Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-11-2024 00:45
General
-
Target
7a51c74f9e3082a8fdc5b2aa00d105ac565ed3a696b7b59ec562f0a15cf77930.exe
-
Size
4.1MB
-
MD5
fc12e64914d68aa8fcacfe14eac14973
-
SHA1
ffb90d0353325044a8e77a1b3d32c157e522ec6e
-
SHA256
7a51c74f9e3082a8fdc5b2aa00d105ac565ed3a696b7b59ec562f0a15cf77930
-
SHA512
6d2ff1530504b6a3fccb9bc2fce1e0844b5d901407af185b7b9b827896cfce26ea97f230d1f68ee577cf1665a4d0d2fe5b34532634dcc2bd05d5ff2ce77fbae0
-
SSDEEP
98304:cBLZABTF8Ic94u3YveXYBLZABTF8Ic94u3YveXB:cBZAB+33Y2oBZAB+33Y2x
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 9 IoCs
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 18 IoCs
-
Drops file in System32 directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a51c74f9e3082a8fdc5b2aa00d105ac565ed3a696b7b59ec562f0a15cf77930.exe"C:\Users\Admin\AppData\Local\Temp\7a51c74f9e3082a8fdc5b2aa00d105ac565ed3a696b7b59ec562f0a15cf77930.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpfC0QRob1.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\System32\NapiNSP\wininit.exe"C:\Windows\System32\NapiNSP\wininit.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\authz\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\KBDDA\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\mswmdm\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\NapiNSP\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\logoncli\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\C_1256\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
203B
MD501a04010114fe5bf259b03ae3469889e
SHA1a2f2f94467f7d29478b102b09b30bb6f7343a50b
SHA256367ba57a3d62c48b94aa6ea6fbdbdf6e812131b7d2519d4aa750f7fddb165198
SHA512703179a613568b560c20cf4c4753cab2ef337ebae39ffcb6ce3e0d7a57bf26ef73165ff5bba0d11e054068ef0af02e7ea583f669020777f80554a841b813ba18
-
Filesize
4.1MB
MD5fc12e64914d68aa8fcacfe14eac14973
SHA1ffb90d0353325044a8e77a1b3d32c157e522ec6e
SHA2567a51c74f9e3082a8fdc5b2aa00d105ac565ed3a696b7b59ec562f0a15cf77930
SHA5126d2ff1530504b6a3fccb9bc2fce1e0844b5d901407af185b7b9b827896cfce26ea97f230d1f68ee577cf1665a4d0d2fe5b34532634dcc2bd05d5ff2ce77fbae0
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
2.1MB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB