Analysis
-
max time kernel
122s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31/12/2023, 12:50
General
-
Target
15949a8ac89553949278777a580044ac.exe
-
Size
2.7MB
-
MD5
15949a8ac89553949278777a580044ac
-
SHA1
d04205fde4db2c89e556d2f023b6b83e4c37360b
-
SHA256
ac0c0dbb347d0ed2096610d72ef708415f29ecc0bb560ff62bffd31675637fd4
-
SHA512
4d81e608d024480c4e6dd695a80c5114298e870a92540138ba92b169e1f921f348f191841c01a1b511406f65c2cb0f3ac2e0a32e240e2387c5689f577cbbaace
-
SSDEEP
49152:3b8iGewegzYlAyJ0rxJcq7oAVEKt6ZfBd8NDFZ6yDoJNdTZw7UJk2byImVXsyyO:3QhrbaIxCq7oASDfBdELhEJ2wz+syb
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15949a8ac89553949278777a580044ac.exe"C:\Users\Admin\AppData\Local\Temp\15949a8ac89553949278777a580044ac.exe"1⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jEEliCGCGs.bat"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
-
C:\Windows\SysWOW64\wbem\pnpsetup\WmiPrvSE.exe"C:\Windows\System32\wbem\pnpsetup\WmiPrvSE.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\WPDShextAutoplay\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\pnpsetup\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0022\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD53698d97cea8f207a36aeacc3b0e42891
SHA163a2ea25aca4d5b98cd4eb53a1c5d20f1cbc8e2e
SHA256d86412066ef7ea5a4a8ff48708365cf24f35d21ad32ed8f9498bae94b4320ff7
SHA5127498dd3081cff4c5a40d115edbff2c992a45060efc00c33ab0e598f46b1d25288e72e7079cf64d160cb68aacc9c70ec949c8ae6073eb9d75ca48afe4a9363377
-
Filesize
262B
MD542333da004e6147de181759467e067de
SHA12d4af4536712cd0deb141d48d5d28e4fd377dfd8
SHA2567d52802a8bf9536525c57e454ea971ac051dad0825a7ae6161e1a6c48405a5e5
SHA5126c414803af0dee5ee2692f52a05abc45d242d495ea77eb6cf4c99ccf55b128710e0c24ef26a144f97d2a0efd5e2a85f64f0dfbabccd8b35619abfd122ec4fb8f
-
Filesize
327KB
MD5ddfcee45f505bbe4c00eceb9b6b64d10
SHA16f692b9e267b86a2db2fa45b34abe79e8d31bd17
SHA256728f356142f20f2ea1be244a994c698862873195f6e038fef8d106227cd698f7
SHA51231c9951708e7ec50ade27b88c7758d7babbdf84c1f207a3b0fd13cf15f940342946e2fb61ca9448d5356847f354e1cf9fe2d6f5c6cc167cd3d71ae371600d1b6
-
Filesize
436KB
MD5debc42373576093a23c4156d049adefd
SHA176965e79486a6b3e67af859f7b15f5910ac86b88
SHA25672caa7b370ea5ccfdf517a79cc3c16d5fe2f21c85ca6622c5d23d3b7e6c0bad1
SHA5120fd602394c55313bc1060d12a507db6dda24ce2ffbe48c0e62efaf9516ab083c713070c804dcf6e4eb66977e00ec974d334eac9962392418d28efd3ac459bbca
-
Filesize
454KB
MD50e05ea8a06db1f416ecfc6d06b473465
SHA1f7faf2c10a7f65272c558907abfeb8ef16cee91c
SHA2562c2f94a3abef0a3854592358e8a5d3aa224599ce7e7879cb2ceb4645bb5184a2
SHA51222f828df383ce26a53d5eef4646c432028cf81e1bc369a1e896a121af1872ea60db7d6d0c517cab6bce2e4859f05e8bc362e88262c3e1c8f9026b8982e52411a
-
Filesize
608KB
MD58851e7fb6c89ceba6b81500bc58ffa98
SHA14d6601d3ce1b369d59971282af469088d1494677
SHA256dbee9af7a82c9b109a5e2f0d56dbe02a6b6fad824ea8d96d2cc98f9d164b539e
SHA512279203ba8021eb2cef34597a7bfe59fcd1ccab382f7d7a54c632cdbe3628f85f4edde5b3e41fd2dc4b4214c13b5968adb97d88ae5136062d6c9e75253765c517
-
Filesize
92KB
-
Filesize
512KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
328KB
-
Filesize
52KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
7.2MB
-
Filesize
256KB
-
Filesize
156KB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
56KB
-
Filesize
296KB
-
Filesize
36KB
-
Filesize
6.9MB
-
Filesize
960KB
-
Filesize
816KB
-
Filesize
296KB
-
Filesize
960KB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
512KB
-
Filesize
7.2MB
-
Filesize
256KB
-
Filesize
60KB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
512KB
-
Filesize
816KB
-
Filesize
44KB
-
Filesize
7.2MB
-
Filesize
92KB
-
Filesize
56KB
-
Filesize
6.9MB
-
Filesize
60KB
-
Filesize
1.6MB
-
Filesize
524KB
-
Filesize
184KB
-
Filesize
296KB
-
Filesize
960KB
-
Filesize
36KB
-
Filesize
184KB
-
Filesize
1.6MB
-
Filesize
92KB
-
Filesize
296KB
-
Filesize
7.2MB
-
Filesize
524KB
-
Filesize
92KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
256KB
-
Filesize
92KB
-
Filesize
960KB
-
Filesize
816KB
-
Filesize
7.2MB
-
Filesize
512KB
-
Filesize
6.9MB
-
Filesize
7.2MB
-
Filesize
36KB
-
Filesize
296KB
-
Filesize
44KB
-
Filesize
8KB