Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 03:36

General

  • Target

    ed4e123b6451095714644fcf1367ba60.exe

  • Size

    1.1MB

  • MD5

    ed4e123b6451095714644fcf1367ba60

  • SHA1

    12a24314c6d55271d040f3a62703f6669ef51b61

  • SHA256

    b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7

  • SHA512

    a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

  • SSDEEP

    24576:6ADdteLS1VO6wLVqq0aJSw69voIN7y7Di0:cE86MVX/SwHmf

Score
10/10

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process (21 IoCs)

    This typically indicates that the parent process was compromised via an exploit or a macro.

  • DCRat payload (8 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (3 IoCs)
  • Drops file in Program Files directory (8 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 21 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe
    "C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
      "C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5461879b-51ee-4964-b48c-e8b7ed8070ac.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:392
        • C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
          "C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25da8d3a-7c51-45d4-a4bf-f8eb4a4f446d.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2896
            • C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe
              "C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1720
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1b701b4-3746-45b1-9109-ca2773514631.vbs"
                7⤵
                  PID:1532
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77ecb74e-7b0e-4e98-a78e-65ae5b0ecb93.vbs"
                  7⤵
                    PID:3048
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24538454-b5c4-4b27-9292-f4f248a20288.vbs"
                5⤵
                  PID:4716
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\936ae47a-fe93-4320-aad7-c4a11ff10c46.vbs"
              3⤵
                PID:1048
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SppExtComObj.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2368
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3196
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3908
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3300
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4764
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4420
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\odt\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4372
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:468
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2176
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2416

                Downloads

                • C:\Program Files\Common Files\microsoft shared\MSInfo\csrss.exe

                  Filesize

                  1.1MB

                  MD5

                  ed4e123b6451095714644fcf1367ba60

                  SHA1

                  12a24314c6d55271d040f3a62703f6669ef51b61

                  SHA256

                  b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7

                  SHA512

                  a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

                  Filesize

                  1KB

                  MD5

                  4a667f150a4d1d02f53a9f24d89d53d1

                  SHA1

                  306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                  SHA256

                  414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                  SHA512

                  4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                • C:\Users\Admin\AppData\Local\Temp\24538454-b5c4-4b27-9292-f4f248a20288.vbs

                  Filesize

                  515B

                  MD5

                  c22ae86abc18e9b7eab3024376910623

                  SHA1

                  7f49061ff232126e2e6986b8d4ea050383e3959e

                  SHA256

                  360b17b76317753aa4db244da54ee3e9471cf8dc71ee4203ada0f526dfcaac47

                  SHA512

                  08526cb8b3c5e191f95ae8fc5beaaba03fc13e6ff34df461dad2a154a0071317225c0d7ab3ff5661c06f7c31bc985d32ecfe0a827ef6e620a25f1e1ba532e314

                • C:\Users\Admin\AppData\Local\Temp\25da8d3a-7c51-45d4-a4bf-f8eb4a4f446d.vbs

                  Filesize

                  739B

                  MD5

                  0f74eaf42150a1425dc8e1369e4e5113

                  SHA1

                  a831fc2bc3b42ec84464ccaf6cfa9a02b7b12cb7

                  SHA256

                  79f6e53ab48e2347dfda94464102c893842d9805ff86d337693eb090c0f9364f

                  SHA512

                  c00dd06265e7e6978a7218ae30b0132007168e99cf2307ddee896928c0456141797d8bee112ded1a83960c3b60b0800bfde3ab335b0d045da4afefaf91cf28a3

                • C:\Users\Admin\AppData\Local\Temp\5461879b-51ee-4964-b48c-e8b7ed8070ac.vbs

                  Filesize

                  738B

                  MD5

                  fe7a84bf0da8c0441eda74720a399f62

                  SHA1

                  059e26c10220067c15c08898105c0ad232e074fa

                  SHA256

                  b02822eb75ff2292c21d21aeafce029bb7e8f230c13d08e1677fc150c6ffb4a9

                  SHA512

                  b6f635d0cba6ee44fb9ae3c9d111e4c4aeaa24779f6a3fc56a9f0356029190da34df5250e7bd89a155979466bc1781f2f60d4efca6ac5c1058e2af2e6ccb20c2

                • C:\Users\Admin\AppData\Local\Temp\77ecb74e-7b0e-4e98-a78e-65ae5b0ecb93.vbs

                  Filesize

                  515B

                  MD5

                  c22ae86abc18e9b7eab3024376910623

                  SHA1

                  7f49061ff232126e2e6986b8d4ea050383e3959e

                  SHA256

                  360b17b76317753aa4db244da54ee3e9471cf8dc71ee4203ada0f526dfcaac47

                  SHA512

                  08526cb8b3c5e191f95ae8fc5beaaba03fc13e6ff34df461dad2a154a0071317225c0d7ab3ff5661c06f7c31bc985d32ecfe0a827ef6e620a25f1e1ba532e314

                • C:\Users\Admin\AppData\Local\Temp\936ae47a-fe93-4320-aad7-c4a11ff10c46.vbs

                  Filesize

                  515B

                  MD5

                  c22ae86abc18e9b7eab3024376910623

                  SHA1

                  7f49061ff232126e2e6986b8d4ea050383e3959e

                  SHA256

                  360b17b76317753aa4db244da54ee3e9471cf8dc71ee4203ada0f526dfcaac47

                  SHA512

                  08526cb8b3c5e191f95ae8fc5beaaba03fc13e6ff34df461dad2a154a0071317225c0d7ab3ff5661c06f7c31bc985d32ecfe0a827ef6e620a25f1e1ba532e314

                • C:\Users\Admin\AppData\Local\Temp\f1b701b4-3746-45b1-9109-ca2773514631.vbs

                  Filesize

                  739B

                  MD5

                  661296456da6507ea13c581dce664ea3

                  SHA1

                  9c82c50080f9483b25373adbd84413c4715e5c38

                  SHA256

                  14d70338eb8be83b8f7f8b7427cd6557fff655413534873971c19ca52cd0918f

                  SHA512

                  1159f2372c8d6de28b56b48fab060cebe861b5e5e95fec8131f4327537bc39f068a34061a331577f51643f7d503765bc884d125d1633caacc17bd8a4407bb0f3

                • C:\Users\Admin\AppData\Local\Temp\f8901282d4c602a9b5b95cb5aeb411efc3b72249.exe

                  Filesize

                  1.1MB

                  MD5

                  ed4e123b6451095714644fcf1367ba60

                  SHA1

                  12a24314c6d55271d040f3a62703f6669ef51b61

                  SHA256

                  b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7

                  SHA512

                  a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

                • C:\odt\backgroundTaskHost.exe

                  Filesize

                  1.1MB

                  MD5

                  ed4e123b6451095714644fcf1367ba60

                  SHA1

                  12a24314c6d55271d040f3a62703f6669ef51b61

                  SHA256

                  b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7

                  SHA512

                  a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5
