Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 16:27
Behavioral task: behavioral1
Sample: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Resource: win10v2004-20241007-en
General
Target: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Size: 827KB
MD5: 8dd4d6bc11e00b92762a60413bff8ccb
SHA1: b7e060163ea51cabb60aa11bbd1ec5cfb856a933
SHA256: 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707
SHA512: 6bb31fbe4e5d8f13b4f243257b5f1fdb21de2526deba4081d1de1e43f0d3b37a21bc00390db6ecce19456d34db9bde01af5867e74433648c85482d3ef7c50a97
SSDEEP: 24576:8mkzClvITluS4gHdPvqh0utgaHDS+6nf/Z:8/aIT2gtzYgajSf
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (all 12 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid / pid_target / Process / procid_target:
- 3040 / 2416 / schtasks.exe / 30
- 1168 / 2416 / schtasks.exe / 30
- 1208 / 2416 / schtasks.exe / 30
- 2816 / 2416 / schtasks.exe / 30
- 2872 / 2416 / schtasks.exe / 30
- 2960 / 2416 / schtasks.exe / 30
- 2892 / 2416 / schtasks.exe / 30
- 2192 / 2416 / schtasks.exe / 30
- 2876 / 2416 / schtasks.exe / 30
- 2828 / 2416 / schtasks.exe / 30
- 2776 / 2416 / schtasks.exe / 30
- 2664 / 2416 / schtasks.exe / 30

YARA matches
resource / yara_rule:
- behavioral1/memory/2232-1-0x0000000000350000-0x0000000000426000-memory.dmp / dcrat
- behavioral1/files/0x000600000001930d-11.dat / dcrat
- behavioral1/memory/2400-17-0x00000000002B0000-0x0000000000386000-memory.dmp / dcrat

Executes dropped EXE (1 IoCs)
pid / Process:
- 2400 / csrss.exe

Drops file in Program Files directory (7 IoCs)
Process (all 7 rows): 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
description / ioc:
- File created / C:\Program Files\DVD Maker\Shared\wininit.exe
- File opened for modification / C:\Program Files\DVD Maker\Shared\wininit.exe
- File created / C:\Program Files\DVD Maker\Shared\56085415360792
- File created / C:\Program Files\Uninstall Information\services.exe
- File created / C:\Program Files\Uninstall Information\c5b4cb5e9653cc
- File created / C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe
- File created / C:\Program Files (x86)\Windows Photo Viewer\en-US\886983d96e3d3e

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 2828 / schtasks.exe
- 2776 / schtasks.exe
- 3040 / schtasks.exe
- 2816 / schtasks.exe
- 2872 / schtasks.exe
- 2960 / schtasks.exe
- 2892 / schtasks.exe
- 1168 / schtasks.exe
- 1208 / schtasks.exe
- 2192 / schtasks.exe
- 2876 / schtasks.exe
- 2664 / schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 2232 / 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
- 2400 / csrss.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 2232 / 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
- Token: SeDebugPrivilege / 2400 / csrss.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / Process / procid_target:
- PID 2232 wrote to memory of 2400 / 2232 / 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe / 43
- PID 2232 wrote to memory of 2400 / 2232 / 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe / 43
- PID 2232 wrote to memory of 2400 / 2232 / 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe / 43

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Indentation shows process depth in the tree.)

C:\Users\Admin\AppData\Local\Temp\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe"
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2232

    C:\Users\Default User\csrss.exe
    Command line: "C:\Users\Default User\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2400

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3040

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1168

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1208

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2816

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2872

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2960

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2892

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2192

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2876

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2828

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2776

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2664
Network
MITRE ATT&CK Enterprise v15