Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
31-08-2024 01:07
General
-
Target
6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d.exe
-
Size
1.7MB
-
MD5
1d98bb52c2eeac75f2e83e8b0b88459f
-
SHA1
ab0db0eca10717ad295b4c015db9d51c20bda41d
-
SHA256
6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d
-
SHA512
bb05cf51b6b7b4318bf81b9cc5831e558018d7f2347429ca4513454f06ff3ba5c77b90f82fe533dd5ca60139b059daf65d752b5648c702d2ff4af6e648421e26
-
SSDEEP
24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d.exe"C:\Users\Admin\AppData\Local\Temp\6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4V3lt5QzV.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76b057a9-4801-4c3e-8725-f801a005b202.vbs"4⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45d364d0-fee7-43df-a11c-c1273336b17c.vbs"4⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12128/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD51d98bb52c2eeac75f2e83e8b0b88459f
SHA1ab0db0eca10717ad295b4c015db9d51c20bda41d
SHA2566cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d
SHA512bb05cf51b6b7b4318bf81b9cc5831e558018d7f2347429ca4513454f06ff3ba5c77b90f82fe533dd5ca60139b059daf65d752b5648c702d2ff4af6e648421e26
-
Filesize
342B
MD5c051ef8034717af6e49b1379c7257c50
SHA10d6a9ad1f93093593c997c1bda684854c4bf4ccb
SHA256fcc5723d43c0eb4017a63183979d65c32a77db8d8b04ce0f4f5591be49a7d175
SHA512e89418ece626ab39d470209ef2a39862db639377ae82afb51f1abb899576fff8862a0fa233a45ea5e17fd4a1ecc2bd8e6cf791b3f5b678f3754ff743b1de64b6
-
Filesize
342B
MD5edb53d28fec67111f9ee1b97821b3b17
SHA1df29e74fafd270c0de6c6047ad7b81ed1e0cf7fd
SHA25640bc0102d0477d9ffacfa0dd24bf53082fb6d540282a324e59e40aac4a4395ff
SHA5125579901fe462124d22487acf0bbd7d2014bda975b30ba53e0d9d5cf1cbb62927888dc622ef8a326c08ffcdfd2552428c477d746b97548172b93764bbace8ea5a
-
Filesize
342B
MD5a2e5a69157994fe1f2c6de8b1ff29f2f
SHA144ca0a79eb5b0909a38131e6d371735c4b4f531e
SHA25614a7c1d202ae2ad5d8e52fdbe19ba768149fea6f6e446f7e64b039b615d2b21e
SHA5128aaeb2dec5de2eaacda22e3bb61b32139a269d64ab6394be815ec4a589d19837396d07512f3b48092d99998059580a10c488e012b70fe8577d87c217dc8fc1bf
-
Filesize
342B
MD59b3377dcccd80e36c0b8841cbba8096d
SHA17e3f063f6f546517614c1824d9a7e703d02f4ca9
SHA25687b4f47ff4ceb43354ae456d8e8b29fa98d886ed3c671c75b967c21d00becf4c
SHA512e8f66aae40c6a63953337884d5c4b2965621fc5950abc727145d46a680f6ab0d7b2641baaaea122256d2407b32ac60d52c02d17aa5cefc52849e2ebb16fad5b4
-
Filesize
342B
MD590e0af214d6d98d2f5b74f247c03e79e
SHA1ec09d5cbec3f1bdb3032a1421c9c07bd4c46c6d5
SHA2562a87b0ce0ae5c9e047038bd927635773b984cdbbc24e58739ad251ee89e6a2b0
SHA512506d43f62d88e2ae86f0e4cb12bfaa221ee70ae539c1caa3d9e35a3062acb6db649bf1b61d9eaa0b14dfee2b2a8f3a8ca21cc274b95f59cc02f6af2637e53214
-
Filesize
342B
MD5701830a096de5543e7574a3ef8a4bea3
SHA102b4ef8d8e9952866b2d74e39ba2e34e88195fa6
SHA25647333cf34e70e2507ac55f11ceeef91b93fa6d27fb23762f085cf8dddc61cebb
SHA5122448c7b0ab1b7213fdf5e24816a96b408ef968416f955b71cb7f96e995381eb8590c918dc06a272d63983a3380957a3874321563d39bd221d5976a38898d1c65
-
Filesize
342B
MD50d3c688a90074f6ec034418f57df1b68
SHA16da414249497327111b016440259fd96b15e1ba1
SHA256a41b37ae08f3f9477ec043804bc8eb66f68746d671640e3ed861c58118a02ba7
SHA5126a4efab95b7843fd8c788d4d572d47aa592f1f9c921290e2fee61de9847b4229df7e86aa6b7491c82fc014f9435e386797b7956e96353dd8037d7c9350e40a04
-
Filesize
342B
MD50e5b4ca297052d474dd3ff3ac4fab15b
SHA178ee7dbd0c296ca9e4d027957f166387792bf39e
SHA256149053cdf7fd9e41292eab49f55ce48c0bc26b0addca630a99742315b6405582
SHA512f957f0b0195bf63a2491a9801b849d05800ddc8a8592f590dec37b3e4b58ec0657aff786cd1597e628b1a76a849473bf70926b7407641c94102febbc38e92a02
-
Filesize
342B
MD574147e09c1c7ddb38c486d9a2280ef0e
SHA1208fb6b78e3543da9f4c3197317d52063f621aad
SHA2565de435eb11fac7aea78b6648e97b1291101c7a21608e7bdc370c0434de3d8ec1
SHA5122aaf2724bed6e808d2c6e0a63ef6233fff38c7e237fde69d7374a5d6518c46dbc24ec35ef33129ec891fedb98cb05cac84aa0f158d2e6da0dc667276e1bbc806
-
Filesize
342B
MD5caf58816f726cadbcb5f8c47056f50b7
SHA19aaed60c1dac6f0bb681a5b4518380a7a45dc5d4
SHA256a24427ca0b1ceae224813366f9ae00537a28c4147769815d337ec312c2fd0f02
SHA512858b556e60467ba0a09d06dd55b62873352ffab0a636aa150371c6e9bbbb5cd5c4c6f157a896164ea1874922bdc9b81f18b8b764901819a453c0175aa904fd5e
-
Filesize
342B
MD5f889988945a473798563c862a9de0cd4
SHA1dc0f9a3dc140cd70ae4a7c2117c701dd3280713e
SHA256ee1738d8e659e0c23e0f9353b01083c75960c754ca0fe8568d803d9bf9dbf31c
SHA512bdd3e5d21482cc0db0b59152b763c8dd23bab35db15bec6e946c595e74657465acf82579a87f1875c3cb2f97439bcee57db2a1e29af7c6b874768ff0d24686e7
-
Filesize
342B
MD5e9ca774965557c93b6a6a6f7889b9882
SHA1f1e59d31add8320f9f39ac766d7be29917eb15ff
SHA25686637e9d08fa4247c518a86bd7d56e0b855538715433f879af0e836363117621
SHA5128630e04393df916faaa755829b1e3a66c480a9ec5556258dd9c94c7258eadaf395f6164c1306f3a9f124b5970e35ec175e4be732224207c85b617d2c33b8c306
-
Filesize
342B
MD5ee5ee4d8f14ad5d4c3862e0cd2843cff
SHA1e4a2a8a90d7834f913d3436e6f32be67a085d41d
SHA25690dbf4f0efb6521492d3b946c386f55c7e9fd0aa1a8b51fbb39ab3165c0d2c88
SHA512ad19a1fe426a46e133a6aa2e7c627be6e3219c2ce43d9401d7be443d0dc608881456d736af51c3724facd434187f28b8006b6555dfd37c3c0550ce0751f8c05f
-
Filesize
342B
MD5d064a1681d4a3c381a3c1e730f1ffd1e
SHA138ead02afc8747e70eea05dc87c8cee9ce62f6b9
SHA256d284f1f7969400a7a4c6714da36fc71e2caa443002cf325059ef83151e92968c
SHA5128c78dcdc11743624d0f2c1921a0468d936e4affc275fd579809f995c01bf29bbf4b497388caa5c5305e6799290e06d0af5177c1c4e5d230a20a4ff09bdb2c25c
-
Filesize
342B
MD5b581ba1e4f0a9bba75016e36d7731da2
SHA1037cfa1ad546ccae93499421a6e3134f2e9f0cf5
SHA256298d27dd4d5ee2d5f3d05fceb1a5c567614fb19f9c32c4a64de9ebb3d46cdf6f
SHA5128fdd6376462ab4a33354c831e35c3ad4184f77ea84a7c9029708ae75b5de0b24cb64522320f5129c7b5c9006868fb6ac084b20db9a5871902f192c4058f4c838
-
Filesize
342B
MD5cce03b0158bfc5a5fb70bb250dd69d44
SHA17df15d250f301dd93000499e24d64f353502c55a
SHA25613f23326e8d97233490e0196d317816a77d0844250deb91b8f410c6fa2f3480a
SHA51230c29779f47d5ba46a1c006dfb160457c2957568a4ea793ce87d60026ea8b4ae63a1a0dbf8b74c6136ecfc3267c4a0a3a3c67df218109c4d34f69197b71fe42d
-
Filesize
342B
MD5e3f69ffc8aa08a62dd86b0b4a9d01456
SHA159b0d6a11a39a759cbca706c44f9886ddb8a661f
SHA25655848df8cb5044c0b3541010582df1e3c0d60b81515c450baa756c0dfb90ef72
SHA5122e0554b5030678f56ef8289a985c8507395acc8d108fe38ca097e081a1c32b6eceb11264c90ba7baccde900a4003f349cad9b9f572bd892624d9915eb9d5f55d
-
Filesize
342B
MD517f4a2d43bf227019d6fbc2f71c2dae7
SHA1748ccfbb367230ff15a2e83d81bea9d6f7e4aeb4
SHA2564e86bd7d3af8c1cd850a55ab55d6a7eae8e0c186cc00c3bed9c7dab50a248aca
SHA512f356a8a3c8604e7f6c0f1369043eb78ef66bb31c122e8e0affb026087c3fdb55006fb6594cf96a0e77365abc85ec16317b3e44e2bf35251f7845e306178f0f75
-
Filesize
342B
MD52bd4e668c40d5271eb2da19940a58864
SHA1cdb45bab2761e2e1137153b1687752de83fca6ae
SHA256c95442e515719d136b0256a784bc07cc2b5a02b5381e5fded099358aa179fcd3
SHA51203dcd53726085c7d7e7f3ac346c95fc98f6f18c10114df347b4dbbfc865d013938c8fad61cc8f9562dc9059578467a27855ed5933d7e40fbddde650b84297054
-
Filesize
342B
MD5661ff082fdca347a006167a9ac9a88ae
SHA1e2c9d714e32177d2424ea6f9eee228e641a310a6
SHA25672e694540ed7d4a881362a4c00e6e6604cdcabdec6f5a6178f10779e2b38866a
SHA5120a3920e8680704db0798fde5e3f273c1b5e70c15394d83ad1ed3b9ce57959cbc505e28053fd212a41b7c5fc2d69702737caaf83bcd420676fe267cb961bcb10d
-
Filesize
523B
MD5296e17553404fc4a098d179a71366371
SHA11a3893b91be42fce11dd2f43c933e5ee7e33a5d6
SHA25610d0a0f652c3f8235f61486a3b823cb2c703593fa496eeba5536a80013bff474
SHA512e48bf5d77697e8bde298d888acb05a210a1de16a864430ec54a9c05a20c3155782380c1bc5f38deb0de47c43f42df63af8787fa13dd4d0524b36754bd8923aad
-
Filesize
746B
MD546119df602473af0d0bf4b749f1dd9d6
SHA131fb3e3be23646386502d2293ce58ffe0a473db3
SHA256cea4901c4bf293a91d9f40eb0cd7583f89d937fc8c8d9f3de7d028ae2b7178a7
SHA512862b2a75cb7f0fc837b7091c9cb562829adbde32362788cb627e843492748a51f5091720088a70f9a06a5d4beb6ec0f40eb5243b80f2ce2e63806315f3ada7ea
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
236B
MD5af1882a3582484bd38720007ec4cf175
SHA13abd2216bc32e544336795fb5a606058ce3f027a
SHA256c0cc180684ebd7f0e082c165060170b055fcb3ea30b89680ea4f8d357d5ecc31
SHA512c3444f6b9dd92ff10ae5e821a8dfdd574a93e4b3bc2c1d3c4f4c3bf9eeabe040fcc5b3e0dca7b2596e46c02873a360e264ed443cd86e0d776bb77a9b4965aebb
-
Filesize
1.7MB
MD5274aec1dc6b1373db8691f5ebee16129
SHA146b6476c005cacd0585473d9ffdc64584d4903ea
SHA256127d3aaf0e2c58393e4faf95ab608ea0153366e54fc6060a7f651af0e89636bc
SHA5127fba986a6ffae4d5b8f426fd5f3eb02878199fbca2edb7b8e586c1faca13517daee3712d763f78c455fe990cbcf1b9bbffc2ea7075cf48f6e1e4605d0d5ea116
-
Filesize
1.7MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
1.7MB