the original rather than a separate payload)