Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 12:51
General
-
Target
4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe
-
Size
924KB
-
MD5
e44a6dd4f61c4c3138fc1c81f13ce0a9
-
SHA1
a8479aee1b3e22cd059cf38b3110d69a5504102b
-
SHA256
4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323
-
SHA512
ec423fe26d7e9a7a726bbbfe2d7dd7c0235c6bc3111e795d0d99b4ee76b453d1e548bd943e29ee7d607a7f39ed8f78f20ae5885d77f8e6db35607806616b3219
-
SSDEEP
12288:aRZ+IoG/n9IQxW3OBsee2X+t4RboqnOH0qhDD2hBM5biqZUAu09SwRRpfcg:U2G/nvxW3Ww0to+OHt7iefRpft
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe"C:\Users\Admin\AppData\Local\Temp\4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\mLzymvMiirrQOXPEyjXJ5QZUzTtHfO.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\t3VXd.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\SessionHostmonitorNetsavesHost.exe"C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\SessionHostmonitorNetsavesHost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPD9L51RjU.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Documents and Settings\winlogon.exe"C:\Documents and Settings\winlogon.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\assembly\GAC\Extensibility\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SessionHostmonitorNetsavesHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\t3VXd\SessionHostmonitorNetsavesHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\DevModeRunAsUserConfig\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202B
MD5796bbde23addcfc17606e60f3e5d4db3
SHA1af64354a3562de0d41155dbc7801c4f41902d4f4
SHA2561bb57bd3d7643963115600c57f689c270c64001d682f6b89fea996fe2e46cfc8
SHA512d88044aba6913771a8b7abe8d4a1d9b14fc46a7e0582d3a720c2c0810d5e62a4438ca217197387344ecab4b018c804f3e4dd9939a7f6c7322fa1b2a68067e9fc
-
Filesize
615KB
MD5e915469eca8f027672aedc6241ab4ea4
SHA14a28d6a2eafad121f47c118866da6ee9de2a6829
SHA256f086f15de0d2fba478956f12f96d5a5f11f7ad0048a3ea694d226e062f4b99cf
SHA5125889f84f0043c293dd74f5d8e859575317a93a823ccd1b7295dd70e7d1ea4354b282da7c69692e37de797fde705118455232244acba2f64d22d28172fd6a22db
-
Filesize
207B
MD5fe43d6574e51bfef72c4cdc63b217db5
SHA14f0e06ab9c15cf1aa385b6ab773d308c6e334d9d
SHA2566c29dd00d17230a1bc450d51e2387cf502fd33956e661a8adee8057c19a6d7dc
SHA512053e00973ba2f04ff3db1b33f9129288123c5ba209c8c28082d111607bdb599dad385db881d7898e45826a455d35fabc396b1925d31359066a5924e339162a11
-
Filesize
65B
MD53d340aff29db3e924132c091f33d802b
SHA158c02b709a43b3548227fac0765e706cdbb2f5a7
SHA256931b38c3661c01a98f5e0c1a1723d846b32bf3911a2780e5398994605dde3c41
SHA512afbe5c7647bd758aaf625859988b0e4166b36db48890acae768f9d795d3497a289b4fb427dacef09872b99006652f4b0ab03bf42bd27612e89f4b3917684b5a1
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
640KB
-
Filesize
8KB