Analysis
-
max time kernel
31s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
17/10/2022, 05:31
General
-
Target
1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3.exe
-
Size
4.9MB
-
MD5
37aa26e9208b0930fb1068d718d2e32e
-
SHA1
89a3c8a1f0288b0cb6797d0e17ddaa7961d65acc
-
SHA256
1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3
-
SHA512
5c2645f16f8a0ba54c31128fc5f0f8b7b5e81ce208f42798904d39fd6de08e6f1378f9665e70412f5ba6b575dd90ca90191a8cbcdbf24511337a0ecf422d7fc8
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 3 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 17 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3.exe"C:\Users\Admin\AppData\Local\Temp\1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Architecture\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Architecture\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Architecture\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Cityscape\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Cityscape\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\fr-FR\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\fr-FR\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Reports\fr-FR\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD51cec5815fc17f874c042e17094c42eba
SHA194e76434beecd751f9d4a2bda16b4e64da228a2e
SHA256492a448b083ccdf8784f41876baf5f6cdfcea8d726b1696612d61b78798f5ed7
SHA51291d9e60c8e3527f9beb6b48319ea521b1a96492dbcdc7dc268bcc110e85b4a199544b0b8ba17641b12d1c04208aa30240291e3e291324fb0d8a61600f27fd0c5
-
Filesize
7KB
MD51cec5815fc17f874c042e17094c42eba
SHA194e76434beecd751f9d4a2bda16b4e64da228a2e
SHA256492a448b083ccdf8784f41876baf5f6cdfcea8d726b1696612d61b78798f5ed7
SHA51291d9e60c8e3527f9beb6b48319ea521b1a96492dbcdc7dc268bcc110e85b4a199544b0b8ba17641b12d1c04208aa30240291e3e291324fb0d8a61600f27fd0c5
-
Filesize
7KB
MD51cec5815fc17f874c042e17094c42eba
SHA194e76434beecd751f9d4a2bda16b4e64da228a2e
SHA256492a448b083ccdf8784f41876baf5f6cdfcea8d726b1696612d61b78798f5ed7
SHA51291d9e60c8e3527f9beb6b48319ea521b1a96492dbcdc7dc268bcc110e85b4a199544b0b8ba17641b12d1c04208aa30240291e3e291324fb0d8a61600f27fd0c5
-
Filesize
7KB
MD51cec5815fc17f874c042e17094c42eba
SHA194e76434beecd751f9d4a2bda16b4e64da228a2e
SHA256492a448b083ccdf8784f41876baf5f6cdfcea8d726b1696612d61b78798f5ed7
SHA51291d9e60c8e3527f9beb6b48319ea521b1a96492dbcdc7dc268bcc110e85b4a199544b0b8ba17641b12d1c04208aa30240291e3e291324fb0d8a61600f27fd0c5
-
Filesize
7KB
MD51cec5815fc17f874c042e17094c42eba
SHA194e76434beecd751f9d4a2bda16b4e64da228a2e
SHA256492a448b083ccdf8784f41876baf5f6cdfcea8d726b1696612d61b78798f5ed7
SHA51291d9e60c8e3527f9beb6b48319ea521b1a96492dbcdc7dc268bcc110e85b4a199544b0b8ba17641b12d1c04208aa30240291e3e291324fb0d8a61600f27fd0c5
-
Filesize
7KB
MD51cec5815fc17f874c042e17094c42eba
SHA194e76434beecd751f9d4a2bda16b4e64da228a2e
SHA256492a448b083ccdf8784f41876baf5f6cdfcea8d726b1696612d61b78798f5ed7
SHA51291d9e60c8e3527f9beb6b48319ea521b1a96492dbcdc7dc268bcc110e85b4a199544b0b8ba17641b12d1c04208aa30240291e3e291324fb0d8a61600f27fd0c5
-
Filesize
7KB
MD51cec5815fc17f874c042e17094c42eba
SHA194e76434beecd751f9d4a2bda16b4e64da228a2e
SHA256492a448b083ccdf8784f41876baf5f6cdfcea8d726b1696612d61b78798f5ed7
SHA51291d9e60c8e3527f9beb6b48319ea521b1a96492dbcdc7dc268bcc110e85b4a199544b0b8ba17641b12d1c04208aa30240291e3e291324fb0d8a61600f27fd0c5
-
Filesize
7KB
MD51cec5815fc17f874c042e17094c42eba
SHA194e76434beecd751f9d4a2bda16b4e64da228a2e
SHA256492a448b083ccdf8784f41876baf5f6cdfcea8d726b1696612d61b78798f5ed7
SHA51291d9e60c8e3527f9beb6b48319ea521b1a96492dbcdc7dc268bcc110e85b4a199544b0b8ba17641b12d1c04208aa30240291e3e291324fb0d8a61600f27fd0c5
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
5.0MB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB