Analysis
max time kernel: 118s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 16-11-2024 02:15
Static task: static1
Behavioral task: behavioral1
  Sample: 24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  Resource: win10v2004-20241007-en
General
Target: 24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
Size: 775KB
MD5: 0ed1f9cb842483e03e36cee538678ffd
SHA1: 1d13a84aa671b75f66f4c7fce8339619291d4a43
SHA256: 24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc
SHA512: 78cb214db0ecbc532a50fc1344a138125e0031485c004e95bc21064165f9fd667fa582cd5196a6e1b4276b6dd7fa1d23dfabfe0c58b0d93fbf8e5329b064a809
SSDEEP: 12288:FFg6HIZxWaga+z9e9qJeyLVqlUhqgPXdU2ypi0w8ncqXuvVw4heSNSzLz/:FIrr+h0qJeiqlGVUskcz9w4jI3b
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
  resource                                                                     yara_rule
  behavioral1/memory/2188-17-0x0000000000400000-0x0000000000478000-memory.dmp  dcrat
  behavioral1/memory/2188-19-0x0000000000400000-0x0000000000478000-memory.dmp  dcrat
  behavioral1/memory/2188-15-0x0000000000400000-0x0000000000478000-memory.dmp  dcrat
  behavioral1/memory/2188-11-0x0000000000400000-0x0000000000478000-memory.dmp  dcrat
  behavioral1/memory/2188-10-0x0000000000400000-0x0000000000478000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2184  powershell.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  1384  csrss.exe
Loads dropped DLL (1 IoCs)
  pid   Process
  2456  cmd.exe
Drops file in System32 directory (2 IoCs)
  description   ioc                                                                            Process
  File created  C:\Windows\SysWOW64\NlsLexicons0027\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  File created  C:\Windows\SysWOW64\NlsLexicons0027\services.exe                               24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                                                procid_target
  PID 1956 set thread context of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrss.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chcp.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2104  PING.EXE
Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  2104  PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1032  schtasks.exe
  1852  schtasks.exe
  2124  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2184  powershell.exe
  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2184  powershell.exe
  Token: SeDebugPrivilege  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
Suspicious use of WriteProcessMemory (41 IoCs)
  description                       pid   Process                                                                procid_target
  PID 1956 wrote to memory of 2184  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  29
  PID 1956 wrote to memory of 2184  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  29
  PID 1956 wrote to memory of 2184  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  29
  PID 1956 wrote to memory of 2184  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  29
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 1956 wrote to memory of 2188  1956  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  30
  PID 2188 wrote to memory of 1032  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  33
  PID 2188 wrote to memory of 1032  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  33
  PID 2188 wrote to memory of 1032  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  33
  PID 2188 wrote to memory of 1032  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  33
  PID 2188 wrote to memory of 1852  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  35
  PID 2188 wrote to memory of 1852  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  35
  PID 2188 wrote to memory of 1852  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  35
  PID 2188 wrote to memory of 1852  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  35
  PID 2188 wrote to memory of 2124  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  37
  PID 2188 wrote to memory of 2124  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  37
  PID 2188 wrote to memory of 2124  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  37
  PID 2188 wrote to memory of 2124  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  37
  PID 2188 wrote to memory of 2456  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  39
  PID 2188 wrote to memory of 2456  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  39
  PID 2188 wrote to memory of 2456  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  39
  PID 2188 wrote to memory of 2456  2188  24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe  39
  PID 2456 wrote to memory of 2340  2456  cmd.exe                                                                41
  PID 2456 wrote to memory of 2340  2456  cmd.exe                                                                41
  PID 2456 wrote to memory of 2340  2456  cmd.exe                                                                41
  PID 2456 wrote to memory of 2340  2456  cmd.exe                                                                41
  PID 2456 wrote to memory of 2104  2456  cmd.exe                                                                42
  PID 2456 wrote to memory of 2104  2456  cmd.exe                                                                42
  PID 2456 wrote to memory of 2104  2456  cmd.exe                                                                42
  PID 2456 wrote to memory of 2104  2456  cmd.exe                                                                42
  PID 2456 wrote to memory of 1384  2456  cmd.exe                                                                43
  PID 2456 wrote to memory of 1384  2456  cmd.exe                                                                43
  PID 2456 wrote to memory of 1384  2456  cmd.exe                                                                43
  PID 2456 wrote to memory of 1384  2456  cmd.exe                                                                43
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
  PID: 1956
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
    PID: 2184
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [level 2] C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc.exe"
    PID: 2188
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f
      PID: 1032
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0027\services.exe'" /rl HIGHEST /f
      PID: 1852
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
      PID: 2124
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E03v8V9qQN.bat"
      PID: 2456
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [level 4] C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
        PID: 2340
        - System Location Discovery: System Language Discovery
      [level 4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 5 localhost
        PID: 2104
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      [level 4] C:\Documents and Settings\csrss.exe
        Command line: "C:\Documents and Settings\csrss.exe"
        PID: 1384
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
Filesize: 201B
MD5: 14c1353e5384ae3e16132a18525dac48
SHA1: 0dba19dc258caff30119ea07c5cc129409e47a05
SHA256: 794cd3fc5f499a9ae8c15f710bb77a9ebf5726f72c8bde58c580bf54a5e7d81e
SHA512: ac98db0f4c983e3c9c26d5968e8c7c78e0318523e5ffb81853aedd5aaa0a53d73fabc147664131c62cdf3b9fd0b1d5846ce6d1a2f3b5ea257575fb2aa4b54f1a

Filesize: 775KB
MD5: 0ed1f9cb842483e03e36cee538678ffd
SHA1: 1d13a84aa671b75f66f4c7fce8339619291d4a43
SHA256: 24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc
SHA512: 78cb214db0ecbc532a50fc1344a138125e0031485c004e95bc21064165f9fd667fa582cd5196a6e1b4276b6dd7fa1d23dfabfe0c58b0d93fbf8e5329b064a809