Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-02-2024 09:41

General

  • Target

    8ed351e42a16628f6ed3c2d8c7b46d9f.exe

  • Size

    1.6MB

  • MD5

    8ed351e42a16628f6ed3c2d8c7b46d9f

  • SHA1

    91812e5337d42ace0794b5d85b84205ba460ef22

  • SHA256

    8df81f1dd45838d93492643da45db3beecf6e3f37bc3a6f5644f94f89d2d7d11

  • SHA512

    1b25ad4ea4011d72c6982069e651a5e460c36f562f9af8be395a7f0d2a180a07815e3d20a42e953f7082228c93b34e01c88f54af39cec2aa4bbfae1e7d2e7a39

  • SSDEEP

    49152:utv5FSXcj3BwQI0PKr3OJPiin3qcaif7M4avroP:upSMjRwQIa2ORJ3HaieoP

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ed351e42a16628f6ed3c2d8c7b46d9f.exe
    "C:\Users\Admin\AppData\Local\Temp\8ed351e42a16628f6ed3c2d8c7b46d9f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1924
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wscenter\WmiPrvSE.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4512
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\dhcpcsvc\fontdrvhost.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2600
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wpdcomp\WmiPrvSE.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4200
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\icg1wVJtlk.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\odt\OfficeClickToRun.exe
        "C:\odt\OfficeClickToRun.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4080
  • C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    1⤵
    • Runs ping.exe
    PID:2860
  • C:\Windows\SysWOW64\chcp.com
    chcp 65001
    1⤵
    PID:1948

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\icg1wVJtlk.bat

      Filesize

      193B

      MD5

      3b242e4155acbe2c93d48ba09b2f1fcb

      SHA1

      56e3e1070e79f0442fef98d91fc40a6a2278315e

      SHA256

      d63fa1f86452bfe5a31560df41ffdcaf35402c79edb8e6cb2b75ac6601e9e42e

      SHA512

      2c4444b4e80c606cc3507da73fca498a9aa55f4237c1a9d32726088adb2edcfd3043fe43ec70d763daaae3cf7f1a4a7e599691e53c2c909a196b462ee6842e5d

    • C:\odt\OfficeClickToRun.exe

      Filesize

      1.1MB

      MD5

      fba59b146a036da519a3a8efa67bcdfc

      SHA1

      3f544a1323190e9cfd97044051ab241c1c1d7f05

      SHA256

      40652cbcf0b11bbdd9541e7bd81c81ef9467d4a5e6f982b276cd4ae08db067ba

      SHA512

      1988af39c3f46888c268688defade7231a02302ae601923ede84500198b8afd4bf5e5e8f7a767445e72c5abb1e4f488a9a14726c79964fd08a923b2bd95a19ee

    • C:\odt\OfficeClickToRun.exe

      Filesize

      122KB

      MD5

      c5392478ea58aa9cc7ab220ab1cddbfb

      SHA1

      59e8e7aaab9e96c32dfc6b816e216c53b457c343

      SHA256

      b3690e08a497b72af16d90c91a7e47b91148236aa2a48cb25daaf4b426793b4b

      SHA512

      60bac1f98d8a5b73f04cf3fd56415936f0c0a9d07c997d38c15bb7b24c663be3f3a3e928b805a0d232c8dcfce535e36518c28e329561c1a0f0da305396f593d2

    • C:\odt\OfficeClickToRun.exe

      Filesize

      77KB

      MD5

      cc9b5a9263071846026c20b3c843c9b7

      SHA1

      58cda6288cef6e257763f01b92ab1c4221cd34ba

      SHA256

      84880d8c20cd5c257588254d6daf01d67ed652e5da9b81fc56a2fed658e073eb

      SHA512

      f7903aa06b00461aa5e6a73e57dc1c09465a8fc49c569d12d282892953765de01c3b542a376cf06eeef668a52faa8b8c7c064d614ef7d62eed3e540a52817f7d

    • memory/4080-32-0x0000000000070000-0x00000000004B0000-memory.dmp

      Filesize

      4.2MB

    • memory/4080-29-0x0000000000070000-0x00000000004B0000-memory.dmp

      Filesize

      4.2MB

    • memory/4080-37-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4080-36-0x0000000000070000-0x00000000004B0000-memory.dmp

      Filesize

      4.2MB

    • memory/4080-33-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

    • memory/4080-30-0x0000000000070000-0x00000000004B0000-memory.dmp

      Filesize

      4.2MB

    • memory/4080-31-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4416-25-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4416-1-0x0000000000760000-0x0000000000BA0000-memory.dmp

      Filesize

      4.2MB

    • memory/4416-2-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4416-3-0x0000000006220000-0x00000000067C4000-memory.dmp

      Filesize

      5.6MB

    • memory/4416-0-0x0000000000760000-0x0000000000BA0000-memory.dmp

      Filesize

      4.2MB

    • memory/4416-24-0x0000000000760000-0x0000000000BA0000-memory.dmp

      Filesize

      4.2MB

    • memory/4416-5-0x0000000005C60000-0x0000000005C70000-memory.dmp

      Filesize

      64KB

    • memory/4416-4-0x0000000005B60000-0x0000000005BC6000-memory.dmp

      Filesize

      408KB

    • memory/4416-6-0x00000000069D0000-0x0000000006A6C000-memory.dmp

      Filesize

      624KB