Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-11-2024 02:21

General

  • Target

    430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe

  • Size

    1.9MB

  • MD5

    b379f4ac167609d8a3ef26444098b61d

  • SHA1

    85fe0bbbe666d72a955ee98444415194e00739eb

  • SHA256

    430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80

  • SHA512

    0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe

  • SSDEEP

    24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
    "C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j3ge12os\j3ge12os.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3E2.tmp" "c:\Windows\System32\CSCEE2C1281E5AA465BB178E71C58F4F651.TMP"
        3⤵
          PID:2908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\services.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsass.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\System.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAeXItx3bJ.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2176
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2208
          • C:\Windows\fr-FR\services.exe
            "C:\Windows\fr-FR\services.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1372
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\fr-FR\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2468

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESD3E2.tmp

        Filesize

        1KB

        MD5

        bdd05466b6fa0cee96af7c6ca25ddbf2

        SHA1

        da4eedcab2e624415525907f47b5cce2563a7f33

        SHA256

        d1c5a0c9def71a55c6c34f0839cb9094753e2dda29ca69d4e9265067e5e0a54a

        SHA512

        d981929addb2059ec25c161482e593012fb220507d961faadf2e382bf1b7f648820652f7a96483a7ed266640fe5ec3a30fc2925e518a3ab178a712177d0678ea

      • C:\Users\Admin\AppData\Local\Temp\lAeXItx3bJ.bat

        Filesize

        157B

        MD5

        e96815e73f04233366232bb522d1d110

        SHA1

        7e307a967901d37b34409cc2ad6145c6a5c3c5ea

        SHA256

        15b10b1b1941b699eed53b45046af69c11d41c9d6c9673b45457c0f9cee687c4

        SHA512

        02cdfeb644245523b78bcdafe0317a7864fd5dc202a15e9ee437a97ae7d2c8013dc489b7470af2250df3497c618c1283a197b5f4a03f1ffb2eea76da943b15a9

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A7ZQSOT1EXBBYOB3X181.temp

        Filesize

        7KB

        MD5

        15470336762a7e1ead07a820807ead7f

        SHA1

        cb4be7262d395ae97f331bbd716cec27924fd4e4

        SHA256

        8ea8e070699242118fb20bd53de229a02dd4293985ca763db6c68d613c296a48

        SHA512

        d96475b6795c290df446b6661e0c666f1785515e7e767d5adef9f1f8bfdc04706f723f74553bd98e9afeab8c03d60eaa5e2d476888f2f3a67c112f5fe9869377

      • C:\Windows\fr-FR\services.exe

        Filesize

        1.9MB

        MD5

        b379f4ac167609d8a3ef26444098b61d

        SHA1

        85fe0bbbe666d72a955ee98444415194e00739eb

        SHA256

        430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80

        SHA512

        0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe

      • \??\c:\Users\Admin\AppData\Local\Temp\j3ge12os\j3ge12os.0.cs

        Filesize

        361B

        MD5

        41821d9875810b2d11667c9cd6787ca0

        SHA1

        a9cb902ae7a18e76bb6a5877b3f6d7612585fac5

        SHA256

        64282d4f7dd1b41a6ba7a9439382d5df0f16d78e665d3e25bc018cc93e45d8c6

        SHA512

        fb646e208ae532bef7aee0750289b0027b6f22d3fccc45f3cc040d89bda56f82ad591a64184b869ce9b219c737633cf53bd7a750d24405c2730a242a7e4bea4f

      • \??\c:\Users\Admin\AppData\Local\Temp\j3ge12os\j3ge12os.cmdline

        Filesize

        235B

        MD5

        1ad5810077e33a911d14ef0460d1ccf3

        SHA1

        bf3c8638f53c76e26d4df4ec7c0e5ba03b4c1779

        SHA256

        19ab4a68420194d302154f6d20e65d42e1ff48fef2f4c20be6668ecc4c95e25b

        SHA512

        15ab194567a6063faf3ab85f89a90049e17a7ea5db151587f990ef50c774022f64c0d4105ed000c98dacd827a3e05b3a5f90006d1e0503c1238e8f1a0b014e72

      • \??\c:\Windows\System32\CSCEE2C1281E5AA465BB178E71C58F4F651.TMP

        Filesize

        1KB

        MD5

        fccbcfaf29fdccaabada579f7aaf3ae7

        SHA1

        f9b179b6aab6b96908d89b35aab3f503478a956d

        SHA256

        e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

        SHA512

        ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

      • memory/108-20-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-6-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-12-0x00000000002F0000-0x0000000000308000-memory.dmp

        Filesize

        96KB

      • memory/108-14-0x00000000001A0000-0x00000000001AC000-memory.dmp

        Filesize

        48KB

      • memory/108-16-0x00000000002B0000-0x00000000002BE000-memory.dmp

        Filesize

        56KB

      • memory/108-17-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-19-0x00000000002C0000-0x00000000002CC000-memory.dmp

        Filesize

        48KB

      • memory/108-0-0x000007FEF54B3000-0x000007FEF54B4000-memory.dmp

        Filesize

        4KB

      • memory/108-23-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-22-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-27-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-10-0x00000000002D0000-0x00000000002EC000-memory.dmp

        Filesize

        112KB

      • memory/108-8-0x0000000000190000-0x000000000019E000-memory.dmp

        Filesize

        56KB

      • memory/108-5-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-40-0x000007FEF54B3000-0x000007FEF54B4000-memory.dmp

        Filesize

        4KB

      • memory/108-41-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-4-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-3-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-2-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-74-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

        Filesize

        9.9MB

      • memory/108-1-0x0000000000320000-0x000000000050C000-memory.dmp

        Filesize

        1.9MB

      • memory/2112-79-0x00000000027D0000-0x00000000027D8000-memory.dmp

        Filesize

        32KB

      • memory/2312-88-0x00000000001C0000-0x00000000003AC000-memory.dmp

        Filesize

        1.9MB

      • memory/2484-72-0x000000001B6B0000-0x000000001B992000-memory.dmp

        Filesize

        2.9MB