Analysis
-
max time kernel
7s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
25-01-2023 13:00
General
-
Target
file.exe
-
Size
1.2MB
-
MD5
3e821d4b4af33a23f64c69db57770955
-
SHA1
019742e345c39bd10f6c9bc4c1af4c2e94a5fca0
-
SHA256
5ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04
-
SHA512
6e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160
-
SSDEEP
24576:U2G/nvxW3Ww0teLTGJTb/Ka2FVx0Q5eRvuiNLzrejv:UbA30yTGF/KvVd5eTNS7
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 7 IoCs
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 14 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\BridgeWin\kBRJ5zb6pFGWil.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\BridgeWin\containerRuntime.exe"C:\BridgeWin\containerRuntime.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\containerRuntime.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\lsass.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\smss.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\containerRuntime.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\containerRuntime.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'5⤵
-
C:\BridgeWin\smss.exe"C:\BridgeWin\smss.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\BridgeWin\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\BridgeWin\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\BridgeWin\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 6 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\containerRuntime.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\containerRuntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\containerRuntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\containerRuntime.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\containerRuntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\containerRuntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\BridgeWin\containerRuntime.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
C:\BridgeWin\containerRuntime.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
C:\BridgeWin\kBRJ5zb6pFGWil.batFilesize
35B
MD5064d44ddf49217a25ad5ec14b334e0f8
SHA1092f4a63df14672e90e8001a9bb6000315fb29d6
SHA256a1962a0cd9c290da9a9d7bb34828fae854a8994127fcbe219e4d6a7b499274c4
SHA512342448a993e8f8713918fe64c15f1c117ee1dd5e80de3ea78a026802895733b5024169ea9daf2eaf102005b27a6b48772b6122d28875d686d305cfd412c17acb
-
C:\BridgeWin\smss.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
C:\BridgeWin\smss.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbeFilesize
200B
MD5c33c80ec8b8c3cdef3f528ea621be889
SHA110b010cc2b37daf6fd01031c4d2af8d684cc6953
SHA256a2492c835a66b1e833bfebfa669e8366d66ae7ac9b6aedf35adf5c24b2bd6fdc
SHA512d947f93f0f86d1c02b791c932febe41b2c0e58cc3842ca361d006ad79cffff3b0313be31eaaaa8610216ae936b1a24e680d97e0ad7da0ccf28f6804e63a156af
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55696348491a371c35bc47ad4e12ae1c5
SHA1d7df902f9bdbb5f6df6cecbe5f08959b4e7d8b9f
SHA256f5e6ff827630a4eca858af144f6f989ba09952cc1ee8a5b1ee09b92335de8125
SHA51249a08a47abb30c372c14dabff5903d3f6e1c813b4812726722254b78f459ee9059fd8d4e420ffd0d417c076cc5ff031a261651ee13c87b6d98a4fcfafce97325
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55696348491a371c35bc47ad4e12ae1c5
SHA1d7df902f9bdbb5f6df6cecbe5f08959b4e7d8b9f
SHA256f5e6ff827630a4eca858af144f6f989ba09952cc1ee8a5b1ee09b92335de8125
SHA51249a08a47abb30c372c14dabff5903d3f6e1c813b4812726722254b78f459ee9059fd8d4e420ffd0d417c076cc5ff031a261651ee13c87b6d98a4fcfafce97325
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55696348491a371c35bc47ad4e12ae1c5
SHA1d7df902f9bdbb5f6df6cecbe5f08959b4e7d8b9f
SHA256f5e6ff827630a4eca858af144f6f989ba09952cc1ee8a5b1ee09b92335de8125
SHA51249a08a47abb30c372c14dabff5903d3f6e1c813b4812726722254b78f459ee9059fd8d4e420ffd0d417c076cc5ff031a261651ee13c87b6d98a4fcfafce97325
-
\BridgeWin\containerRuntime.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
\BridgeWin\containerRuntime.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
memory/388-73-0x0000000000000000-mapping.dmp
-
memory/468-59-0x0000000000000000-mapping.dmp
-
memory/824-112-0x00000000028E4000-0x00000000028E7000-memory.dmpFilesize
12KB
-
memory/824-100-0x00000000028E4000-0x00000000028E7000-memory.dmpFilesize
12KB
-
memory/824-105-0x000000001B6F0000-0x000000001B9EF000-memory.dmpFilesize
3.0MB
-
memory/824-102-0x000007FEEB090000-0x000007FEEBBED000-memory.dmpFilesize
11.4MB
-
memory/824-72-0x0000000000000000-mapping.dmp
-
memory/824-94-0x000007FEEBBF0000-0x000007FEEC613000-memory.dmpFilesize
10.1MB
-
memory/824-110-0x00000000028E4000-0x00000000028E7000-memory.dmpFilesize
12KB
-
memory/824-111-0x00000000028EB000-0x000000000290A000-memory.dmpFilesize
124KB
-
memory/824-115-0x00000000028EB000-0x000000000290A000-memory.dmpFilesize
124KB
-
memory/944-55-0x0000000000000000-mapping.dmp
-
memory/1156-116-0x000000000265B000-0x000000000267A000-memory.dmpFilesize
124KB
-
memory/1156-69-0x0000000000000000-mapping.dmp
-
memory/1156-117-0x0000000002654000-0x0000000002657000-memory.dmpFilesize
12KB
-
memory/1156-113-0x000000000265B000-0x000000000267A000-memory.dmpFilesize
124KB
-
memory/1156-106-0x000000001B700000-0x000000001B9FF000-memory.dmpFilesize
3.0MB
-
memory/1156-108-0x0000000002654000-0x0000000002657000-memory.dmpFilesize
12KB
-
memory/1156-92-0x000007FEEBBF0000-0x000007FEEC613000-memory.dmpFilesize
10.1MB
-
memory/1156-98-0x0000000002654000-0x0000000002657000-memory.dmpFilesize
12KB
-
memory/1156-96-0x000007FEEB090000-0x000007FEEBBED000-memory.dmpFilesize
11.4MB
-
memory/1180-74-0x0000000000000000-mapping.dmp
-
memory/1508-88-0x0000000001120000-0x0000000001210000-memory.dmpFilesize
960KB
-
memory/1508-78-0x0000000000000000-mapping.dmp
-
memory/1552-70-0x0000000000000000-mapping.dmp
-
memory/1588-109-0x00000000027F4000-0x00000000027F7000-memory.dmpFilesize
12KB
-
memory/1588-76-0x0000000000000000-mapping.dmp
-
memory/1588-101-0x000007FEEB090000-0x000007FEEBBED000-memory.dmpFilesize
11.4MB
-
memory/1588-99-0x00000000027F4000-0x00000000027F7000-memory.dmpFilesize
12KB
-
memory/1588-119-0x00000000027F4000-0x00000000027F7000-memory.dmpFilesize
12KB
-
memory/1588-118-0x00000000027FB000-0x000000000281A000-memory.dmpFilesize
124KB
-
memory/1588-114-0x00000000027FB000-0x000000000281A000-memory.dmpFilesize
124KB
-
memory/1588-104-0x000000001B730000-0x000000001BA2F000-memory.dmpFilesize
3.0MB
-
memory/1588-93-0x000007FEEBBF0000-0x000007FEEC613000-memory.dmpFilesize
10.1MB
-
memory/1724-75-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmpFilesize
8KB
-
memory/1724-95-0x000007FEEB090000-0x000007FEEBBED000-memory.dmpFilesize
11.4MB
-
memory/1724-103-0x000000001B7B0000-0x000000001BAAF000-memory.dmpFilesize
3.0MB
-
memory/1724-68-0x0000000000000000-mapping.dmp
-
memory/1724-80-0x000007FEEBBF0000-0x000007FEEC613000-memory.dmpFilesize
10.1MB
-
memory/1724-107-0x0000000002330000-0x00000000023B0000-memory.dmpFilesize
512KB
-
memory/1724-97-0x0000000002330000-0x00000000023B0000-memory.dmpFilesize
512KB
-
memory/1872-67-0x0000000000350000-0x000000000035C000-memory.dmpFilesize
48KB
-
memory/1872-66-0x0000000000340000-0x000000000034C000-memory.dmpFilesize
48KB
-
memory/1872-65-0x0000000000B80000-0x0000000000C70000-memory.dmpFilesize
960KB
-
memory/1872-63-0x0000000000000000-mapping.dmp
-
memory/1992-71-0x0000000000000000-mapping.dmp
-
memory/2024-54-0x00000000759F1000-0x00000000759F3000-memory.dmpFilesize
8KB