Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10-11-2024 17:03
General
-
Target
e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
-
Size
1.8MB
-
MD5
a2e72e24af123d7c43c0b2a998f829f0
-
SHA1
31d2f614def3942ca91743f6006ff1dc90f1ce94
-
SHA256
e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80
-
SHA512
1a3df078ec2c913ea60b091ef2e7e46cd30c742d0a4325d11412d58b432474a1d7f2cd86e549ee6dc27a1f776c2eed88092874205ac98d463765bd13db867d9b
-
SSDEEP
49152:OhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:OgVTVXYNX9mOWSkM
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 21 IoCs
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 14 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
-
System policy modification 1 TTPs 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe"C:\Users\Admin\AppData\Local\Temp\e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system\OSPPSVC.exe"C:\Windows\system\OSPPSVC.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e30788f0-b2cc-4472-a4e4-4537c9407837.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\OSPPSVC.exeC:\Windows\system\OSPPSVC.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8418fe1-ff6d-491c-bb3c-414edce14406.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\OSPPSVC.exeC:\Windows\system\OSPPSVC.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9c80d69-27f7-411c-9afd-37fa4f03675a.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\OSPPSVC.exeC:\Windows\system\OSPPSVC.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\780aaead-354b-4847-a6ef-d75fe857503b.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\OSPPSVC.exeC:\Windows\system\OSPPSVC.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0328c20c-ce8a-4426-ae94-7bf22cd6fbb2.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\OSPPSVC.exeC:\Windows\system\OSPPSVC.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ef9cda0-5905-4948-a8a0-22cf2a9615d4.vbs"13⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369b4521-c8bb-45b5-bf80-c4f504a264ae.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d66f3b9c-b4d9-4e6f-80cd-d08061cacade.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b777ef52-9bdd-43e6-bfba-b60fcf1b4911.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1e154f3-c734-42cc-a087-5786f4eea890.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44390f1f-1170-42ea-95b4-58dfb6005892.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df621851-0ee6-40aa-a559-eed929479ae1.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\system\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\system\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\system\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5a2e72e24af123d7c43c0b2a998f829f0
SHA131d2f614def3942ca91743f6006ff1dc90f1ce94
SHA256e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80
SHA5121a3df078ec2c913ea60b091ef2e7e46cd30c742d0a4325d11412d58b432474a1d7f2cd86e549ee6dc27a1f776c2eed88092874205ac98d463765bd13db867d9b
-
Filesize
705B
MD55217cb9d2ba261f5e8aba665d854aa05
SHA1f556117fc7e0900b08592e827d6fe50be7bfcf51
SHA256980e100a4d32cc6a6cbab9e42cd23c15add7af8bfae53b72253b619ecd976670
SHA5122090ee10863647cc01074a67b20026ca98829c05cf21db6ec5a30c1ea4833705b86a968c4a1744ed7e3519013c77cb1bb11dbc78fb5eddc4f8d270a77a0a8974
-
Filesize
705B
MD5edabf6d68db799ff96769766f438da6f
SHA1e163def3cbb8646b58c2b40ca23d0d3b267aef75
SHA2563ff219ee72f4700152f3bfa8ed503e62ab748fd2291e8ad5bd9c55315e831748
SHA51294273f1d7639dcdf24e221af210709bc52c52ee709d23d2b9df791a09f3da858cb71b4b156e3615ba4ec7d7a120dd944424b2062792cd57496ed8872f1975d18
-
Filesize
705B
MD51443fa4981fbfb80e12510053e5ed224
SHA1aaf78ffb283ca9415d791322d6d491d99273eeb1
SHA25642d5e391ebce495d049cb2cdcb4e232dde19d15cf5fd866bb87c1c127cf6fe71
SHA51219cd7178a5ab1130aa7e229ee27571db8a13a408b36172a6ee2031c1bf202e23ae97f87a0a547884a08378411d5b726f70d1f7f3888a96a33ef24d63e163425f
-
Filesize
705B
MD5023581ff153f5d5991c1c32fa15e1223
SHA19eab52a3ddbc9e6ae4866e24db264d558795d58e
SHA2560e800ac7a0c1e2c9b63009677e7c54f78a8fd138e6cb2ed83a6142421c4ecb68
SHA51200b0e3dbbd7ed198a4203b93995a307840f653bbba40fef87e52d4cce2132716ef253d782e11b25b3ce14d5268d0648a64a86d54d5efcd5877d1078066ed60e0
-
Filesize
705B
MD565e5d2cede433690cdba1b160e6e59bc
SHA17dafc26e2e25adbb6ce83bc1b3ca9a30693c5ab4
SHA256ba57762f902e8c31abc8be95285b4a91ad5c5db21a3f7fa82028390d535a881e
SHA512cfb02ab47990b23f2083d0e4bcd9d0d6626e5f5df2cd196aa3c4f895d34b7f08325a73e28c7ad12e56e77fcaed2a19a64c043e82060b4fb921b9d3c320bad4f9
-
Filesize
481B
MD59cdac72997b7229aac6711f7369a5d23
SHA190217897d7dbd23d5781581737810bfd8e44565c
SHA2564c944bdf6942f6b618fdbb3c5755a480ac436caefaeeb4800df1f180008433a1
SHA51236c618c97d2527f5a8b6e83651e27ad8c2bb251cc6d6895ad2d55bd2891fcb59bae862347809caed739a3c79666fc11db0bd1a8a29f1813edfe456cbc30073b4
-
Filesize
705B
MD593aed571667f8821cfee49311fdc77f3
SHA19b1c66d259c42120e4bf01343ac8b4865a5b709a
SHA256876682138d4438ed10b8089ffa69b4b5e51aa821f9dc706c8f58466cb577178d
SHA512f73457405b73a619187100553ec3f582593825d9f94681f2a0876e1ff8aca2318d178547b80b00a696877ef20b651ab7d02c262047fe867ec6bb8fc4f06aaa99
-
Filesize
7KB
MD5f40dfb4fc295c8b6c8ab39bd2d68a397
SHA1d1492d9e588050032d9721e50b6ff6abc3ef71a3
SHA256f9da4fc77a4215929ab44b68169655ff96a828b561a98fe3eaf2efc531a27b10
SHA512c4a658d61c16be2cb897f6ce6df8d57e0c7a01c2b969c42596d7e1053b27ac217e44d9eac67f8278a802983bdd3c4da2fbef65d49adb039493e20b10b07d87ef
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
2.9MB