Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 02:20

General

  • Target

    500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe

  • Size

    2.3MB

  • MD5

    97177514cab51539083ef130f005bbd1

  • SHA1

    49e2661ee3e8f6fd6b06334b00543590ed8fe208

  • SHA256

    500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015

  • SHA512

    7ce6e7255d482b7c78f759098f9744f5f0ef462a79ad061d19f8036061b807963c924665bbe66e23e26a36990b5849d527b750ab6d0e9f6010cf4d665ec3d897

  • SSDEEP

    49152:2QZEVRb3qgQujSIZijBW7vrGGzt2q5je54Ng3q1qrFBZT4:2GEVRagQujSei5GpZJCmqrZT

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
    "C:\Users\Admin\AppData\Local\Temp\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe
      "C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\system\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\system\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\system\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a8690155" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015" /sc ONLOGON /tr "'C:\Users\Default User\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a8690155" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2368

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Default\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe

          Filesize

          2.3MB

          MD5

          97177514cab51539083ef130f005bbd1

          SHA1

          49e2661ee3e8f6fd6b06334b00543590ed8fe208

          SHA256

          500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015

          SHA512

          7ce6e7255d482b7c78f759098f9744f5f0ef462a79ad061d19f8036061b807963c924665bbe66e23e26a36990b5849d527b750ab6d0e9f6010cf4d665ec3d897

        • memory/1384-6-0x0000000000180000-0x0000000000192000-memory.dmp

          Filesize

          72KB

        • memory/1384-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

          Filesize

          9.9MB

        • memory/1384-3-0x0000000000160000-0x000000000017C000-memory.dmp

          Filesize

          112KB

        • memory/1384-4-0x0000000000390000-0x00000000003A6000-memory.dmp

          Filesize

          88KB

        • memory/1384-5-0x00000000021C0000-0x0000000002216000-memory.dmp

          Filesize

          344KB

        • memory/1384-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

          Filesize

          4KB

        • memory/1384-7-0x00000000003D0000-0x00000000003DE000-memory.dmp

          Filesize

          56KB

        • memory/1384-8-0x00000000003E0000-0x00000000003E8000-memory.dmp

          Filesize

          32KB

        • memory/1384-9-0x0000000002210000-0x0000000002218000-memory.dmp

          Filesize

          32KB

        • memory/1384-1-0x00000000003F0000-0x0000000000642000-memory.dmp

          Filesize

          2.3MB

        • memory/1384-37-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

          Filesize

          9.9MB

        • memory/2352-36-0x0000000000FA0000-0x00000000011F2000-memory.dmp

          Filesize

          2.3MB