Analysis
-
max time kernel
93s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
26-01-2023 23:51
General
-
Target
00009e23a8bcbb7323c15448165dc6cc.exe
-
Size
2.3MB
-
MD5
00009e23a8bcbb7323c15448165dc6cc
-
SHA1
2b5050619a50c63d487ed07651be88d1a8ab92d6
-
SHA256
bceca4720a9dfb62bf4f5130f9443e6fe40f24fb440df17a51b29340575805c0
-
SHA512
e5f88177c022f80bef16a225679211484f8b12a6f7fdf41c9b94a7a6604578ab413d8a9020231bb55f54a4233c912a7d10837207fce69ce157f4da8717878a41
-
SSDEEP
49152:oEAW6oV1uWgMzCAKcNqGAonnXvjGt8YxKIh3i2L:LADWgmNqGAKKBli
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Drops file in Program Files directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe"C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2LbMAw3De.bat"2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5aadbcd4682e4e568a2b891e5a9d57808
SHA1432ce9a93dc149f1e4b67df2e6af06aa0646f038
SHA256846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2
SHA512e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80
-
Filesize
7KB
MD5aadbcd4682e4e568a2b891e5a9d57808
SHA1432ce9a93dc149f1e4b67df2e6af06aa0646f038
SHA256846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2
SHA512e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80
-
Filesize
7KB
MD5aadbcd4682e4e568a2b891e5a9d57808
SHA1432ce9a93dc149f1e4b67df2e6af06aa0646f038
SHA256846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2
SHA512e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80
-
Filesize
7KB
MD5aadbcd4682e4e568a2b891e5a9d57808
SHA1432ce9a93dc149f1e4b67df2e6af06aa0646f038
SHA256846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2
SHA512e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80
-
Filesize
7KB
MD5aadbcd4682e4e568a2b891e5a9d57808
SHA1432ce9a93dc149f1e4b67df2e6af06aa0646f038
SHA256846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2
SHA512e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80
-
Filesize
2.3MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
344KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
12KB
-
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
12KB
-
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
12KB
-
-
Filesize
8KB
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
12KB
-
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
124KB
-
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
3.0MB
-
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
10.1MB
-
Filesize
12KB
-
-
Filesize
124KB