Analysis
  max time kernel: 119s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 30/12/2024, 02:20
Behavioral task: behavioral1
  Sample: 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  Resource: win10v2004-20241007-en
General
  Target: 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  Size: 2.3MB
  MD5: 97177514cab51539083ef130f005bbd1
  SHA1: 49e2661ee3e8f6fd6b06334b00543590ed8fe208
  SHA256: 500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015
  SHA512: 7ce6e7255d482b7c78f759098f9744f5f0ef462a79ad061d19f8036061b807963c924665bbe66e23e26a36990b5849d527b750ab6d0e9f6010cf4d665ec3d897
  SSDEEP: 49152:2QZEVRb3qgQujSIZijBW7vrGGzt2q5je54Ng3q1qrFBZT4:2GEVRagQujSei5GpZJCmqrZT
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (30 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description (same for all 30 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid   pid_target  Process       procid_target
  3008  2080        schtasks.exe  31
  2104  2080        schtasks.exe  31
  2616  2080        schtasks.exe  31
  2756  2080        schtasks.exe  31
  2640  2080        schtasks.exe  31
  2868  2080        schtasks.exe  31
  2788  2080        schtasks.exe  31
  2800  2080        schtasks.exe  31
  2656  2080        schtasks.exe  31
  2624  2080        schtasks.exe  31
  2600  2080        schtasks.exe  31
  2500  2080        schtasks.exe  31
  2564  2080        schtasks.exe  31
  2532  2080        schtasks.exe  31
  2948  2080        schtasks.exe  31
  1308  2080        schtasks.exe  31
  1028  2080        schtasks.exe  31
  320   2080        schtasks.exe  31
  1760  2080        schtasks.exe  31
  1796  2080        schtasks.exe  31
  536   2080        schtasks.exe  31
  1856  2080        schtasks.exe  31
  332   2080        schtasks.exe  31
  1936  2080        schtasks.exe  31
  1944  2080        schtasks.exe  31
  1764  2080        schtasks.exe  31
  2476  2080        schtasks.exe  31
  2844  2080        schtasks.exe  31
  3068  2080        schtasks.exe  31
  2368  2080        schtasks.exe  31
- yara_rule matches
  resource                                                                      yara_rule
  behavioral1/memory/1384-1-0x00000000003F0000-0x0000000000642000-memory.dmp   dcrat
  behavioral1/files/0x0005000000019cba-18.dat                                   dcrat
  behavioral1/memory/2352-36-0x0000000000FA0000-0x00000000011F2000-memory.dmp  dcrat
- Executes dropped EXE (1 IoCs)
  pid   Process
  2352  WMIADAP.exe
- Drops file in Program Files directory (6 IoCs)
  description   ioc                                                          Process
  File created  C:\Program Files\Internet Explorer\cc11b995f2a76d             500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  File created  C:\Program Files (x86)\Adobe\services.exe                     500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  File created  C:\Program Files (x86)\Adobe\c5b4cb5e9653cc                   500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  File created  C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe   500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  File created  C:\Program Files\Reference Assemblies\Microsoft\75a57c1bdf437c  500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  File created  C:\Program Files\Internet Explorer\winlogon.exe               500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
- Drops file in Windows directory (4 IoCs)
  description   ioc                                Process
  File created  C:\Windows\system\audiodg.exe      500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  File created  C:\Windows\system\42af1c969fbb7b   500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  File created  C:\Windows\TAPI\taskhost.exe       500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  File created  C:\Windows\TAPI\b75386f1303e64     500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 30 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process: schtasks.exe (30 instances)
  pid: 3008, 3068, 2500, 1936, 2868, 2656, 2600, 332, 2640, 1028, 1796, 1944, 2368, 2948, 1308, 536, 1764, 2844, 2104, 2616, 2624, 1856, 2476, 2756, 2788, 2564, 2532, 320, 1760, 2800
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1384  500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  1384  500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  1384  500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  2352  WMIADAP.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1384  500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe
  Token: SeDebugPrivilege  2352  WMIADAP.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1384 wrote to memory of 2352  1384  500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe  62
  PID 1384 wrote to memory of 2352  1384  500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe  62
  PID 1384 wrote to memory of 2352  1384  500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe  62
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe (PID 1384)
  Command line: "C:\Users\Admin\AppData\Local\Temp\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe"
  Signatures: Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe (PID 2352, child of 1384)
    Command line: "C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 3008)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2104)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2616)
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2756)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\system\audiodg.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2640)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\system\audiodg.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2868)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\system\audiodg.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2788)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2800)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2656)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2624)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2600)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2500)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2564)
  Command line: schtasks.exe /create /tn "500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a8690155" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2532)
  Command line: schtasks.exe /create /tn "500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015" /sc ONLOGON /tr "'C:\Users\Default User\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2948)
  Command line: schtasks.exe /create /tn "500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a8690155" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\500a74281de1bc8e6eb4e08eb8705235f4436ccb209ecaca91fe4ad43a869015.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1308)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1028)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 320)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1760)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\spoolsv.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1796)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 536)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1856)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\taskhost.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 332)
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1936)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1944)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1764)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2476)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2844)
  Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 3068)
  Command line: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2368)
  Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task