Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 04:09
General
-
Target
d9aef85fc0e89a01c741f919fd9740bc71a970777746338d7c689bb69a5b08cf.exe
-
Size
2.4MB
-
MD5
16be4b35fbc59aa471fff4ab77f53c5e
-
SHA1
5d31d96f0562309fc24294ecfdb3d2a26b238764
-
SHA256
d9aef85fc0e89a01c741f919fd9740bc71a970777746338d7c689bb69a5b08cf
-
SHA512
29c902990c748f34c260a08811f1f24956bbc62b7135e58095753ef1f9ad5a094bc560a3dc7aaadb6295eb518b6ad4d645d4775cf11b9a87fd868dc138cf9b45
-
SSDEEP
49152:pCZ/7MmTJP/uNiZ4qBpWVPW6dKiXGRhuknLwFPy4Eiw7m:aDMmTJXui4qBpWLZgukLwkiA
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9aef85fc0e89a01c741f919fd9740bc71a970777746338d7c689bb69a5b08cf.exe"C:\Users\Admin\AppData\Local\Temp\d9aef85fc0e89a01c741f919fd9740bc71a970777746338d7c689bb69a5b08cf.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exe"C:\Users\Admin\AppData\Local\discord\Network\audiodg.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5accfb1-90e1-4926-a1ac-3cf3899b259d.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a550d8f-5704-45bc-b7c4-0fbe730140de.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bdae8b1-267e-4c01-acfa-c766a2ae8cb5.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8df2e02c-a48d-40d9-b1e9-be9c08cc834f.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2eb2e551-e65e-4a98-a5f3-5601ecf980c5.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a19a8a06-3b80-425c-befb-59af474038de.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef270543-6aff-4250-be73-903f950ef92f.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367298e9-99b6-4344-8064-1dc2da558041.vbs"17⤵
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97b6cf27-caf3-42c1-9553-33c4bef6cdde.vbs"19⤵
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ec886a6-9506-49e2-bbce-237da05bd169.vbs"21⤵
-
C:\Users\Admin\AppData\Local\discord\Network\audiodg.exeC:\Users\Admin\AppData\Local\discord\Network\audiodg.exe22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34c25aec-67a5-403c-bbf6-801d6a8a475b.vbs"23⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\058c0907-df88-4076-93b3-ab60154ff6e7.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3bd2a29-634a-4cc6-ba19-3687695f4182.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306cf373-fd31-4925-8b2c-17d2264d0bcc.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c2d84f3-6ffe-4879-880d-da46b71a6180.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\931f71a7-5b4d-44c8-8a7c-87be6af87fe3.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\266572d1-ea26-47d8-9638-dd9cad256ade.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1ae5a67-6ed2-4f67-aec7-b1bfecd0385c.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0371ef3b-3356-4fec-8688-68a49ab3f25b.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c122f7b1-9810-4d86-98f3-70dd274e0d1b.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02c80c81-1ae0-463d-a967-261a30b35321.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81adae96-b0dd-401e-be4c-52495cd7dd49.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:/Users/Admin/AppData/Local/discord/Network\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/discord/Network\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:/Users/Admin/AppData/Local/discord/Network\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
731B
MD50c6840a1d12f0fcb8a6aac70012fc6cb
SHA1d2a866b54307a44bbfedfbe44df3d8ec1794081d
SHA2560e0cb7025fbdaa6a8ca90069a6bd7d0dca7dd82a0254bc5a220097b36ef6e75d
SHA512055ef48e1cb00bbb9c240b978391f9132e5fe41d3eeee08f7da24f0f18071b1d3d0e20cc1d6ea4f277ebf694ab77e8b7d05234baf941f831b6008a6c6ad35bd7
-
Filesize
732B
MD59fd09d74f3ee0e4039abda5f95ebe204
SHA1166405a7b6449c1f13b00b8f39125c05b0677b70
SHA2562c7ca99527253ccc5e255dbb295b71517f739f2fe5ebd323bea51f75a8bd3c9e
SHA5120aebda928b6728bfdd876673e6a1098fe36d497148738a044f8c050495edef15e49ea2b49dbf1a2f91177c6b206ae2bbd14220926cda1f93a006b50aeebbac60
-
Filesize
732B
MD5c2146c6620aee9136f1066b221c30e4d
SHA11be54eb95999a09415b94e662acd009499b31d1e
SHA2564062819458f3eccbafcd0726d7259676757fd426a62bc934fc03dde6e3c0feb9
SHA5120107db4c31affe43acbff7405f365fb45a01b29d3724e57e674a999a969adf1107dd7719531dfa5ec3fcdf7e6eb8de31eb4bad7aaf0c9f109a6a21681675dadd
-
Filesize
731B
MD5cca92bf1e6a51c6bd766e0f3b3eae593
SHA12e72c67616034c2b78472a5c98fac418738da4c7
SHA2566256aef93bcec9a9d4c72635768c729f84950ce00c0dcc87aacb6a38f14e756a
SHA5126f6af36271e8ac1794bf5058afcda3971c0942bd19a6f1e201111ecc80f6d029c6e66477a2193273bde8c3c0b7397b688d2e14e7e9cd3467139636f89b3b4f60
-
Filesize
732B
MD5eadc7aab02487a6ffe4841bcea2f6796
SHA14c0e037d383cb856b530ba21a5efdf904cfc07e4
SHA256db5f90ad6ad71f7944e88a575161c80265aa35ac143af6d9f271108a7743bd54
SHA5125c1f7efbb61888010bf628632259ed33bd26f9bbc2c76a0b6f213420d9b6f881fef25fe131d80e947c625d68001c6a2a860291e44d2a6b7917fd10fb08994a40
-
Filesize
508B
MD5f41baeef48426bf69be49991095498d4
SHA1de4d1b166bcc75497b07639d09666fd085db5007
SHA25660ba71a76b029d280ab72bdfdd5b43287c4cc38380b570ffa9383319d5359613
SHA5121b7d3909c72a29fc587b977af889e4b1e32ec31cef57df7578c9201f22b69ab257aeae2d475a6f49aa5e89682f466234b10b8799fc8f1b524273c6056a74f9f4
-
Filesize
732B
MD5d4fcdc85688280fe2da8ecdc13ba23b9
SHA12f716a8c2bade0c2b7a2bc3f91099340eecb5476
SHA25619285c5409d57ad331995b58c8409e683f4657b057eefac59a3b73509e108e72
SHA512d7b5280fdf16df9179b4b2ce6d64b29a893af67a0fad1036b27d1976d68f2adc17ceca65e400af88d474ecbadec839861af3e94099d6070cc812e9f7c1745f66
-
Filesize
732B
MD59f67233b935d34bc604fd28860612862
SHA1d6eb8678a39e2f13a614d5023030dec737df6f7f
SHA256d4ac934e959a4d4e2c5236f401ab456ed247979e9e48b60c1627a6fda2f0cb41
SHA512dd9ceb4e022e00ebfac3fecfff3853325c80525c9f89df03781256d236811279df9b15133642552a12f432bf92d1ee256e9d791e39fb28e06a744a8acb084180
-
Filesize
731B
MD5a5100d4d97b8e61b568a863d6964e496
SHA13f67ea0884352a2728b11bc75876551f8cc81456
SHA2561ff66702259a68e352933362cad4fbed88a603f31e019376d00fc6b47296efe0
SHA5125f5ee007a0cfb3c28f50ed3c35ee9717e094daefc497909af4a7ac5d7c9cb467a04dd096854c9b21a522e6b267251c8275987e647630302f1977f648a68457c3
-
Filesize
732B
MD56ed506301d79a61b34c06c06db46ca7c
SHA156af1f9b55c515da7fc71c2cf4b1426c6a489651
SHA256e543b467c19a951a45c4590da042fd487222c3205c2242cb1e0bdf7997bda935
SHA51268c09369501b9c3d2b5e85fddc0c80c36633bbb033a04d1dafc110e4deb4b3952e81673ce7e1fe115090d4e738e52a9cdcd63a2af392c958c01206683d616b67
-
Filesize
732B
MD537310577e1d6d8eb52f3aa6b04d6d827
SHA1ff412570e855dc18be5a05b4b04cc45d7cffca41
SHA2564d91a22fdac3e7b2e1fea8161d3dd447c6eec3d71ba75c2e18665e05225a363e
SHA512669920e39bdff1d53baa2ee7ccf88bfcaf0d0a2e8f774980505da3d279976f0e5d9c228c82f33bee26d5269fafaa452935df7af02b0cbf5c9f76b5a2388b21f1
-
Filesize
732B
MD5d8cf8a61b9867bf63c04cf69311cb22d
SHA196a63ae1fc934e5588831636d3be18b48e444d64
SHA25680b88f1b2eb51a7fc39d0ff795cfcaa33faf114ddee40fabd80b88046757eb88
SHA51284d310bc3e085af8352540de11848de9f6ca4662a5378806e69d1d925458a9e1e0ca614b713c5ae33c0d73616750280cd78a5d8697b2a5431416bb801fe85dd3
-
Filesize
2.4MB
MD516be4b35fbc59aa471fff4ab77f53c5e
SHA15d31d96f0562309fc24294ecfdb3d2a26b238764
SHA256d9aef85fc0e89a01c741f919fd9740bc71a970777746338d7c689bb69a5b08cf
SHA51229c902990c748f34c260a08811f1f24956bbc62b7135e58095753ef1f9ad5a094bc560a3dc7aaadb6295eb518b6ad4d645d4775cf11b9a87fd868dc138cf9b45
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
2.4MB
-
Filesize
72KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
72KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
72KB
-
Filesize
2.4MB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
2.4MB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
344KB