Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 22:51

General

  • Target

    059DD6A8CB2D31871BB82DBB158965FA.exe

  • Size

    1.9MB

  • MD5

    059dd6a8cb2d31871bb82dbb158965fa

  • SHA1

    10507debf7b1a88791b65fc08a5b995f9b873aee

  • SHA256

    3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb

  • SHA512

    3a9e138d8682f6e22ddcdd480da8cd6893d86cf1e48b7e4232c1cd87a9abe2a3e29577201ace85cf551739c33855352c081c85a2992eb60c2947a1524634580e

  • SSDEEP

    24576:2TbBv5rUyXVfKEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6c:IBJfp1JAz5cjb6k4cFdaNjTXfa/h

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\059DD6A8CB2D31871BB82DBB158965FA.exe
    "C:\Users\Admin\AppData\Local\Temp\059DD6A8CB2D31871BB82DBB158965FA.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\hyperContaineragent\Bridgecommon.exe
          "C:\hyperContaineragent/Bridgecommon.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3408
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bykkela2\bykkela2.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BED.tmp" "c:\Windows\System32\CSCE7147E7D37045AABAE7E2E0A2B8234E.TMP"
              6⤵
                PID:552
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MoUsoCoreWorker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2172
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\RuntimeBroker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1488
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2336
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4036
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\conhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4644
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\Bridgecommon.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3588
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFz9ci6xjk.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4812
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4912
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:2652
                  • C:\Users\All Users\Microsoft\conhost.exe
                    "C:\Users\All Users\Microsoft\conhost.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\MoUsoCoreWorker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2888
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3132
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4380
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4556
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 9 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Bridgecommon" /sc ONLOGON /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 5 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4772

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          2e907f77659a6601fcc408274894da2e

          SHA1

          9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

          SHA256

          385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

          SHA512

          34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          d28a889fd956d5cb3accfbaf1143eb6f

          SHA1

          157ba54b365341f8ff06707d996b3635da8446f7

          SHA256

          21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

          SHA512

          0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

        • C:\Users\Admin\AppData\Local\Temp\RES2BED.tmp

          Filesize

          1KB

          MD5

          9f44400badd0a127f1460c63e1a5f0a9

          SHA1

          9a7dfda8720c9c406047bc24208798aa0ea66250

          SHA256

          906dcc64e69e8558864633e3bf41d05d29025c7dadc337b3e1873ec2e8fa1a42

          SHA512

          a84167cb9d64fdd57f01d56c5334c9e054e31d149d21f4d161a2410c98d6514e5342315ad1a9a9cd331c5472233da26077525e3c96ef518e9df863f6bd8bbbba

        • C:\Users\Admin\AppData\Local\Temp\XFz9ci6xjk.bat

          Filesize

          216B

          MD5

          20e3d37622e665b6da04a28b783a5945

          SHA1

          a6823f520cb3768d05ebf4ea4cf4b59aa3bd5212

          SHA256

          10cff66efb55ffbf4f6a01d4651a9c7ef03e9ff4d0fef876e82bcd3524f2d142

          SHA512

          4160ba411253bde5a1406ead43b684c900a25cde2b6532e5ffc4eb469e44bd0d8fa863864d0e3b1f4f2e77184b8787a7b64616894813a2ca01e550bde5197780

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkf0nbzx.rcy.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe

          Filesize

          232B

          MD5

          321b2b59ad9c31cf688937ac999a85af

          SHA1

          4e427aaa9f2ef8a56da4c78bef071c28db269c36

          SHA256

          5758fd0e39dc256b30ed578041ca918d92a69b9df7e4ad7808a925619fde3f85

          SHA512

          2e77990658a9602e1da837fbc4754f7629df1b6fb6c0a41fb5a1250a924d30fa564c2b3c69c1582d0062244da480e293ea906d30b4c04cc57016d7b3f3ca30e2

        • C:\hyperContaineragent\Bridgecommon.exe

          Filesize

          1.6MB

          MD5

          477db3de46b7779b63495a8bdb279f2c

          SHA1

          77dc3f7d83728294c49298db82dd0e668adc3a73

          SHA256

          8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

          SHA512

          4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

        • C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat

          Filesize

          83B

          MD5

          df218c1160a79b119167d4dd812857ea

          SHA1

          e0adece134e3ab420a5eb152b98f89f8b15399bb

          SHA256

          e5cf111b8b8722e4c2ef307e6de857530b48ea2c52a18819424bbbeb8f23a0db

          SHA512

          aeaefbbaee7da588e16ff9f6928b001ed9cfcfa60fe54705f5c4705526b010039a92c6dd34dab4b592e5d24a044525e5e2c3ba4b4acac7d07c10f7e4c5488f17

        • \??\c:\Users\Admin\AppData\Local\Temp\bykkela2\bykkela2.0.cs

          Filesize

          376B

          MD5

          b2eed57b050f4d77623059909d61afd1

          SHA1

          71a1fdec9770dd9fec238ee0427916c7b07d6ef1

          SHA256

          67bb5e90bfeef9a7d6c0325c1c152c1d7c372447ef12f6c93fb1b8d66fbfff76

          SHA512

          d9cacd17f8dd0ed31af7700ad39d1147fc1890243b4306e693fbb629933bd784810ebc9873a0d4ba4251ca419906480dd0e0a4c7abb5a688b271bc8d089cc3be

        • \??\c:\Users\Admin\AppData\Local\Temp\bykkela2\bykkela2.cmdline

          Filesize

          235B

          MD5

          1b44085b60db1b1e8dd653b34a7128b3

          SHA1

          9429fda7df09d45346e84863ccc74545bd814820

          SHA256

          526218a51ac2a6558e0dd98a26a8e97d613a51b09663c9afcd3b8924d69c6d41

          SHA512

          7e5f7fb5ddea6057d13a01038cc4e8ce6c723cffc9f84fe913e36390dc752ce9f862acc7c628dd8f2e0130ae3dfd356d06245fbb3929979e059c8e24d83007ea

        • \??\c:\Windows\System32\CSCE7147E7D37045AABAE7E2E0A2B8234E.TMP

          Filesize

          1KB

          MD5

          1c519e4618f2b468d0f490d4a716da11

          SHA1

          1a693d0046e48fa813e4fa3bb94ccd20d43e3106

          SHA256

          4dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438

          SHA512

          99f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd

        • memory/3408-17-0x00000000030A0000-0x00000000030AC000-memory.dmp

          Filesize

          48KB

        • memory/3408-15-0x0000000003090000-0x000000000309E000-memory.dmp

          Filesize

          56KB

        • memory/3408-13-0x0000000000D50000-0x0000000000EFA000-memory.dmp

          Filesize

          1.7MB

        • memory/3408-12-0x00007FFBBC3E3000-0x00007FFBBC3E5000-memory.dmp

          Filesize

          8KB

        • memory/3588-50-0x000001F87F660000-0x000001F87F682000-memory.dmp

          Filesize

          136KB