Analysis
-
max time kernel
122s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
23-03-2023 23:06
General
-
Target
1ebda5cfb762d7884f46792cb1d12adb.exe
-
Size
8.0MB
-
MD5
1ebda5cfb762d7884f46792cb1d12adb
-
SHA1
22f9c3c64dd3d13c2453a1872e3ad59491f6d101
-
SHA256
bec2656a4413d2cb9d64f99d3b72472989197434a637ed136858ed782b293a50
-
SHA512
ec700ceb9af2b0eea226d3f1f0b2ed46dfe60a0364f4b676f524db4d2a542db1eb961d466c59bb0e3a2fcbfc9521d8d354ac607c528b90ebd1787edd0126437a
-
SSDEEP
196608:0PbgMfpayqnxbAQ5owejuJDUX47dwdW0vnFwBTYPERR+:KzYyoxCaUX47d4XnwZQ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ebda5cfb762d7884f46792cb1d12adb.exe"C:\Users\Admin\AppData\Local\Temp\1ebda5cfb762d7884f46792cb1d12adb.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1ebda5cfb762d7884f46792cb1d12adb.exe"C:\Users\Admin\AppData\Local\Temp\1ebda5cfb762d7884f46792cb1d12adb.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c echo %temp%3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\INST.exeC:\Users\Admin\AppData\Local\Temp\INST.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\mshyperSurrogatewebdll\r29x1UikXJ.vbe"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\mshyperSurrogatewebdll\ExpQO8XM2UsA8U.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\mshyperSurrogatewebdll\containercomponentcrt.exe"C:\mshyperSurrogatewebdll\containercomponentcrt.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YnO59MeEL3.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
C:\mshyperSurrogatewebdll\sppsvc.exe"C:\mshyperSurrogatewebdll\sppsvc.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\mshyperSurrogatewebdll\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\mshyperSurrogatewebdll\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\mshyperSurrogatewebdll\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\Saved Pictures\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\Saved Pictures\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\mshyperSurrogatewebdll\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\mshyperSurrogatewebdll\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\mshyperSurrogatewebdll\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\INST.exeFilesize
1.1MB
MD5647ee4600c15dba14d7a7215eb0530e9
SHA18b694f3b61311fd1a9619a37eff1d5818d6f2b33
SHA25620ed06ddbb4bcb44ab39de5dd74d277c02594eda6e19f3e5e8b693652e4bf621
SHA5126378049eacbf0a9a25194e92eb033e5944324abf7fd5cc1afc7b71b17af40df23e0756df86ed660c3a8ce160a398a101d35bbf323551f5dae5f646288c5b5986
-
C:\Users\Admin\AppData\Local\Temp\INST.exeFilesize
1.1MB
MD5647ee4600c15dba14d7a7215eb0530e9
SHA18b694f3b61311fd1a9619a37eff1d5818d6f2b33
SHA25620ed06ddbb4bcb44ab39de5dd74d277c02594eda6e19f3e5e8b693652e4bf621
SHA5126378049eacbf0a9a25194e92eb033e5944324abf7fd5cc1afc7b71b17af40df23e0756df86ed660c3a8ce160a398a101d35bbf323551f5dae5f646288c5b5986
-
C:\Users\Admin\AppData\Local\Temp\YnO59MeEL3.batFilesize
201B
MD5b3b4ef13fba10aa852be7ad3e9134fd9
SHA1712e5ab8882300b5e523c006a06622dfbac80fd4
SHA2562bd5c6ebb4768ec6ef058c9a1723dd458fbe869c7ae15cdbcd7a1f7d8c03f31d
SHA512947286c70768fbd4e0e6b9c94f374d147f4c0f538a04f4e4b6875e56768d34f83774df42cdd5cf8511e80e4188d3a8851f3e7ef22b920e417dbbb7191e713e41
-
C:\Users\Admin\AppData\Local\Temp\_MEI45442\VCRUNTIME140.dllFilesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
C:\Users\Admin\AppData\Local\Temp\_MEI45442\VCRUNTIME140.dllFilesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
C:\Users\Admin\AppData\Local\Temp\_MEI45442\base_library.zipFilesize
1.7MB
MD5948430bbba768d83a37fc725d7d31fbb
SHA1e00d912fe85156f61fd8cd109d840d2d69b9629b
SHA25665ebc074b147d65841a467a49f30a5f2f54659a0cc5dc31411467263a37c02df
SHA512aad73403964228ed690ce3c5383e672b76690f776d4ff38792544c67e6d7b54eb56dd6653f4a89f7954752dae78ca35f738e000ffff07fdfb8ef2af708643186
-
C:\Users\Admin\AppData\Local\Temp\_MEI45442\python311.dllFilesize
5.5MB
MD51fe47c83669491bf38a949253d7d960f
SHA1de5cc181c0e26cbcb31309fe00d9f2f5264d2b25
SHA2560a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae
SHA51205cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4
-
C:\Users\Admin\AppData\Local\Temp\_MEI45442\python311.dllFilesize
5.5MB
MD51fe47c83669491bf38a949253d7d960f
SHA1de5cc181c0e26cbcb31309fe00d9f2f5264d2b25
SHA2560a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae
SHA51205cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4
-
C:\Users\Admin\AppData\Local\Temp\_MEI45442\ucrtbase.dllFilesize
993KB
MD59679f79d724bcdbd3338824ffe8b00c7
SHA15ded91cc6e3346f689d079594cf3a9bf1200bd61
SHA256962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36
SHA51274ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd
-
C:\Users\Admin\AppData\Local\Temp\_MEI45442\ucrtbase.dllFilesize
993KB
MD59679f79d724bcdbd3338824ffe8b00c7
SHA15ded91cc6e3346f689d079594cf3a9bf1200bd61
SHA256962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36
SHA51274ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd
-
C:\mshyperSurrogatewebdll\ExpQO8XM2UsA8U.batFilesize
53B
MD528da2fe7d9e6e148f4bd076437674da0
SHA1bfa422e68f83b704f45e6ac9d347e54a3987d1af
SHA2561375428ee07dd79dfd1075b1fb9af0426095b52fb6ea34531d6eee58ed4455b8
SHA51210285de9c1006c470b1eb9f56bf0ea5ace31a07e1c4a2e5e0fe611eacfb74014cc6917e6855456a5a4916e04d75d012cb6a888696d78c1a1b5d9a4d7f3f129b5
-
C:\mshyperSurrogatewebdll\containercomponentcrt.exeFilesize
828KB
MD553dee3a4b4231beb405a8bdbea635aeb
SHA18ad1eba33de9a663de6e3e6244420735a06ef69d
SHA2567956af9a9f6c06a01251031eaa07ec95e2ca8f84bb2f8d07968a03c784fb1a35
SHA5122e92dd691572da551645d071140250686471b79e5bc94c3042a8eef70069cdf1358f22430c9b2de523230f933ff7a9ec4ce04df80c28a464feb3f7dc21e7be0e
-
C:\mshyperSurrogatewebdll\containercomponentcrt.exeFilesize
828KB
MD553dee3a4b4231beb405a8bdbea635aeb
SHA18ad1eba33de9a663de6e3e6244420735a06ef69d
SHA2567956af9a9f6c06a01251031eaa07ec95e2ca8f84bb2f8d07968a03c784fb1a35
SHA5122e92dd691572da551645d071140250686471b79e5bc94c3042a8eef70069cdf1358f22430c9b2de523230f933ff7a9ec4ce04df80c28a464feb3f7dc21e7be0e
-
C:\mshyperSurrogatewebdll\dwm.exeFilesize
828KB
MD553dee3a4b4231beb405a8bdbea635aeb
SHA18ad1eba33de9a663de6e3e6244420735a06ef69d
SHA2567956af9a9f6c06a01251031eaa07ec95e2ca8f84bb2f8d07968a03c784fb1a35
SHA5122e92dd691572da551645d071140250686471b79e5bc94c3042a8eef70069cdf1358f22430c9b2de523230f933ff7a9ec4ce04df80c28a464feb3f7dc21e7be0e
-
C:\mshyperSurrogatewebdll\r29x1UikXJ.vbeFilesize
213B
MD5da7e75e2f652053670953d37fa81a712
SHA11a992cbe4cb8f43967f176803a733d10f154a0a9
SHA25664f891a1682340493ecbef9d02c54b33ccd808947f3c5e9a03ba4c04211c0ba5
SHA51290f6bcfd4723abbe947367c1063bdad541b612e9242a0b8d22f28375020feaf9c9c6129a59563ebaa27793fbbfd096201315c2fad1cf29c879abb6451a6e467d
-
C:\mshyperSurrogatewebdll\sppsvc.exeFilesize
828KB
MD553dee3a4b4231beb405a8bdbea635aeb
SHA18ad1eba33de9a663de6e3e6244420735a06ef69d
SHA2567956af9a9f6c06a01251031eaa07ec95e2ca8f84bb2f8d07968a03c784fb1a35
SHA5122e92dd691572da551645d071140250686471b79e5bc94c3042a8eef70069cdf1358f22430c9b2de523230f933ff7a9ec4ce04df80c28a464feb3f7dc21e7be0e
-
C:\mshyperSurrogatewebdll\sppsvc.exeFilesize
828KB
MD553dee3a4b4231beb405a8bdbea635aeb
SHA18ad1eba33de9a663de6e3e6244420735a06ef69d
SHA2567956af9a9f6c06a01251031eaa07ec95e2ca8f84bb2f8d07968a03c784fb1a35
SHA5122e92dd691572da551645d071140250686471b79e5bc94c3042a8eef70069cdf1358f22430c9b2de523230f933ff7a9ec4ce04df80c28a464feb3f7dc21e7be0e
-
memory/2340-287-0x0000000002C80000-0x0000000002C90000-memory.dmpFilesize
64KB
-
memory/4036-256-0x0000000000350000-0x0000000000426000-memory.dmpFilesize
856KB
-
memory/4036-259-0x000000001B0A0000-0x000000001B0B0000-memory.dmpFilesize
64KB