Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-11-2024 18:00

General

  • Target

    e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe

  • Size

    2.0MB

  • MD5

    38924c8184bf5944da2ac3e5cd987da2

  • SHA1

    1af0d4b729dd9c3a42c197a4ec961cab5722adda

  • SHA256

    e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908

  • SHA512

    225e25eb08a1abe529a4fc5eb435eb800145a782e3dbdd6ba1c28925f84d758c18111ed181649bd222d50fd4a44f1ede7e43c630a58ae9a92fd2074d3d306a61

  • SSDEEP

    24576:FcBmS1nneRYZwoKBU7ArlQUCeYIxerW33/XfV6jx9aP5VR/z0WcBS4bppmHVSqyW:9S4/ST6xijxsBEmHVSqFHOHqnCgXu8

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
    "C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Users\Admin\AppData\Local\Temp\decAE9F.tmp
      C:\Users\Admin\AppData\Local\Temp\decAE9F.tmp
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\csxt5pjs\csxt5pjs.cmdline"
        3⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9AB.tmp" "c:\Windows\System32\CSC565E4759A4F4EC29875F420D0435D8.TMP"
          4⤵
            PID:3960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2060
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3372
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\winlogon.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:5100
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3092
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0KC50T3yOP.bat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4320
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:4352
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4864
            • C:\Windows\debug\winlogon.exe
              "C:\Windows\debug\winlogon.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2284
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2828
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\debug\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:60
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1460

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        2e907f77659a6601fcc408274894da2e

        SHA1

        9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

        SHA256

        385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

        SHA512

        34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      • C:\Users\Admin\AppData\Local\Temp\0KC50T3yOP.bat

        Filesize

        157B

        MD5

        9aaf0b3101dcf041747338bd4eb33645

        SHA1

        047d9d058d88281139df7d294abbecb625dd34f2

        SHA256

        dfcba38599f7d4c34f1ef8637d66be93a90af3b3ffe51b0dc3ef7e497a7e74df

        SHA512

        de4f232765415c119584f32ce9fd0bcfb7091167375aa12ff71c85037bcba8f6cf48e762a853bfad5a94284869af299859453e2f2bad676a57e9a2a0d090d4cf

      • C:\Users\Admin\AppData\Local\Temp\RESB9AB.tmp

        Filesize

        1KB

        MD5

        874368e376d42a420b7961ba11103d04

        SHA1

        a795691256954c3308ce13b2fc0dbf392c24686e

        SHA256

        5ebd1ff5020f1ddb700d62b80a19a332e8e83e86098cd417afafb695ddc0ff12

        SHA512

        384ab8c541adf6a4d803e718fd64c29f2ffc2759a9926e3b305b19711d9c363f502c27cee3e7bd58a312c383f399b135ffa863208e7f2a5254d61ed2e040b9c5

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndknso4i.d1o.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\decAE9F.tmp

        Filesize

        1.7MB

        MD5

        37d00592110ca3cc53b7f6ca6ab1c82a

        SHA1

        86e13c84c33969081fe59d123e3cf81e9b3e5674

        SHA256

        5acd08cc77f1cebd2cb95f88b37edf94b9e72b9b1c965af7ea2766e9ddc5afb9

        SHA512

        618eeaec0ac5390184a3b6195634cb16d3def1d2ac8ab3664b3128a4e4776dda7777e6c2aedf138a6f8e9b7f6f84fc58c38f89d9178b220443567e0c55e0bbcd

      • \??\c:\Users\Admin\AppData\Local\Temp\csxt5pjs\csxt5pjs.0.cs

        Filesize

        379B

        MD5

        0ab5733430a36d24998de5a627da14ac

        SHA1

        43ec02c14892026baad4d5999f9a16acdfcd9937

        SHA256

        b8bf44eef4f4c8d5d3167c390569242a298fbb129ed366e554a0f7b5972fbda5

        SHA512

        cba8beb803f3f553a470c8299254a27c3c61397181c835b0625f6d04df62f09c2f5e0b157556393d4e95caa7bfd387d0a123add444fa870cde8c543b3f2b5061

      • \??\c:\Users\Admin\AppData\Local\Temp\csxt5pjs\csxt5pjs.cmdline

        Filesize

        235B

        MD5

        9713f64e7c21fb5a927270eb6cf4d483

        SHA1

        0120e7bf0d449b824a00edb9c34103ba3a47fa8d

        SHA256

        5dde20e5aac902e1fb8b49164f6dc225f9b945291f8bc1dc9c9b73161df9431d

        SHA512

        23b4fdf29830aa28e56d3429fc4354054590ff189db7f349c7bd39a54fc3c054059e0ac86069aa99bb2ebb89b1cd18f5283bb6826d1271880671bf63e48c0f3d

      • \??\c:\Windows\System32\CSC565E4759A4F4EC29875F420D0435D8.TMP

        Filesize

        1KB

        MD5

        65d5babddb4bd68783c40f9e3678613f

        SHA1

        71e76abb44dbea735b9faaccb8c0fad345b514f4

        SHA256

        d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

        SHA512

        21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

      • memory/2140-17-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-47-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-23-0x0000000002B10000-0x0000000002B22000-memory.dmp

        Filesize

        72KB

      • memory/2140-28-0x000000001B570000-0x000000001B582000-memory.dmp

        Filesize

        72KB

      • memory/2140-26-0x0000000002AA0000-0x0000000002AAC000-memory.dmp

        Filesize

        48KB

      • memory/2140-24-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-30-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-32-0x0000000002AB0000-0x0000000002ABE000-memory.dmp

        Filesize

        56KB

      • memory/2140-29-0x000000001BB20000-0x000000001C048000-memory.dmp

        Filesize

        5.2MB

      • memory/2140-34-0x000000001B550000-0x000000001B55C000-memory.dmp

        Filesize

        48KB

      • memory/2140-36-0x000000001B560000-0x000000001B570000-memory.dmp

        Filesize

        64KB

      • memory/2140-39-0x000000001B650000-0x000000001B6AA000-memory.dmp

        Filesize

        360KB

      • memory/2140-37-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-41-0x000000001B590000-0x000000001B5A0000-memory.dmp

        Filesize

        64KB

      • memory/2140-42-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-44-0x000000001B5A0000-0x000000001B5AE000-memory.dmp

        Filesize

        56KB

      • memory/2140-46-0x000000001B5F0000-0x000000001B608000-memory.dmp

        Filesize

        96KB

      • memory/2140-21-0x0000000002A90000-0x0000000002A9C000-memory.dmp

        Filesize

        48KB

      • memory/2140-49-0x000000001B5B0000-0x000000001B5BC000-memory.dmp

        Filesize

        48KB

      • memory/2140-50-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-19-0x0000000001180000-0x000000000118E000-memory.dmp

        Filesize

        56KB

      • memory/2140-16-0x0000000001170000-0x000000000117E000-memory.dmp

        Filesize

        56KB

      • memory/2140-14-0x0000000002A70000-0x0000000002A88000-memory.dmp

        Filesize

        96KB

      • memory/2140-12-0x0000000002AC0000-0x0000000002B10000-memory.dmp

        Filesize

        320KB

      • memory/2140-5-0x00000000007F0000-0x00000000009A6000-memory.dmp

        Filesize

        1.7MB

      • memory/2140-11-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-97-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/2140-4-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

        Filesize

        8KB

      • memory/2140-10-0x0000000001190000-0x00000000011AC000-memory.dmp

        Filesize

        112KB

      • memory/2140-8-0x0000000001160000-0x000000000116E000-memory.dmp

        Filesize

        56KB

      • memory/2140-6-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

        Filesize

        10.8MB

      • memory/3372-86-0x00000156D5150000-0x00000156D5172000-memory.dmp

        Filesize

        136KB

      • memory/4676-126-0x0000000000400000-0x000000000060C000-memory.dmp

        Filesize

        2.0MB