Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28/11/2024, 04:56
General
-
Target
5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e.exe
-
Size
783KB
-
MD5
308e34620e4b48c3ae64e4045a817229
-
SHA1
d1312c2b2e9941f03f710af23e640cbfec175467
-
SHA256
5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e
-
SHA512
bfc03956208d26b6833c4d8a750041ac021f313f2e009ce009a381b6134e72f0003b2cbf8982d748587a21e249a45c3d21fb1daadd48521969830a37e5241d6d
-
SSDEEP
12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK2:G+OQbpbgsFdAyQvzSqaq8qt
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e.exe"C:\Users\Admin\AppData\Local\Temp\5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e.exe"1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GR2ZzyivhR.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\ProgramData\Desktop\winlogon.exe"C:\ProgramData\Desktop\winlogon.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\SortWindows6Compat\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\dps\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\ProgramData\Desktop\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e" /sc ONLOGON /tr "'C:\Documents and Settings\5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\DXPTaskRingtone\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
783KB
MD5308e34620e4b48c3ae64e4045a817229
SHA1d1312c2b2e9941f03f710af23e640cbfec175467
SHA2565cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e
SHA512bfc03956208d26b6833c4d8a750041ac021f313f2e009ce009a381b6134e72f0003b2cbf8982d748587a21e249a45c3d21fb1daadd48521969830a37e5241d6d
-
Filesize
199B
MD5e66ac2c14982e8f3edee2c5df8219416
SHA140ca23efeeb742d562fb2cccc00b64b234a55d5b
SHA2564aef93c3441188c2ae51a61db754802b502adbd3d671f2e278c612114baa468f
SHA51238c757535e5e3fcd608b0ec7bfd13f512f3a2b86cd23862844f165cf52ec5d60a98d2924b2de7fd60a7bd40ebf1cb5498d1fbfda5c8cde842b426bf96a4c2055
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
808KB
-
Filesize
9.9MB
-
Filesize
808KB