Analysis

  • max time kernel
    123s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 06:38

General

  • Target

    NEAS.8b63b4a62f39fe51f04bad846500d900.exe

  • Size

    1.6MB

  • MD5

    8b63b4a62f39fe51f04bad846500d900

  • SHA1

    cd57f895dfbdef71daaec73832d686e25c4a9443

  • SHA256

    12d85b878dd9e2e4bf577444948bc0a1db87009f5d51e6e79403d1d8c2b5861d

  • SHA512

    8eb64ea0b612c306eba388c733b2e65ffa93111b6062d2034d4733352be8721c0450f1a130dbcbf9c17510612f2374017a1597ed90a20d5d9dd99d6b4c7c09d5

  • SSDEEP

    24576:dPMYXSRYoY64PXxohpNzb44qv/x8GMpmIB8VDLjyfH4VYiwzcHA8csX1OA:dPCRI+NoHwqRCY2cHAMF

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.8b63b4a62f39fe51f04bad846500d900.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.8b63b4a62f39fe51f04bad846500d900.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cKDdDiVJTa.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1656
        • C:\Recovery\WindowsRE\explorer.exe
          "C:\Recovery\WindowsRE\explorer.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4152
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4908

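The 24 schtasks.exe lines above are the sample's persistence layer: every dropped binary gets an ONLOGON task plus one or more MINUTE tasks that relaunch it every few minutes, and each task is named after the Windows binary the payload impersonates (lsass, csrss, dwm, explorer, taskhostw, TextInputHost) while the action points at C:\Recovery\WindowsRE, C:\Windows\twain_32 or C:\Users\Public\Videos. As an added example (not the sandbox's or the malware author's code), the Python below parses such command lines and scores each task on exactly those traits. The system-binary list, the trusted roots and the 15-minute watchdog threshold are this example's assumptions; eight input lines are copied from the process tree and the final VendorBackup line is a constructed benign control.

```python
"""Triage of schtasks.exe persistence from a sandbox process tree.

Added example for the report above; not code from the sandbox vendor or the
sample. Binary list, trusted roots and watchdog threshold are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Binary names malware commonly borrows for disguise (assumption; extend as needed).
SYSTEM_BINARY_STEMS = {
    "lsass", "csrss", "dwm", "explorer", "taskhostw", "textinputhost",
    "svchost", "winlogon", "smss", "services", "wininit", "runtimebroker",
}
# Directories those names legitimately run from; exact match, so that
# C:\Windows\twain_32 does not pass as C:\Windows.
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WATCHDOG_MAX_MINUTES = 15  # assumption: a MINUTE task at/below this is a relaunch watchdog

_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
_TR = re.compile(r"""/tr\s+(?:"'?([^"']+)'?"|(\S+))""", re.I)  # "'path'", "path" or bare
_SC = re.compile(r"/sc\s+(\w+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_RL = re.compile(r"/rl\s+(\w+)", re.I)

# First eight lines are from the report's process tree; the last is a constructed benign control.
REPORT_LINES = r"""
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\dwm.exe'" /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\explorer.exe'" /f
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "VendorBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Vendor\backup.exe" /f
"""


@dataclass
class TaskIoc:
    name: str
    action: str               # path the task executes
    schedule: str             # ONLOGON, MINUTE, DAILY, ...
    every: Optional[int]      # /mo value
    run_level: Optional[str]  # /rl value
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) >= 2


def parse_schtasks(cmdline: str) -> Optional[TaskIoc]:
    """Pull name, action and schedule out of a 'schtasks /create' command line."""
    if "/create" not in cmdline.lower():
        return None
    tn, tr = _TN.search(cmdline), _TR.search(cmdline)
    if not (tn and tr):
        return None
    sc, mo, rl = _SC.search(cmdline), _MO.search(cmdline), _RL.search(cmdline)
    return TaskIoc(
        name=tn.group(1),
        action=tr.group(1) or tr.group(2),
        schedule=sc.group(1).upper() if sc else "",
        every=int(mo.group(1)) if mo else None,
        run_level=rl.group(1).upper() if rl else None,
    )


def assess(task: TaskIoc) -> TaskIoc:
    """Attach human-readable reasons; two or more mark the task suspicious."""
    directory, _, basename = task.action.lower().rpartition("\\")
    stem = basename.rsplit(".", 1)[0]
    if stem in SYSTEM_BINARY_STEMS and directory not in LEGIT_DIRS:
        task.reasons.append(f"masquerades as {basename} but runs from {directory}")
    if not task.action.lower().startswith(TRUSTED_ROOTS):
        task.reasons.append("action outside Windows/Program Files")
    if task.schedule == "MINUTE" and task.every is not None and task.every <= WATCHDOG_MAX_MINUTES:
        task.reasons.append(f"relaunches every {task.every} min (watchdog)")
    if task.run_level == "HIGHEST":
        task.reasons.append("requests /rl HIGHEST")
    lname = task.name.lower()  # pattern in the tree: stem, or stem plus one trailing char
    if stem and lname.startswith(stem) and len(lname) - len(stem) <= 1:
        task.reasons.append("task name derived from binary name")
    return task


def triage(lines) -> List[TaskIoc]:
    return [assess(t) for t in map(parse_schtasks, lines) if t]


def persistence_paths(tasks: List[TaskIoc]) -> List[str]:
    """Unique on-disk paths to collect and hash on the host, from suspicious tasks only."""
    return sorted({t.action for t in tasks if t.suspicious})


if __name__ == "__main__":
    results = triage(REPORT_LINES.strip().splitlines())
    for t in results:
        print(f"{'SUSPICIOUS' if t.suspicious else 'ok':10} {t.name:14} {t.action}  {'; '.join(t.reasons)}")
    print("paths to collect:", *persistence_paths(results), sep="\n  ")
```

Run as a script it prints a verdict per task and the unique paths to pull from the host; the twain_32\dwm.exe task shows why the directory comparison must be exact rather than a prefix match on C:\Windows. Two details of the tree matter when correlating: PIDs 3068 and 3468 each appear twice (cmd.exe and a schtasks.exe; the dropped explorer.exe and a schtasks.exe), so the sandbox recycled PIDs and a PID is not a stable key for this run, and the w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 call in the batch file is a delay of a few seconds before the dropped explorer.exe starts, not time synchronisation.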
    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Recovery\WindowsRE\explorer.exe

            Filesize

            1.6MB

            MD5

            ec45ca9d44ff82d269fb8b1f2eef36cd

            SHA1

            9eae712d2d2c826a2bf6ee40a0da0895efeef436

            SHA256

            96c9c02744b4cacc75d9eee867e24b4eef30a597d143b8edc070d59b51f00586

            SHA512

            406b6a6a707778f2fdeb3ee392653ef8cb1489e62617801a1735888c3baad98bf8966c913509db65cc5b9004cc2b86156fd3409a39bf8770990f5a6ccde724dd

          • C:\Users\Admin\AppData\Local\Temp\cKDdDiVJTa.bat

            Filesize

            199B

            MD5

            6aa467dff9134de9626e316a2eb99ee5

            SHA1

            c649acceeb6e83c277704bdab20d8d17b5e0b492

            SHA256

            0f670a58c4e0b16e24d96c1fc59e533d08163be1debd4cb209ee7b3f2382fd03

            SHA512

            3dc6cb1fe5be705b97142052140bb67aab1b848e107aa7b2cb97e6d06186c69a9796b3d591ea51d5bda248f2e46035187bf8716a2e881446211d65526c5bfe6a

          • C:\Users\Public\Videos\explorer.exe

            Filesize

            1.6MB

            MD5

            8b63b4a62f39fe51f04bad846500d900

            SHA1

            cd57f895dfbdef71daaec73832d686e25c4a9443

            SHA256

            12d85b878dd9e2e4bf577444948bc0a1db87009f5d51e6e79403d1d8c2b5861d

            SHA512

            8eb64ea0b612c306eba388c733b2e65ffa93111b6062d2034d4733352be8721c0450f1a130dbcbf9c17510612f2374017a1597ed90a20d5d9dd99d6b4c7c09d5

          • memory/3468-102-0x00007FF8E8EC0000-0x00007FF8E9981000-memory.dmp

            Filesize

            10.8MB

          • memory/3468-100-0x0000000000C10000-0x0000000000C20000-memory.dmp

            Filesize

            64KB

          • memory/3468-99-0x00007FF8E8EC0000-0x00007FF8E9981000-memory.dmp

            Filesize

            10.8MB

          • memory/3468-98-0x00000000002D0000-0x000000000046E000-memory.dmp

            Filesize

            1.6MB

          • memory/5008-12-0x000000001AEE0000-0x000000001AEEC000-memory.dmp

            Filesize

            48KB

          • memory/5008-5-0x0000000002420000-0x0000000002430000-memory.dmp

            Filesize

            64KB

          • memory/5008-10-0x000000001AEB0000-0x000000001AEC2000-memory.dmp

            Filesize

            72KB

          • memory/5008-11-0x000000001BBC0000-0x000000001C0E8000-memory.dmp

            Filesize

            5.2MB

          • memory/5008-0-0x0000000000150000-0x00000000002EE000-memory.dmp

            Filesize

            1.6MB

          • memory/5008-13-0x000000001AEF0000-0x000000001AEF8000-memory.dmp

            Filesize

            32KB

          • memory/5008-14-0x000000001AF00000-0x000000001AF0C000-memory.dmp

            Filesize

            48KB

          • memory/5008-15-0x000000001AF10000-0x000000001AF1A000-memory.dmp

            Filesize

            40KB

          • memory/5008-8-0x0000000002470000-0x0000000002480000-memory.dmp

            Filesize

            64KB

          • memory/5008-9-0x0000000002460000-0x000000000246C000-memory.dmp

            Filesize

            48KB

          • memory/5008-94-0x00007FF8E8EC0000-0x00007FF8E9981000-memory.dmp

            Filesize

            10.8MB

          • memory/5008-6-0x0000000002430000-0x0000000002446000-memory.dmp

            Filesize

            88KB

          • memory/5008-7-0x0000000002450000-0x0000000002458000-memory.dmp

            Filesize

            32KB

          • memory/5008-4-0x000000001AE60000-0x000000001AEB0000-memory.dmp

            Filesize

            320KB

          • memory/5008-3-0x0000000002400000-0x000000000241C000-memory.dmp

            Filesize

            112KB

          • memory/5008-2-0x000000001AF40000-0x000000001AF50000-memory.dmp

            Filesize

            64KB

          • memory/5008-1-0x00007FF8E8EC0000-0x00007FF8E9981000-memory.dmp

            Filesize

            10.8MB