Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-11-2024 00:30

General

  • Target

    93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe

  • Size

    1.9MB

  • MD5

    d555abf32ac6999a3ddd82eff6523be5

  • SHA1

    fc57db7c9856edd9018b4128b96a9a53146bf910

  • SHA256

    93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f

  • SHA512

    5c3b30b37394a4b89c1939362fed98f0435d44010b50570cb7841508626de7cdef994890f9736530a94dd065d4ee7bf14cc7dbbe50326c9964a198a21c7d5fa9

  • SSDEEP

    49152:eLviZcjVZitNo7l+/yPyC3A0qu3/JbbdY/m/w0p2ZJ:eLvUcBKopOyPZVVYmN4

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
    "C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zjiibn3i\zjiibn3i.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEAA.tmp" "c:\Windows\System32\CSCA9528983CC49495092BFEE7CC66BFDDF.TMP"
        3⤵
          PID:2572
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\he-IL\spoolsv.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\services.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:988
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NrcfFdhdSl.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1000
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:1784
            • C:\Program Files\Windows Portable Devices\services.exe
              "C:\Program Files\Windows Portable Devices\services.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2872
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\he-IL\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\he-IL\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\he-IL\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2364
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1500
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2264
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1248
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2424
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\security\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f9" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f9" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2148

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\NrcfFdhdSl.bat

          Filesize

          230B

          MD5

          df82c68246f255ba7f3ec5b61b175e3b

          SHA1

          4674073fb3a5351dbbb4d5ee4e9f932a681729cf

          SHA256

          c38b277a8df8d17733055e9678e9e9bfedf482ef4fd6cbac73d38a07f03e4a3a

          SHA512

          18f14ab44653269b11e2679c0280118e4d46531ce5e8e6da7d35554690345d521aa6e891d4e1b8d3676bd57ef5ed53b3fca32048c0afa9f078b30941c4fd847e

        • C:\Users\Admin\AppData\Local\Temp\RESFEAA.tmp

          Filesize

          1KB

          MD5

          86b3b71e615fe81d732055fc3083218a

          SHA1

          a1fbc34cf4d6b89c188f5f10adee39ae154de0da

          SHA256

          2501c1292f9b3ce26915861404a3cfb59e4335f08cc355f7da7b6b8e60bdb3b7

          SHA512

          b1d12d0fa0fa9bb97b7938dff01c46f3ee0dc4699e2783e66eed1a8120bd248e8baad0a0bfa73936fe3d13fa451c3d8fda3be4f9890685e20f21e234d12d8b94

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          f8cb8a5797a999b1ece8b34ef53baafd

          SHA1

          1b23c4f964cfd724d84f9b51eb548645bb0b8f8a

          SHA256

          b1ed1518fbf1115b87bbb7ffbb8b5164d99b9235144294d165578939c19ceb56

          SHA512

          069327fb7db49442aeb02fa0a84943fcf52aed17427b00425a27d9c5ed2d25875644d0977494c474bc4f5f2b4c5557d54cced58ef6820d57cbc22053213d8983

        • C:\Windows\System32\he-IL\spoolsv.exe

          Filesize

          1.9MB

          MD5

          d555abf32ac6999a3ddd82eff6523be5

          SHA1

          fc57db7c9856edd9018b4128b96a9a53146bf910

          SHA256

          93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f

          SHA512

          5c3b30b37394a4b89c1939362fed98f0435d44010b50570cb7841508626de7cdef994890f9736530a94dd065d4ee7bf14cc7dbbe50326c9964a198a21c7d5fa9

        • \??\c:\Users\Admin\AppData\Local\Temp\zjiibn3i\zjiibn3i.0.cs

          Filesize

          369B

          MD5

          de77adac1e2272ca9865c987c370273e

          SHA1

          50d65b20449c57deba2e15136765efb8b1a5cfb5

          SHA256

          6507c1105caf0c064491a35e89a51d296d943def240ec957ab2da6a9ed503481

          SHA512

          c67a33493c26f5076607653ca00c0eac4a348753a631480190dea0018d8dcfd3e513d458146d275e04ded8bd7952e7e64b6d9e0fb629bef80e6b197a12d61619

        • \??\c:\Users\Admin\AppData\Local\Temp\zjiibn3i\zjiibn3i.cmdline

          Filesize

          235B

          MD5

          58d9c3c78af767f701c71c532470fbcc

          SHA1

          a9d212c281e51ccd51b4874c0c5ebff4e981cc7f

          SHA256

          ed7a3a3ab007ccd8d3b69434edfcf76f0fc10e7bcabf9637d24b68fee4727649

          SHA512

          e3a3ebbaaeda032ea401a12eca7be9ad953fba4be67240ce92dda324a5a949b9be1f64900ee1c314b8387843f1a4a9491c9ae008e3ae0a185ea8f24f6a17d3fc

        • \??\c:\Windows\System32\CSCA9528983CC49495092BFEE7CC66BFDDF.TMP

          Filesize

          1KB

          MD5

          167c870490dc33ec13a83ebb533b1bf6

          SHA1

          182378ebfa7c8372a988dee50a7dd6f8cda6a367

          SHA256

          3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

          SHA512

          1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

        • memory/2084-25-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-9-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-12-0x00000000007D0000-0x00000000007E8000-memory.dmp

          Filesize

          96KB

        • memory/2084-15-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-14-0x0000000000790000-0x000000000079C000-memory.dmp

          Filesize

          48KB

        • memory/2084-18-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-17-0x00000000007A0000-0x00000000007AE000-memory.dmp

          Filesize

          56KB

        • memory/2084-20-0x00000000007F0000-0x00000000007F8000-memory.dmp

          Filesize

          32KB

        • memory/2084-23-0x0000000000800000-0x000000000080C000-memory.dmp

          Filesize

          48KB

        • memory/2084-0-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

          Filesize

          4KB

        • memory/2084-24-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-21-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-8-0x00000000007B0000-0x00000000007CC000-memory.dmp

          Filesize

          112KB

        • memory/2084-10-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-6-0x0000000000570000-0x000000000057E000-memory.dmp

          Filesize

          56KB

        • memory/2084-4-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-3-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-49-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

          Filesize

          4KB

        • memory/2084-50-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-51-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-52-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-2-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2084-1-0x00000000002D0000-0x00000000004C0000-memory.dmp

          Filesize

          1.9MB

        • memory/2084-77-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

          Filesize

          9.9MB

        • memory/2112-76-0x000000001B770000-0x000000001BA52000-memory.dmp

          Filesize

          2.9MB

        • memory/2112-78-0x0000000002860000-0x0000000002868000-memory.dmp

          Filesize

          32KB

        • memory/2872-92-0x0000000000CB0000-0x0000000000EA0000-memory.dmp

          Filesize

          1.9MB