Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05/11/2024, 22:51
General
-
Target
059DD6A8CB2D31871BB82DBB158965FA.exe
-
Size
1.9MB
-
MD5
059dd6a8cb2d31871bb82dbb158965fa
-
SHA1
10507debf7b1a88791b65fc08a5b995f9b873aee
-
SHA256
3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb
-
SHA512
3a9e138d8682f6e22ddcdd480da8cd6893d86cf1e48b7e4232c1cd87a9abe2a3e29577201ace85cf551739c33855352c081c85a2992eb60c2947a1524634580e
-
SSDEEP
24576:2TbBv5rUyXVfKEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6c:IBJfp1JAz5cjb6k4cFdaNjTXfa/h
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\059DD6A8CB2D31871BB82DBB158965FA.exe"C:\Users\Admin\AppData\Local\Temp\059DD6A8CB2D31871BB82DBB158965FA.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\hyperContaineragent\Bridgecommon.exe"C:\hyperContaineragent/Bridgecommon.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bykkela2\bykkela2.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BED.tmp" "c:\Windows\System32\CSCE7147E7D37045AABAE7E2E0A2B8234E.TMP"6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MoUsoCoreWorker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\Bridgecommon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFz9ci6xjk.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Users\All Users\Microsoft\conhost.exe"C:\Users\All Users\Microsoft\conhost.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 9 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bridgecommon" /sc ONLOGON /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 5 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
1KB
MD59f44400badd0a127f1460c63e1a5f0a9
SHA19a7dfda8720c9c406047bc24208798aa0ea66250
SHA256906dcc64e69e8558864633e3bf41d05d29025c7dadc337b3e1873ec2e8fa1a42
SHA512a84167cb9d64fdd57f01d56c5334c9e054e31d149d21f4d161a2410c98d6514e5342315ad1a9a9cd331c5472233da26077525e3c96ef518e9df863f6bd8bbbba
-
Filesize
216B
MD520e3d37622e665b6da04a28b783a5945
SHA1a6823f520cb3768d05ebf4ea4cf4b59aa3bd5212
SHA25610cff66efb55ffbf4f6a01d4651a9c7ef03e9ff4d0fef876e82bcd3524f2d142
SHA5124160ba411253bde5a1406ead43b684c900a25cde2b6532e5ffc4eb469e44bd0d8fa863864d0e3b1f4f2e77184b8787a7b64616894813a2ca01e550bde5197780
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
232B
MD5321b2b59ad9c31cf688937ac999a85af
SHA14e427aaa9f2ef8a56da4c78bef071c28db269c36
SHA2565758fd0e39dc256b30ed578041ca918d92a69b9df7e4ad7808a925619fde3f85
SHA5122e77990658a9602e1da837fbc4754f7629df1b6fb6c0a41fb5a1250a924d30fa564c2b3c69c1582d0062244da480e293ea906d30b4c04cc57016d7b3f3ca30e2
-
Filesize
1.6MB
MD5477db3de46b7779b63495a8bdb279f2c
SHA177dc3f7d83728294c49298db82dd0e668adc3a73
SHA2568b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
SHA5124ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956
-
Filesize
83B
MD5df218c1160a79b119167d4dd812857ea
SHA1e0adece134e3ab420a5eb152b98f89f8b15399bb
SHA256e5cf111b8b8722e4c2ef307e6de857530b48ea2c52a18819424bbbeb8f23a0db
SHA512aeaefbbaee7da588e16ff9f6928b001ed9cfcfa60fe54705f5c4705526b010039a92c6dd34dab4b592e5d24a044525e5e2c3ba4b4acac7d07c10f7e4c5488f17
-
Filesize
376B
MD5b2eed57b050f4d77623059909d61afd1
SHA171a1fdec9770dd9fec238ee0427916c7b07d6ef1
SHA25667bb5e90bfeef9a7d6c0325c1c152c1d7c372447ef12f6c93fb1b8d66fbfff76
SHA512d9cacd17f8dd0ed31af7700ad39d1147fc1890243b4306e693fbb629933bd784810ebc9873a0d4ba4251ca419906480dd0e0a4c7abb5a688b271bc8d089cc3be
-
Filesize
235B
MD51b44085b60db1b1e8dd653b34a7128b3
SHA19429fda7df09d45346e84863ccc74545bd814820
SHA256526218a51ac2a6558e0dd98a26a8e97d613a51b09663c9afcd3b8924d69c6d41
SHA5127e5f7fb5ddea6057d13a01038cc4e8ce6c723cffc9f84fe913e36390dc752ce9f862acc7c628dd8f2e0130ae3dfd356d06245fbb3929979e059c8e24d83007ea
-
Filesize
1KB
MD51c519e4618f2b468d0f490d4a716da11
SHA11a693d0046e48fa813e4fa3bb94ccd20d43e3106
SHA2564dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438
SHA51299f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
1.7MB
-
Filesize
8KB
-
Filesize
136KB