Analysis
-
max time kernel
31s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
29-01-2023 20:24
General
-
Target
892555689233c21dfdfc0fb10a8241b92d36dd7b2831b28331b2efb6b219fd66.exe
-
Size
382KB
-
MD5
e341dce8ea14c62cdb2c2a0082c06e6f
-
SHA1
40e13801d6e48317eac0019a5d69b5385afe4cd7
-
SHA256
892555689233c21dfdfc0fb10a8241b92d36dd7b2831b28331b2efb6b219fd66
-
SHA512
d9722cea91e6d4268b4b799c33022978eef8a70f5fb8056b13c60ca2fbe5772423141f94e7ef58095fc49eefb6e0a217a11903e7d23d0c9e8838502225d07b69
-
SSDEEP
6144:Nhg8RILt0ndjMKoeHUSI8zNqjFNa4Xn2J+TiqqDL:NZndjZVVwk5J0Xqn
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\892555689233c21dfdfc0fb10a8241b92d36dd7b2831b28331b2efb6b219fd66.exe"C:\Users\Admin\AppData\Local\Temp\892555689233c21dfdfc0fb10a8241b92d36dd7b2831b28331b2efb6b219fd66.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\smss.exe'" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exeFilesize
382KB
MD5e341dce8ea14c62cdb2c2a0082c06e6f
SHA140e13801d6e48317eac0019a5d69b5385afe4cd7
SHA256892555689233c21dfdfc0fb10a8241b92d36dd7b2831b28331b2efb6b219fd66
SHA512d9722cea91e6d4268b4b799c33022978eef8a70f5fb8056b13c60ca2fbe5772423141f94e7ef58095fc49eefb6e0a217a11903e7d23d0c9e8838502225d07b69
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exeFilesize
382KB
MD5e341dce8ea14c62cdb2c2a0082c06e6f
SHA140e13801d6e48317eac0019a5d69b5385afe4cd7
SHA256892555689233c21dfdfc0fb10a8241b92d36dd7b2831b28331b2efb6b219fd66
SHA512d9722cea91e6d4268b4b799c33022978eef8a70f5fb8056b13c60ca2fbe5772423141f94e7ef58095fc49eefb6e0a217a11903e7d23d0c9e8838502225d07b69
-
memory/560-55-0x0000000000000000-mapping.dmp
-
memory/1212-57-0x0000000000000000-mapping.dmp
-
memory/1228-54-0x0000000000120000-0x0000000000188000-memory.dmpFilesize
416KB
-
memory/1696-58-0x0000000000000000-mapping.dmp
-
memory/1696-61-0x0000000000940000-0x00000000009A8000-memory.dmpFilesize
416KB
-
memory/1916-56-0x0000000000000000-mapping.dmp