Analysis
-
max time kernel
118s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12/02/2024, 04:31
General
-
Target
e5c7522853714ce5cca752c45b5d7537e912efd1c932e5eac2084acab9fbece6.exe
-
Size
1.1MB
-
MD5
aeee28f5cccb12c0baffe8364f4ef4e8
-
SHA1
78fd4b83385c715f99365a5e0466f2223a4d6c0e
-
SHA256
e5c7522853714ce5cca752c45b5d7537e912efd1c932e5eac2084acab9fbece6
-
SHA512
d3dbfdd3cb4ed9d7efca9b8f55061169dec99c05dd2605e36cf5e7d5350a2b41de37647f9fb6226574971723c819eff80829dead87fcce71f631ec35dbc2abde
-
SSDEEP
24576:U2G/nvxW3Ww0torEh1W5f2qBEADinMGbndR1bADL:UbA30QEXWrBEo4AX
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5c7522853714ce5cca752c45b5d7537e912efd1c932e5eac2084acab9fbece6.exe"C:\Users\Admin\AppData\Local\Temp\e5c7522853714ce5cca752c45b5d7537e912efd1c932e5eac2084acab9fbece6.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeAgentfontcrt\s0XMUjAK41RpNiJ6U.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeAgentfontcrt\InKRj4szlYdZ2uThb4zCJjSF9.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\bridgeAgentfontcrt\RefPerf.exe"C:\bridgeAgentfontcrt\RefPerf.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1f43gTtQUl.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files (x86)\Windows Defender\ja-JP\spoolsv.exe"C:\Program Files (x86)\Windows Defender\ja-JP\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\bridgeAgentfontcrt\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\bridgeAgentfontcrt\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\bridgeAgentfontcrt\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222B
MD5d01bce42928c6e34680a8a1a0e647ed8
SHA18a47e0d2323bcbccba42e45f24edcc2cc32d2f72
SHA25677b5363011a4f9d5fe154cb8511d7ffa93e0cef9d3d986d5b646d57c30770891
SHA512d62fb5d7c69512b2b26508a65bc86e67cba60f4a34b9c259c1f6590d9d03b100a53f100f6df0b0dc19c2fa962f302ca11063f96764c9b4599b0af23eb80a755f
-
Filesize
35B
MD5e3999627b8bf467571542854b1ecd409
SHA109fbd8050ff0d635c2d64aa1f6d6279419407b72
SHA256014aab0584ac828de2644a514742760d9506c6b62caabae7b8ec8a1c4ee22b39
SHA5125cf0b2cda3f6521523c15dd4bb343526b844d923db46d2d385387f5387ddeed88367efb3deb2b322b847be4235b5658f8c0a129e933b849a35d46f02a142e1c7
-
Filesize
828KB
MD553b6d311de2f96c5439a175203e93185
SHA1414089dc5a8144fcd7e998908e9ffc5963dde376
SHA2568b925bde228f5865b099429a6aea7d8191de00538a01dc153e4de92c2fa266ae
SHA5128b32c041d7089ac0423089970da2e8b0b8e677ffa9d1f9e74abc8b0ab19f21950fa5a58f109d9323e495f8305a2958583eb6dfeb7ede7b35712480716126742a
-
Filesize
220B
MD5045f8ad7d4d32dfdf1833fc4c312aa11
SHA1e4fa08179322dc64c90e11854001179d5b357b78
SHA25611e769525c182658dd75b22c0c1e0443f9ef22d70ef1b8fffc855c864d937c8c
SHA512ffc3f56d9e079344d97953c840f37f3deaa6b5d8a88d775f8ecbe4e9743ad8ab7301fd9b04b8c8d4d6ffb54c512bc69a4047425d8ae4a5bfa6328ad209723701
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
856KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB