Analysis
max time kernel: 54s
max time network: 42s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 16:16
Behavioral task: behavioral1
Sample: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Resource: win10v2004-20241007-en
General
Target: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Size: 827KB
MD5: 8dd4d6bc11e00b92762a60413bff8ccb
SHA1: b7e060163ea51cabb60aa11bbd1ec5cfb856a933
SHA256: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707
SHA512: 6bb31fbe4e5d8f13b4f243257b5f1fdb21de2526deba4081d1de1e43f0d3b37a21bc00390db6ecce19456d34db9bde01af5867e74433648c85482d3ef7c50a97
SSDEEP: 24576:8mkzClvITluS4gHdPvqh0utgaHDS+6nf/Z:8/aIT2gtzYgajSf
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2768 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2468 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3060 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 624 | 2240 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 832 | 2240 | schtasks.exe | 30
resource | yara_rule
behavioral1/memory/1832-1-0x00000000010E0000-0x00000000011B6000-memory.dmp | dcrat
behavioral1/files/0x000500000001941a-11.dat | dcrat
behavioral1/memory/2056-21-0x00000000009C0000-0x0000000000A96000-memory.dmp | dcrat
Executes dropped EXE (1 IoCs)
pid | Process
2056 | sppsvc.exe
Drops file in Windows directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\Help\mui\0410\6cb0b6c459d5d3 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\taskhost.exe | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\b75386f1303e64 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
File created | C:\Windows\en-US\dwm.exe | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
File created | C:\Windows\en-US\6cb0b6c459d5d3 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
File created | C:\Windows\Help\mui\0410\dwm.exe | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\taskhost.exe | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
File created | C:\Windows\security\audit\WmiPrvSE.exe | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
File created | C:\Windows\security\audit\24dbde2999530e | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2768 | schtasks.exe
2872 | schtasks.exe
2684 | schtasks.exe
2796 | schtasks.exe
832 | schtasks.exe
2636 | schtasks.exe
2776 | schtasks.exe
2756 | schtasks.exe
2660 | schtasks.exe
2652 | schtasks.exe
2792 | schtasks.exe
3060 | schtasks.exe
2468 | schtasks.exe
2944 | schtasks.exe
624 | schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
pid | Process
2056 | sppsvc.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
2056 | sppsvc.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Token: SeDebugPrivilege | 2056 | sppsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1832 wrote to memory of 1108 | 1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe | 46
PID 1832 wrote to memory of 1108 | 1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe | 46
PID 1832 wrote to memory of 1108 | 1832 | 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe | 46
PID 1108 wrote to memory of 1212 | 1108 | cmd.exe | 48
PID 1108 wrote to memory of 1212 | 1108 | cmd.exe | 48
PID 1108 wrote to memory of 1212 | 1108 | cmd.exe | 48
PID 1108 wrote to memory of 2056 | 1108 | cmd.exe | 49
PID 1108 wrote to memory of 2056 | 1108 | cmd.exe | 49
PID 1108 wrote to memory of 2056 | 1108 | cmd.exe | 49
PID 1108 wrote to memory of 2056 | 1108 | cmd.exe | 49
PID 1108 wrote to memory of 2056 | 1108 | cmd.exe | 49
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe"
    PID: 1832
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uDBdOCHS8U.bat"
        PID: 1108
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 1212
        [3] C:\Users\All Users\sppsvc.exe
            Command line: "C:\Users\All Users\sppsvc.exe"
            PID: 2056
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\taskhost.exe'" /f
    PID: 2768
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\taskhost.exe'" /rl HIGHEST /f
    PID: 2776
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\taskhost.exe'" /rl HIGHEST /f
    PID: 2872
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /f
    PID: 2756
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 2468
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 2660
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\dwm.exe'" /f
    PID: 2944
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
    PID: 2652
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
    PID: 2792
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\sppsvc.exe'" /f
    PID: 2636
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
    PID: 2684
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
    PID: 2796
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0410\dwm.exe'" /f
    PID: 3060
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Help\mui\0410\dwm.exe'" /rl HIGHEST /f
    PID: 624
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\mui\0410\dwm.exe'" /rl HIGHEST /f
    PID: 832
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 194B
MD5: 646c315aeebb309cacfc666015b0e568
SHA1: 07b4bf43f6e635b71fbae10f5213dc4e26e7e6e5
SHA256: 840794c373f11653c609ae93f447b510e0ce55a7316475f1040e04f2a5299ec0
SHA512: fff14ee5eb8f140ef2a82f652ede4d4f0525a33d9c368e15ff39b1b1e1abdb69d033126ac5953975079bf572b57d2e4ea5c91f8256e862ad72b27cae6a33f6e4

Filesize: 827KB
MD5: 8dd4d6bc11e00b92762a60413bff8ccb
SHA1: b7e060163ea51cabb60aa11bbd1ec5cfb856a933
SHA256: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707
SHA512: 6bb31fbe4e5d8f13b4f243257b5f1fdb21de2526deba4081d1de1e43f0d3b37a21bc00390db6ecce19456d34db9bde01af5867e74433648c85482d3ef7c50a97