Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/10/2024, 12:46

General

  • Target
    EC4891EC2E1E54B6E32D1E1B3BDB5915.exe
  • Size
    1.8MB
  • MD5
    ec4891ec2e1e54b6e32d1e1b3bdb5915
  • SHA1
    c30c1fad6115013e814e288a1d06d2523aec6d95
  • SHA256
    44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6
  • SHA512
    3ab4c039d3cf22c55dedf8506851ec3ea221849eb4e132928eb314c67c38a650b403afc4270874c2d2c46875f1a9ec668b83f7619793ef75758bc2398b4cc7cc
  • SSDEEP
    24576:juhBQp12QFQP7U9QlUrNGWsm5wtgeZBN+HE3r13P+doHExf27vH/h6kcWqnxqlM:jMWYoQlUr4M4geZ2ktP+dCEeghxql

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Drops file in Program Files directory 5 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EC4891EC2E1E54B6E32D1E1B3BDB5915.exe
    "C:\Users\Admin\AppData\Local\Temp\EC4891EC2E1E54B6E32D1E1B3BDB5915.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EC4891EC2E1E54B6E32D1E1B3BDB5915.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sHVAvVQ2lR.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:3016
      • C:\Windows\system32\PING.EXE
        ping -n 10 localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2580
      • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe
    • Filesize
      1.8MB
    • MD5
      ec4891ec2e1e54b6e32d1e1b3bdb5915
    • SHA1
      c30c1fad6115013e814e288a1d06d2523aec6d95
    • SHA256
      44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6
    • SHA512
      3ab4c039d3cf22c55dedf8506851ec3ea221849eb4e132928eb314c67c38a650b403afc4270874c2d2c46875f1a9ec668b83f7619793ef75758bc2398b4cc7cc
  • C:\Users\Admin\AppData\Local\Temp\sHVAvVQ2lR.bat
    • Filesize
      209B
    • MD5
      d2163df0578e80c3508127cfed05b98b
    • SHA1
      820826cbd4b6f3f312b4d428b4d7ef4962e213dd
    • SHA256
      8b5a553bc4dfd56a16e289175a84fa49d678ba1153d8a9ff6619616ff0ff425e
    • SHA512
      7f30c5fb6af6c2c2976ef86a5c35f002fdfc93014456402e129aa6cc5e7373585a5592fe3ad56cfd0fb346ed9b71b41ac4f55105806ce46d53ddb3392bb7ae27
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    • Filesize
      7KB
    • MD5
      d6a76ab1d5de92fd2d35417635b857ed
    • SHA1
      6473e1661886a84219f8cec77fa5ed3929ae7014
    • SHA256
      ffa62b26c700701c2155691ee1b0ac7e4a65e1969058ded432d75bb93fe98d91
    • SHA512
      d2d180b082d6ee741da289d44e886c48b3ec71449e18e6bbad08b0269daec51f392d8283cf8bbab57202284a30963436db571cbb6ccdffc7d1a7488592491b36
  • memory/2088-6-0x0000000000170000-0x000000000017E000-memory.dmp
    • Filesize
      56KB
  • memory/2088-16-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp
    • Filesize
      4KB
  • memory/2088-7-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-8-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-11-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-10-0x0000000000180000-0x000000000019C000-memory.dmp
    • Filesize
      112KB
  • memory/2088-13-0x00000000003D0000-0x00000000003E8000-memory.dmp
    • Filesize
      96KB
  • memory/2088-17-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-4-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-15-0x00000000001A0000-0x00000000001AC000-memory.dmp
    • Filesize
      48KB
  • memory/2088-19-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-3-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-43-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2088-1-0x0000000000920000-0x0000000000AFA000-memory.dmp
    • Filesize
      1.9MB
  • memory/2088-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2900-58-0x000000001B710000-0x000000001B9F2000-memory.dmp
    • Filesize
      2.9MB
  • memory/2900-60-0x0000000002340000-0x0000000002348000-memory.dmp
    • Filesize
      32KB
  • memory/2952-129-0x00000000013A0000-0x000000000157A000-memory.dmp
    • Filesize
      1.9MB