Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
23-05-2024 01:08
General
-
Target
13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe
-
Size
1.6MB
-
MD5
a0fc62e3b7ee3716781698677ef0a315
-
SHA1
679ee9e6c503af58943768fac7801a0c85149728
-
SHA256
13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc
-
SHA512
6d5f5cde273aebea5e97561c94e3a068e3b966dc0d8455d90f0bedcefbe2cd888457c60f639e77cdd3e6bd2b79b45fe1467f6eded81ddaf92ff6fde1bd2ba30b
-
SSDEEP
49152:BI3GKRB71HIfHaM+j4av2JIZF9YvOaXdFi:qPRB5HISGauJIn95eo
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Detects executables packed with SmartAssembly 3 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe"C:\Users\Admin\AppData\Local\Temp\13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\JFcWz5uGBCcQNylIeBn.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\FCDPQha3l1059hFdl7xiPA.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe"C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\MSOCache\All Users\ComContainer.exe"C:\MSOCache\All Users\ComContainer.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07085f87-a864-4eda-baf9-96ef83e90f37.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c71a51-516e-4497-b394-68692f2d15d9.vbs"7⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComContainerC" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ComContainer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComContainer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ComContainer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComContainerC" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ComContainer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Music\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Music\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComContainerC" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\ComContainer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComContainer" /sc ONLOGON /tr "'C:\MSOCache\All Users\ComContainer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComContainerC" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\ComContainer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\07085f87-a864-4eda-baf9-96ef83e90f37.vbsFilesize
714B
MD520916b8531cfc8e7ee4b05a83503cd28
SHA1916b49c4024443f6bbe2695c0b56bebf3944a108
SHA256823da829c8409896596a129361ab012651ccf8f15d471eae8a1cd506385f125e
SHA5123d2ad76e218bdf18250c145b0b96a4e918f29fa7a3ab7c17ea9a913525ed18d234947dfec865b8e07cd7d4f9f9baaad35c16490ee5b2891676032856e46aa4e2
-
C:\Users\Admin\AppData\Local\Temp\94c71a51-516e-4497-b394-68692f2d15d9.vbsFilesize
490B
MD5eb6efd5b22857df0e548b94a109bfa81
SHA13273203e0475259819d4d456ea628acaf77387ba
SHA25663452b2e563758abeaf6ebffe818af242cb955919157625f8a7b5fae76d3419c
SHA512a6dba916abda712518e447a2767abe74d87fba1472384b0eceb480bea40331dc180949b0db43a9518db1432b9b5b2dc0b7af6e79939199f3a6c87af8ffef97d9
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exeFilesize
2.1MB
MD584c02f6e1108d21bc6d871d4f0e67dd1
SHA1fc46781b941cb8b9493d1f89a835e60eebad1fe1
SHA2560b3af1714c58b112a179b1efe5d9b381cba0c06450860ae8134b386fe2fe5e8f
SHA512c4ca21b5b571eaaa58f63134337b2d01f9aba2dd1684a5ca2e57c8df34cf266b846fddc21f2b567cec3c714d08d47103059cb848a1a5e9efcaf6b3efde069510
-
C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\FCDPQha3l1059hFdl7xiPA.batFilesize
52B
MD5b56593dfa47cd5d585cf8f8d88c11b05
SHA1c70b8eec01fe9102c2e7cd3605dab47756f9643e
SHA256bae7494aa08a5d634830c205febb819b546b1633d2d2c74be6b78eee19c5514c
SHA512402da79f69e08391217210a273eb735036760ebfd5115537c8965128e11640071ba76438d7d236b6c93db697e90f9a994a2fcc29fed02edcb7ef6195a703c7b4
-
C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\JFcWz5uGBCcQNylIeBn.vbeFilesize
229B
MD58f6a53617f67becfab8753b32ce07e70
SHA1111bfba12a529a29baf5c80300dd5f4432be5c20
SHA256146e2cc8c7a342377dde4a2d323fba53afa9833e66539de23d120f414c4ffd4e
SHA512e40ee02738f686db97275ab9c87c2b96081d7395c3fe6365ee19c3348dd3f09ee3d423ad686af4e2f9214a0e1e3078bd4e7e4c2030ea87545b2b57cc60f531dc
-
\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exeFilesize
1.8MB
MD5d4d11ed815db57efe9580e29900df34e
SHA114b275d8df38bad245b92c1980a1e0eb6491dbce
SHA256fb41a0fd339ab301f2f33eb97a562af1876e394493fe9f114fa6ff5f9f7d82b8
SHA512375d489af26b7c48e8d73f31e2105bab5f84e80e7f8c32813a6ca574583c3ace0dfc23720964fc10000b3eeda70ab34ca692b22c9c696fc046c6509f38f8263b
-
memory/2072-73-0x0000000000EE0000-0x00000000010AE000-memory.dmpFilesize
1.8MB
-
memory/2236-0-0x000007FEF5483000-0x000007FEF5484000-memory.dmpFilesize
4KB
-
memory/2236-1-0x0000000000090000-0x0000000000226000-memory.dmpFilesize
1.6MB
-
memory/2236-3-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmpFilesize
9.9MB
-
memory/2236-8-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmpFilesize
9.9MB
-
memory/2756-29-0x0000000000B50000-0x0000000000B5C000-memory.dmpFilesize
48KB
-
memory/2756-35-0x0000000000E50000-0x0000000000E5C000-memory.dmpFilesize
48KB
-
memory/2756-28-0x0000000000B40000-0x0000000000B4A000-memory.dmpFilesize
40KB
-
memory/2756-26-0x0000000000B20000-0x0000000000B36000-memory.dmpFilesize
88KB
-
memory/2756-30-0x0000000000B60000-0x0000000000B68000-memory.dmpFilesize
32KB
-
memory/2756-31-0x0000000000D70000-0x0000000000D7C000-memory.dmpFilesize
48KB
-
memory/2756-32-0x0000000000E00000-0x0000000000E12000-memory.dmpFilesize
72KB
-
memory/2756-33-0x0000000000E30000-0x0000000000E3C000-memory.dmpFilesize
48KB
-
memory/2756-34-0x0000000000E40000-0x0000000000E48000-memory.dmpFilesize
32KB
-
memory/2756-27-0x0000000000A10000-0x0000000000A20000-memory.dmpFilesize
64KB
-
memory/2756-36-0x0000000000E60000-0x0000000000E6A000-memory.dmpFilesize
40KB
-
memory/2756-37-0x0000000000EF0000-0x0000000000EFE000-memory.dmpFilesize
56KB
-
memory/2756-38-0x0000000000F00000-0x0000000000F08000-memory.dmpFilesize
32KB
-
memory/2756-39-0x0000000000F10000-0x0000000000F1E000-memory.dmpFilesize
56KB
-
memory/2756-25-0x00000000009D0000-0x00000000009EC000-memory.dmpFilesize
112KB
-
memory/2756-24-0x00000000009C0000-0x00000000009CE000-memory.dmpFilesize
56KB
-
memory/2756-23-0x0000000001100000-0x00000000012CE000-memory.dmpFilesize
1.8MB