Analysis
-
max time kernel
62s -
max time network
105s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
20-11-2024 12:14
General
-
Target
install.exe
-
Size
4.3MB
-
MD5
c8868d0efa08db9acf9f1be0ea1de96b
-
SHA1
327b71fa12b87caf9868a6bc18857f78a19fbc43
-
SHA256
f9ce5f29f9fee9b30206253d77cf17870ee82765b36f51749e08b3a14d52d6db
-
SHA512
5ac067b46391fb2c41487235eb2a3e57d8b2984ee906f869ad8a20154baba09c09852d9384999bbdee6a2f83263201dcc811bf8386fba3a9a2151c181d6d4690
-
SSDEEP
98304:4Ps0/vuEKE162HsxtixUU4hR1HxtixUU4hR1F:KaTxtixRCZxtixRC3
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RkQPx1nNk6.exe"C:\Users\Admin\AppData\Roaming\RkQPx1nNk6.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\FaPY477v1P.exe"C:\Users\Admin\AppData\Roaming\FaPY477v1P.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\urocnujc\urocnujc.cmdline"4⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC15C.tmp" "c:\Windows\System32\CSC8270A442E5C248C8A272A1118AF6BE6.TMP"5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq6BV118wO.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Users\Default\Music\RuntimeBroker.exe"C:\Users\Default\Music\RuntimeBroker.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 3122⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1784 -ip 17841⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\Windows Defender\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows Defender\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Windows Defender\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "FaPY477v1PF" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\FaPY477v1P.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "FaPY477v1P" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\FaPY477v1P.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "FaPY477v1PF" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\FaPY477v1P.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5176070b00759051d9a932ad2259db157
SHA1c46ce54c1ddf063fc693bb514e8c5d3bded967ce
SHA2562640b860929474ee225c4568ae39cdf2e0750bee754ee1af32afbdf3a0a55976
SHA512e3405c47abff8b351d9ce4d73f4b07908b178a95ccf3222d9834137578078932768770d0e699bb486dfcdf7ed34b75d3b908196d5a1aed3c2a1d26f19f92d4eb
-
Filesize
1KB
MD506eff2742134b81b8c2403e14369a236
SHA12422dbfa2dd9e8688bda1e9443f814bf059f4aee
SHA2561a12d6a38761179226a11f24132fbdec69d4b3cc23d002e39a85f02cef6d35f1
SHA512a965930815de3cc9180dacb9d2dce68f6d34b171596f3baf42dcce446d20374a16fb00844fce77994a2f3d0a6e8e6c003c7a5e5609c9bad99e5c80c11d53314d
-
Filesize
843KB
MD532cae9f5844cb03f0504c3ba6519c937
SHA16886d2706d23fc131e21c9e96f25c641ac04db15
SHA256f147fbaad060811085df8d6f6324c395a8552896e7b611ec24ba9a506f04c3c0
SHA512dd5c3f0adc23bae3c71775227b326abecd8668ff56ecac7030663129d5d99efd6c454057733d41ccc38e680e95f2669d2e110c29714b295932c59ed49ae2039e
-
Filesize
18KB
MD5f3edff85de5fd002692d54a04bcb1c09
SHA14c844c5b0ee7cb230c9c28290d079143e00cb216
SHA256caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131
SHA512531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d
-
Filesize
388B
MD5598d30acd16ac06a082756cba74761cf
SHA15ce21c91fc1ee835aedb79c5a2c7a684f513532b
SHA25689c589c3202ad49ff405f4f48574e32fe4152286e4dd076cff204904b5dec19d
SHA5126888c072361479be59814ec9fd69737b742ea5584a0d26e65fae6ee934bb419b957c0ef943774607190a467da78c2b8d44d9656c9639c4181705fdaebf35c7f3
-
Filesize
235B
MD59cdd1dc1f33dd37a60c59a80180deac0
SHA1fe444ba6191ecf2ee66d376655d9929b1d341864
SHA2569f0a9a6c552b7d1163a9058a010e65e547c066afc411128191afa913ca7ffb6d
SHA512f653aefabdead10c161ae6544291848355306bdb0554b5692a68dd758adfe6141f05ba642a70b8e8a82169b5852b12a4d0bf78c2b7256f00f32722dba155aa04
-
Filesize
1KB
MD52ddaf10e7350236c8cb4081912188ca2
SHA12a13673a51e96fef6374a4a6748157f19ebbdbfa
SHA256c4d9cf358c5fef64c8dc24d46b1c43130b5177bdf381d5062e5fd093b3e7e64b
SHA5122edbc7b83b15203e14520a77bbcc777e26d807f438288a10d5e9ea5dae002f00513d6b9c29ffe39b117c8319418087f6394da1949c0bfb3065b76e24260b0861
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4.3MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
5.2MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
872KB
-
Filesize
8KB
-
Filesize
10.8MB