Analysis
-
max time kernel
129s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
31-10-2023 08:59
General
-
Target
NEAS.deae068c77a6e63c6d74307f353e5e40.exe
-
Size
784KB
-
MD5
deae068c77a6e63c6d74307f353e5e40
-
SHA1
cb740abd0c89cd3cb20356f6e5777f879372f906
-
SHA256
c3b511d889528a52823649518bf1f0227f28c5d76f252bbaea8a3f31578f86a7
-
SHA512
4c506b647042da604aa3f96a30538874218daf4960e4fb11048a7f4a7f998a020928fb2374e27073fe4bf5fd9be80bf0f3d218108bcb0a513467991057115166
-
SSDEEP
12288:eqnO8YpD1oOJp+Ce1PSiG2jfIBoI5DyDwYMDxFesH0ioBw7oKk2:e+ORToOWSi5gBoS4wYUJ0eo2
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 3 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.deae068c77a6e63c6d74307f353e5e40.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.deae068c77a6e63c6d74307f353e5e40.exe"1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\dmcsps\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-3125601242-331447593-1512828465-1000\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\provplatformdesktop\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
784KB
MD5deae068c77a6e63c6d74307f353e5e40
SHA1cb740abd0c89cd3cb20356f6e5777f879372f906
SHA256c3b511d889528a52823649518bf1f0227f28c5d76f252bbaea8a3f31578f86a7
SHA5124c506b647042da604aa3f96a30538874218daf4960e4fb11048a7f4a7f998a020928fb2374e27073fe4bf5fd9be80bf0f3d218108bcb0a513467991057115166
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
808KB