Analysis
-
max time kernel
150s -
max time network
165s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
10-08-2024 17:49
General
-
Target
1026da21d95ab9bc3a5dff5163d8029ea6ca3413e586272074105e4727ab1342.exe
-
Size
3.6MB
-
MD5
4cf736359926f19077a4c21300613900
-
SHA1
ccadc053294ab749b8588e96d970b2b9f68673eb
-
SHA256
1026da21d95ab9bc3a5dff5163d8029ea6ca3413e586272074105e4727ab1342
-
SHA512
f06470ccf1777ae0b4dbf1fb55af6804178bb18bd92eb2da5d091acdadc93206ab94358698bf272353462cc56cee9a5453b0f8a251f989805a55ce76190dc64b
-
SSDEEP
98304:ubzJfmjiWIkSsHIDR6ToISNCEVmC0LyZG7:ulmjPZSsoYoISNV0BLI2
Malware Config
Signatures
-
DcRat 14 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1026da21d95ab9bc3a5dff5163d8029ea6ca3413e586272074105e4727ab1342.exe"C:\Users\Admin\AppData\Local\Temp\1026da21d95ab9bc3a5dff5163d8029ea6ca3413e586272074105e4727ab1342.exe"1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperChaincrtdhcp\W484khEzBTOw1PD2BkAq8Rq.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperChaincrtdhcp\6ThdyFOhxVnd16OS.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\hyperChaincrtdhcp\surrogatenetsvc.exe"C:\hyperChaincrtdhcp\surrogatenetsvc.exe"4⤵
- DcRat
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\URQljcfPtk.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Users\Default\Desktop\csrss.exe"C:\Users\Default\Desktop\csrss.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec41b82c-e465-4557-87f6-aa0e536adc8b.vbs"7⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a7852c7-aa85-4825-8a70-582de4ad4ba3.vbs"7⤵
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperChaincrtdhcp\file.vbs"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\en-US\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\hyperChaincrtdhcp\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\hyperChaincrtdhcp\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\hyperChaincrtdhcp\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
486B
MD584970241ca7650b46e9f1ecdfc692e4e
SHA167c093f88f817ffaec93bb2ae49ed6661810b4df
SHA256ca2c387518755296d8718e68fa201559868ea8282dbb2527a9e38c4c9dda6a17
SHA51259440e73ebc800c6bacda91eeb1ad52dd1ad5d4a72ca0cdd7acc137531d0cffa41d71969cf2eee6665c47fa456e5805d04bd7efad0c263c6ade758894f402bd4
-
Filesize
199B
MD5ce5aad0abbc7733980295bb8e5653d7d
SHA186dcd0a6162e47a19e6806d94a27cb7d5cd6fc8c
SHA25664b33ce5c3c4ed49f925cac38fbedeba7554960202452c34eb9bc82822ed449c
SHA512dd371f2e334817be1c834b2cacc3511643dcf81c3124e08dffe30ca3976c0fd2bc56060e2e6177cee13ed1ba34b75cba57a30d9f50fab4be1f605a43b5e26dec
-
Filesize
709B
MD5dab95fd326d52d71931c7c332e869b3b
SHA1b694fda2ebecf39f798a833f7a2f0d79864446ad
SHA2568a9d04b5aef6161155b2f8233d161cf277246d4bf6f9a029f705152ef4c0e240
SHA51255a4b636d85c30c19bc375df75867cb08c619376dc48bf7590cc16661624732a44ad256c414952b7c1dc28f1d3c2f88b95918c6b2236a752a842e691e890ec55
-
Filesize
165B
MD5b3a5b424617b3b0c12b97a029f703e70
SHA12cf751234ee9482ba6478d277c7485c70663cc3f
SHA25637f84b4794429f2dbb20d445d7e643940819168923b3698fec1a66dfbef1529a
SHA512f07fc8ce678b8e11bb86afc69531b16d905d04bc3bb6ac138d3a57bd225775ee47dbbc25ef6b62010a59e21fb6bcaa0ed990fa08725114c0c3f347720d8ee397
-
Filesize
221B
MD5f7f659a7d4d5e1d041b9bb28858d3424
SHA13b35c04183e961d87d3cde33225677eabca19783
SHA256d06e295ba89042d20c86a71cf3840117afaac582ce6353c4f94f7be4d67cb298
SHA5129ed6fab84e566e119a7ad6af57f6876a40d1a6abea3c9c2e1dd08dcf7823d15e0365be4b5b7158a26edfb1f8be8180a3633d2fb2b32932b15aaedd5605f8e8b3
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
3.3MB
MD565c542e08ee66cd5954e6cd63a71b352
SHA1b1e4e2ee05e63e084ec06300706b55f8f2267303
SHA25631d1c930871005d4da7e67478a2a44faef8842a135769114cb1ff65488671a2e
SHA5128d626876d0709c9ed5514d02841620dd612f1d496a14dea595f2069c1eac352678cccd4ebccde6b5d430c42d3161d9fae29f59d9ce31251051e8090d8cfe9335
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
5.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
3.4MB