Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
19-03-2024 17:37
General
-
Target
d6b8c1db03cd0f282e1718daf0dc35cf.exe
-
Size
978KB
-
MD5
d6b8c1db03cd0f282e1718daf0dc35cf
-
SHA1
33435de2eb5be3e242bc75d3c6722e6e1a9b866c
-
SHA256
7849b02c1912451ca4703361443e161953750e9783ee237985db9cafaff76c04
-
SHA512
fa8bc7754009e447c1a87bd1e8183e5138eb2a637a6a3853f546af48a3564522b634341f2ed09117048f549953010c7fc4d67a72194121e23171f5f3f8746c27
-
SSDEEP
24576:gHmSroFu1bU2XbykgUD5G5/XjaTG5lgUChKw9NQLH:gH7k4lyzBdToG5Wj9U
Malware Config
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Windows security bypass 2 TTPs 3 IoCs
-
DCRat payload 7 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Nirsoft 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 9 IoCs
-
Windows security modification 2 TTPs 9 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe"C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe"1⤵
- DcRat
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1c50edc5-174f-4f17-96da-6204a8fcfb97\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\1c50edc5-174f-4f17-96da-6204a8fcfb97\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1c50edc5-174f-4f17-96da-6204a8fcfb97\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1c50edc5-174f-4f17-96da-6204a8fcfb97\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\1c50edc5-174f-4f17-96da-6204a8fcfb97\AdvancedRun.exe" /SpecialRun 4101d8 21963⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe"C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsm.exe"C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsm.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\13c88ef5-8944-45d2-8419-31e431942fa3\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\13c88ef5-8944-45d2-8419-31e431942fa3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\13c88ef5-8944-45d2-8419-31e431942fa3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\13c88ef5-8944-45d2-8419-31e431942fa3\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\13c88ef5-8944-45d2-8419-31e431942fa3\AdvancedRun.exe" /SpecialRun 4101d8 18725⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsm.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsm.exe"C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsm.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
978KB
MD5d6b8c1db03cd0f282e1718daf0dc35cf
SHA133435de2eb5be3e242bc75d3c6722e6e1a9b866c
SHA2567849b02c1912451ca4703361443e161953750e9783ee237985db9cafaff76c04
SHA512fa8bc7754009e447c1a87bd1e8183e5138eb2a637a6a3853f546af48a3564522b634341f2ed09117048f549953010c7fc4d67a72194121e23171f5f3f8746c27
-
Filesize
7KB
MD5bdba9413728dfc09d545d42eec6a2693
SHA14e5ecbd218cf15f287adee13f0f6c9fa630df3f1
SHA256ef4ac00f906905334f2f1f702d146b84cb238c0e458efe0fe6587a1be4dea314
SHA5124cff7988b20c4b31185ebdf8624c10f0eea408ce9a05e5a6e0970a0a9f406477433d43edca066f503b471224ad151b46621c1c19f3af15c53ccd7726534550c1
-
Filesize
88KB
MD517fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
1000KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
1000KB
-
Filesize
6.9MB
-
Filesize
984KB
-
Filesize
256KB
-
Filesize
6.9MB