Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-11-2024 08:16
General
-
Target
2d756772bc00e5778d794c107358ddf7.exe
-
Size
1.9MB
-
MD5
2d756772bc00e5778d794c107358ddf7
-
SHA1
77229fc9ceeb137c6644a4fa3085aecabaf94ec3
-
SHA256
a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
-
SHA512
31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
-
SSDEEP
24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 3 IoCs
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yik5yx0m\yik5yx0m.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA20.tmp" "c:\Windows\System32\CSC98926D0DB380478F9AFBB0671A84CA8.TMP"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CSC\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CKLuGQOPwA.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\CSC\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\CSC\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\locale\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf7" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD52d756772bc00e5778d794c107358ddf7
SHA177229fc9ceeb137c6644a4fa3085aecabaf94ec3
SHA256a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
SHA51231fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
-
Filesize
198B
MD594222d6bc3df933b332488cfe9aa9513
SHA18b2c76a50bb334bc0ddaa882836a1819ba0e5e82
SHA2564a7847d52e991742fb8a5348f15a77c05ef3fb4806ff194424bf3ff4f42c0c84
SHA512f30e973fbe1328e2f75d53064020e890ead47e26f134a279589dd557ba697e8865ccd5f78a31b40846bdef168e252b41faa530fb7c255646d84dd8901beeb71b
-
Filesize
1KB
MD501eb0ff384f8b0a0438d8d0df3797e90
SHA154aedc933d4b814ae4b2d54990a96974218b0268
SHA256127c1d4fe477f3707277225f2966d9ae81e2ece23f0248991db7472d2b106c33
SHA5127470478a2707316f5402c4bf03feb586a31036c8a9258e8118b54f80f8f15eaf381ea0102d815b55d35ad235b1288beb57f0002db1753c57d4d2c0cb8eee8a4a
-
Filesize
7KB
MD5ff77a6d8b94ff26e9db7167652d898c8
SHA1c2c3415e66981b0ddb107a072cfe0969154dacb6
SHA25675591d4daf5a27553f0b75caeb569428a38a08922a87fc95f831b3d2aadaab14
SHA512c663bea6529020ff806f2e700dd6c098928767b939f74264bdd7c0e8a5688851f69ae80458958c5ec0ac5bc13b10ee7ae5a5cf9e9179c98c277a15edef0262a1
-
Filesize
415B
MD51455df001ba1dd51f91b3f817994808d
SHA16ce0c656f41ef7c3b66c17f891ef8c69ec96b67d
SHA2560218c2768a08e14d3a4341517a18751fd012e679d2046ab2925a9def848bd776
SHA512e54e89c01dff55c80ba790212a46270390d20e87708b74a7c12ad636e7bbdde896e6ce6756f17f3202d8d4ed01d85fc7c80fd8e32d656db5686949847063f87e
-
Filesize
235B
MD5f522cc20878585a816d7c9d0f8b54761
SHA14c2a6d059ffdd108057552553bb917e82f4474fd
SHA25651afa5e1bd6801b890f607419f01ca604b33d5894fb0e4d12707ecda07c05cac
SHA512333879c3bd09bf08239245859eb48efac63f792d672a1f57d30086830ee33951337baeb4238470ca26f4b880c4f5e209264074ee43a5dd2e61bf1a4c9e052ee6
-
Filesize
1KB
MD5dcd286f3a69cfd0292a8edbc946f8553
SHA14d347ac1e8c1d75fc139878f5646d3a0b083ef17
SHA25629e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596
SHA5124b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
1.9MB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
2.9MB