Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/01/2024, 16:09

General

  • Target

    59270817698c2fc74aae016ca53a3581.exe

  • Size

    1.1MB

  • MD5

    59270817698c2fc74aae016ca53a3581

  • SHA1

    e421c4756e386756abccd6d2e24d0c4be51ebf55

  • SHA256

    70ece10d965f55c1109a70afd1ea09b6e9d7275e96b3e20c62f944620b851b9e

  • SHA512

    2625e5fe1f3de61fad379e92d55a89131ddb8c2959d600957691e716749d21d2c67957c4abbc7662974e7855471ef32f8e7b415e8866294cae37a3e190c0e0f1

  • SSDEEP

    24576:8b2q0wZs+tAigfOeQTAcPpAWjHK/3BFHI2qCc3QPJA+4:8LFP21I2yQF

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\59270817698c2fc74aae016ca53a3581.exe
    "C:\Users\Admin\AppData\Local\Temp\59270817698c2fc74aae016ca53a3581.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\smss.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2156
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\winlogon.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2816
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\imgutil\winlogon.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2988
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "59270817698c2fc74aae016ca53a3581" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\jawshtml\59270817698c2fc74aae016ca53a3581.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2804
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\rdpendp\smss.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2976
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bPkSIxSaU1.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2728
        • C:\Windows\system32\PING.EXE
          ping -n 5 localhost
          3⤵
          • Runs ping.exe
          PID:2616
        • C:\Windows\System32\imgutil\winlogon.exe
          "C:\Windows\System32\imgutil\winlogon.exe"
          3⤵
          • Executes dropped EXE
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2200

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\Cab36FA.tmp

            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\bPkSIxSaU1.bat

            Filesize

            206B

            MD5

            3422172eac250a6564bdb246aad636cc

            SHA1

            462b2448df637fd79adc6de7dfcccd151aad880d

            SHA256

            ab3b01f631ddefb044c60321a219df4596cb2656d0d21dd654714677902b5c5e

            SHA512

            9d4dd2b84614df312addc62b2ae75e8ab87a7deddd1d6289759d97275597e6b4b90d6cbd55feb0cdb4f6106029620029f1a730f2bb84e8b306691e5fce6d9326

          • C:\Windows\System32\imgutil\winlogon.exe

            Filesize

            1.0MB

            MD5

            4c35f71c21c0a0412a535e9bd9026e90

            SHA1

            927d757b3d6a8ddda94621ab9038ee3d8e41c99f

            SHA256

            293f1c6fce38602a75572edb5cf51bc156799ba9e33f3f4b47124a89e43b42cf

            SHA512

            fe799d8b84d082dda5c3570cffaa34a0908f6014d6fce4930502e49ac7fa36e26d04d5ff9d643f03644c7b9dd90d98597cb46c4d20db3a9578ece9dcf4c2aba2

          • C:\Windows\System32\rdpendp\smss.exe

            Filesize

            1.1MB

            MD5

            59270817698c2fc74aae016ca53a3581

            SHA1

            e421c4756e386756abccd6d2e24d0c4be51ebf55

            SHA256

            70ece10d965f55c1109a70afd1ea09b6e9d7275e96b3e20c62f944620b851b9e

            SHA512

            2625e5fe1f3de61fad379e92d55a89131ddb8c2959d600957691e716749d21d2c67957c4abbc7662974e7855471ef32f8e7b415e8866294cae37a3e190c0e0f1

          • memory/2200-21-0x0000000001280000-0x0000000001394000-memory.dmp

            Filesize

            1.1MB

          • memory/2200-22-0x000007FEF4D60000-0x000007FEF574C000-memory.dmp

            Filesize

            9.9MB

          • memory/2200-23-0x000000001B0B0000-0x000000001B130000-memory.dmp

            Filesize

            512KB

          • memory/2200-103-0x000007FEF4D60000-0x000007FEF574C000-memory.dmp

            Filesize

            9.9MB

          • memory/2800-0-0x0000000001010000-0x0000000001124000-memory.dmp

            Filesize

            1.1MB

          • memory/2800-1-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

            Filesize

            9.9MB

          • memory/2800-2-0x0000000000F30000-0x0000000000FB0000-memory.dmp

            Filesize

            512KB

          • memory/2800-18-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

            Filesize

            9.9MB