Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
27-01-2025 18:22
General
-
Target
Serversvc.exe
-
Size
827KB
-
MD5
2b1b671bc3ef38079bfc62e0383258e8
-
SHA1
1231c2d534a55d0e0923953e3d238a2052d6fad7
-
SHA256
50ba49f457fa7dad0a39dbf75d14570d5308b33b1c4141e37223dda5c731f4b9
-
SHA512
0552db872a39c27e069a6526db6046368887fc2fc42534ab63fb30ed235388cf831b52bec5234b2fb2bec50f774fe17d31a27323b702f03029233d6a1b9d5f23
-
SSDEEP
12288:YlMOe0Zu4AanEAlKOP6dE1qAmpBfcjYbg4EEgIGSXx9GI:Ye0Zu4AarrP2OCm4g41Zf
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Serversvc.exe"C:\Users\Admin\AppData\Local\Temp\Serversvc.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\dllhost.exe"C:\Users\Admin\AppData\Local\dllhost.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:/Users/Admin/AppData/Local/\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:/Users/Admin/AppData/Local/\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
827KB
MD52b1b671bc3ef38079bfc62e0383258e8
SHA11231c2d534a55d0e0923953e3d238a2052d6fad7
SHA25650ba49f457fa7dad0a39dbf75d14570d5308b33b1c4141e37223dda5c731f4b9
SHA5120552db872a39c27e069a6526db6046368887fc2fc42534ab63fb30ed235388cf831b52bec5234b2fb2bec50f774fe17d31a27323b702f03029233d6a1b9d5f23
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
856KB