Analysis
max time kernel: 50s
max time network: 155s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 18/01/2025, 04:55
Behavioral task
behavioral1
Sample
c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
Resource
win10v2004-20241007-en
General
Target: c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
Size: 737KB
MD5: 05f1f2214c8b7b660817c4849fdf5537
SHA1: 6af7aeb3078376bff17f06cd4c53993b31a48475
SHA256: c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5
SHA512: 58f46b2840f2165d4b51cbb1d39146929587c7d95de9711e0dec11a9c44b446429a7a49bd0c68473e97cb0880f9fb80b0466c75ffccfa848b655af91689eec23
SSDEEP: 12288:y+Tn9t4LxmlM9Itv2/JJMA+UpW3Ari4VVyZC0+1cqwNZ6:y+TnQmxv2BJMA+U3iE0nqY6
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description / pid / pid_target / Process / procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 3028 schtasks.exe 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 3028 schtasks.exe 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 3028 schtasks.exe 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 3028 schtasks.exe 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 3028 schtasks.exe 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2776 3028 schtasks.exe 30
DCRat payload 3 IoCs
resource / yara_rule
behavioral1/memory/1552-1-0x0000000000A10000-0x0000000000ACE000-memory.dmp family_dcrat_v2
behavioral1/files/0x0008000000016ce9-22.dat family_dcrat_v2
behavioral1/memory/2092-24-0x0000000000EF0000-0x0000000000FAE000-memory.dmp family_dcrat_v2
Executes dropped EXE 1 IoCs
pid Process 2092 wininit.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2600 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2600 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
2172 schtasks.exe
2776 schtasks.exe
2904 schtasks.exe
2912 schtasks.exe
2896 schtasks.exe
2916 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
2092 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / Process
Token: SeDebugPrivilege 1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
Token: SeDebugPrivilege 2092 wininit.exe
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / Process / procid_target
PID 1552 wrote to memory of 2288 1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe 37
PID 1552 wrote to memory of 2288 1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe 37
PID 1552 wrote to memory of 2288 1552 c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe 37
PID 2288 wrote to memory of 2168 2288 cmd.exe 39
PID 2288 wrote to memory of 2168 2288 cmd.exe 39
PID 2288 wrote to memory of 2168 2288 cmd.exe 39
PID 2288 wrote to memory of 2600 2288 cmd.exe 40
PID 2288 wrote to memory of 2600 2288 cmd.exe 40
PID 2288 wrote to memory of 2600 2288 cmd.exe 40
PID 2288 wrote to memory of 2092 2288 cmd.exe 41
PID 2288 wrote to memory of 2092 2288 cmd.exe 41
PID 2288 wrote to memory of 2092 2288 cmd.exe 41
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1552
  [depth 2] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CHbNzddoi6.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2288
    [depth 3] C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 2168
    [depth 3] C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2600
    [depth 3] C:\Users\Admin\AppData\Local\MsWebView2\wininit.exe
      command line: "C:\Users\Admin\AppData\Local\MsWebView2\wininit.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2092
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\MsWebView2\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2904
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\MsWebView2\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2912
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\MsWebView2\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2896
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5c" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2172
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2916
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5c" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2776
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize: 737KB
MD5: 05f1f2214c8b7b660817c4849fdf5537
SHA1: 6af7aeb3078376bff17f06cd4c53993b31a48475
SHA256: c4abef44de234ff0d02add4b4a79084c2e1362944059a7207e621432e395b9a5
SHA512: 58f46b2840f2165d4b51cbb1d39146929587c7d95de9711e0dec11a9c44b446429a7a49bd0c68473e97cb0880f9fb80b0466c75ffccfa848b655af91689eec23
-
Filesize: 179B
MD5: f6f7b2f3dcd24dcf5c93f5a2c3a92dbf
SHA1: 43ba17cbf438a5b57b64ecfabd8ffc907ba6b541
SHA256: 3ea6060e1d0dea923e25d4ad7d2e2118e460057be5c4a04736d9a2fd09f410c9
SHA512: 0f5885e94a8a59c61eae4a94e55800c42c3e1341d3b48836cac7cba497ceed5382f235445c55d03eb8729aee8a7d95e8aa4c6993af8eca0105c8e0ad85b0d265