Analysis
-
max time kernel
121s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
06-11-2024 02:33
General
-
Target
3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe
-
Size
1.9MB
-
MD5
059dd6a8cb2d31871bb82dbb158965fa
-
SHA1
10507debf7b1a88791b65fc08a5b995f9b873aee
-
SHA256
3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb
-
SHA512
3a9e138d8682f6e22ddcdd480da8cd6893d86cf1e48b7e4232c1cd87a9abe2a3e29577201ace85cf551739c33855352c081c85a2992eb60c2947a1524634580e
-
SSDEEP
24576:2TbBv5rUyXVfKEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6c:IBJfp1JAz5cjb6k4cFdaNjTXfa/h
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe"C:\Users\Admin\AppData\Local\Temp\3d92f050fc88966bd639d315d04fa9fb686ba5f61b2ac81c1e47449125a5a9cb.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperContaineragent\6TX15s3o3dST68MJkEj7bgGxU9zvefDuKPar5COcqC66esPk.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperContaineragent\CYWN6IDJqLBtl0YjSrMSw1hYURgrvXzRLx.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\hyperContaineragent\Bridgecommon.exe"C:\hyperContaineragent/Bridgecommon.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ftamehrm\ftamehrm.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE82D.tmp" "c:\Windows\System32\CSCF6ECCE25E2E14ADC94B1354114821B4A.TMP"6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\en-US\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\hyperContaineragent\Bridgecommon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7zvV458Lk5.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\hyperContaineragent\OSPPSVC.exe"C:\hyperContaineragent\OSPPSVC.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\hyperContaineragent\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\hyperContaineragent\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\hyperContaineragent\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\en-US\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\en-US\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\en-US\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 7 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bridgecommon" /sc ONLOGON /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgecommonB" /sc MINUTE /mo 14 /tr "'C:\hyperContaineragent\Bridgecommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
210B
MD574da0233000aa115cffdb413b7669e85
SHA12cd0221fc4c506c9dc8426af0d31d3407db13704
SHA2569548ede331a818f6aed140027da7a5c2059cbc54a0dbd6c98c6df5c4bdf1f063
SHA512950eb66188f35873552876dd080c05722d525fd97d6ef8895385869469be8efe2bdfa0e4199c868f274f71f9ba4ff7446bb70d7bfd3e4ef588f70eb26c3ba10a
-
Filesize
1KB
MD50b3927b8a5b875017cff6120afc21d1b
SHA1eae98e2bc8a4ee53052d7b7fd13e5f94a78a6e42
SHA2569b11b0bf57627fb7de11859a3da5a6a51a96a0695804e7f5af3c8a44a6875730
SHA512205248cb3bb4fd491da082c842c577e45c8487d20d8b2ab29be0c6f495ba263a366865c6994e6986278a618de78e3a7bbe31d362ab29c393f56347ef7cf88179
-
Filesize
7KB
MD5a4d0a0a96a0706d61289fc17334a0044
SHA1189ba2c96cd897bed57a265be9c916cdd7a24137
SHA2565785250d6e6723eb3eac38643be37390bf04ae022303060d7e4eecd945c67a9f
SHA512b68b50d8fcc7a4ab0103cb2d67aafc639571441e0ef3e2d0eb8ce81352fc2e43d0947c175fb38e0d330de09af749e63ff486a5f97f172938cd235c94d5107bb6
-
Filesize
232B
MD5321b2b59ad9c31cf688937ac999a85af
SHA14e427aaa9f2ef8a56da4c78bef071c28db269c36
SHA2565758fd0e39dc256b30ed578041ca918d92a69b9df7e4ad7808a925619fde3f85
SHA5122e77990658a9602e1da837fbc4754f7629df1b6fb6c0a41fb5a1250a924d30fa564c2b3c69c1582d0062244da480e293ea906d30b4c04cc57016d7b3f3ca30e2
-
Filesize
83B
MD5df218c1160a79b119167d4dd812857ea
SHA1e0adece134e3ab420a5eb152b98f89f8b15399bb
SHA256e5cf111b8b8722e4c2ef307e6de857530b48ea2c52a18819424bbbeb8f23a0db
SHA512aeaefbbaee7da588e16ff9f6928b001ed9cfcfa60fe54705f5c4705526b010039a92c6dd34dab4b592e5d24a044525e5e2c3ba4b4acac7d07c10f7e4c5488f17
-
Filesize
366B
MD51288223eba76fb79f6b3daf746ac139e
SHA1f1d63ae7021feaa22a5b44b746b38a95f497263e
SHA256c9262f00ef8c6ffbd39744f43a03131146e27d07af1134b2fd3d6340be16f5c0
SHA512d5768dfab74c37abea045a8251e5c3c34e23a249a8b2e64176946218439f47bc8fdd53ea40bf3f829d2aa78944d2e286146a3d63de52b61886344f7512f32e12
-
Filesize
235B
MD57433e3646559dca7a0a40e0825589302
SHA1ba52089ece733367471347fca02d60d259bd40cb
SHA256bee0ef7dd71de72784a4df179c7d2cae2f2c5a52b19e3e6b7035ff277e512ea4
SHA512313467e90b1fd47586131b021b15ca5ebf3900d4ec044f8c40453bf5c57eced5cb3b0c109aabf2620f01df1d3d1dddf09a43625bfbaebd7a85b841edf8f46d89
-
Filesize
1KB
MD5fccbcfaf29fdccaabada579f7aaf3ae7
SHA1f9b179b6aab6b96908d89b35aab3f503478a956d
SHA256e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02
SHA512ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10
-
Filesize
1.6MB
MD5477db3de46b7779b63495a8bdb279f2c
SHA177dc3f7d83728294c49298db82dd0e668adc3a73
SHA2568b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
SHA5124ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.7MB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
1.7MB