Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
30-11-2024 07:36
General
-
Target
E96B9E17DA08C5A64C26DC666402C64F.exe
-
Size
1.2MB
-
MD5
e96b9e17da08c5a64c26dc666402c64f
-
SHA1
cceec5c7f6f4bbf08c63153a0dea8b5834ed38ee
-
SHA256
8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372
-
SHA512
dd71101f1b6b0dcd545bec2e448c6368a8653b599a5b0de3287ac50126b0c380a325e92fa201bdd869d97cf18e63d0795879923e9364abb92adfc57af02d5040
-
SSDEEP
24576:QGZn/lA+WQi7Tw3d3pI0eqZb/bte1aMiL/8LLKwi/TIRk:QGzAy1Sob6CsL8
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 42 IoCs
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 13 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 28 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\E96B9E17DA08C5A64C26DC666402C64F.exe"C:\Users\Admin\AppData\Local\Temp\E96B9E17DA08C5A64C26DC666402C64F.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LDqlTPpYLb.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:/Users/Admin/AppData/Local/\lsm.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3b90500-50ef-4890-9df2-8a5ea2aefea2.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10f34b13-eb48-4a19-823a-5daa953a264b.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef34e3c5-c8db-4c90-8b1f-724f1f2337ce.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b37b511-0dbe-491e-81c9-98477d7416e7.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7acf6a76-91bc-4654-b58a-4720f5242923.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\068a8cc9-eb57-4417-84d0-fe06d55e9eff.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df2d02d-24bb-4c42-9498-d2fe74d9d24a.vbs"16⤵
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e37356-4a03-453a-8ce4-31fa7c81ac10.vbs"18⤵
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eb579f1-0576-4cc9-9a38-6363a68424dc.vbs"20⤵
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e9d4c24-bcd7-4321-a0d1-97b9ea0277de.vbs"22⤵
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd99d9d8-4e56-4f7f-8326-5c7074b66ed0.vbs"24⤵
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe25⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\536e9a9d-8ecf-4d3b-91fb-53bc994f3be1.vbs"26⤵
-
C:\Users\Admin\AppData\Local\lsm.exeC:\Users\Admin\AppData\Local\lsm.exe27⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48cb2d58-7c6a-45a2-a8c8-498830b85200.vbs"28⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23d40032-7691-44e8-85d6-aa8174e431d4.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3537fa30-a21f-47f8-b761-7ca69dabfbc5.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee013fa-7701-4428-b39a-a404c4219669.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31470a26-6d4f-4207-8e83-e6cf92ab038a.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc750aac-11ab-4876-ad73-6b12e790860e.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\527ffcb5-6f38-422a-b928-9dcce304c32e.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a70fc28b-8cf9-4a0c-b60c-ea47815690c9.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a55f9ce-ee8a-4a45-bc96-1251786bba37.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e90e2d7-deaa-47a9-80d2-e348d2bccf8e.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27bcef4c-07f6-40cd-9ae7-b23e63d37cc8.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\014ebc95-722a-49bb-9e44-7f2d71f856f5.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\106bec44-c8cf-411a-870a-a2ba33ecd110.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4bb7ae3-ccd4-47db-abc7-0065e635bed6.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:/Users/Admin/AppData/Local/\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
712B
MD56fca7d427207f5623812495ee6566d4d
SHA1549609f68e016d0410c2867aa34342697c6cd155
SHA256f22962a3329265e38037d38d9778a7156b8389d5cd8421247102ca87ecb35550
SHA512ea964229b62e7a114dccddaeaf823f0a32cebd028be6ccf41abcbba92ad784a3e7191bc6500e7928a34204a1d86ce306c92c1b263f2309e25f9d848b9a193761
-
Filesize
712B
MD5f524fdddb305566f40a6df0af89d73a1
SHA15d16c6971d18619c11b3e529e94a3a92969ccf59
SHA2561ecd8b06cbb655f12d7cf4cd602ec19e5a833c087191e32e322e2f77aa0a33f4
SHA51249bb78f9301474505c8fd447885b6bcc3bc716c818f84cc2160086e39fd7f1575d6d33abe8c902a6ae4a4df2da2f56d45c2d762109f313c21b9b11ff21e8f7d6
-
Filesize
711B
MD5a6d2a6e76e8dbddfed02538923b91a8b
SHA1ef4d7670c1e8fe924ab74e02b7705695ae560c9b
SHA256f504b788e7f69ccad8a181fc5bc9de3dfe8f0adda509fa9c6f846f6fa0553c19
SHA512fcf6bcecce04b6e63a34d42601a0e054240d8f083069196afcdfe947c5aa3c462c855b5e18e2eb59aa8776ac0257158d9f679a29ed2f2e67b6ec35b45d671813
-
Filesize
712B
MD5369c78351629fc7b8b1b4b43767c8ae3
SHA14e0d0261d0f5f44b243098654f62530454e3df76
SHA256c9ed90b1174ee1fde90f179051f8cab68c3729406e2b7d348ee70cfcd53c8531
SHA51222a32fa1cdca6274bf18e09419fe87cc6f9e3b19f3e858735ae4ad2978c3270233a066937ae222e56f8a4c8367a89e19cad36dc82a46499a8ed6e3ced250d39c
-
Filesize
712B
MD5d80825770c81cf1289dba128813f56a6
SHA1a3e97ee8e8189e7cb13a554f85ca77df13bef0a3
SHA256b2104fb52a0f1e01f37e1d6108f2efcec874eb08cba0d5038eb0615ea804772c
SHA512d29709e6d070e3e6a9a1e47c59df14ded991ec3d6dfe494fb651ad7bec0f60baefe69147c0509a1229f7e2c739fbdec48299b58d44a0acb7a7f12db16d417fe5
-
Filesize
712B
MD5410529b1bbe9f4fc7ebba3e1cc22938c
SHA18d0f6a4423f570fe3fd098790fb40cb6a760984f
SHA256e1e9748da68213b662a2fe9827bf345bafd9209f2cb63e183eaae761042a2689
SHA51239d12a963f27ef31b7914c08bfa68acb6c20b6454ada82c9a2edcc3008f16620e74761d6e65e48d53aee147c72270a16ad46bfa0fa46e9e1d659232cea9ee4cf
-
Filesize
711B
MD5f0e2f59acf1f098a3c5716596032a3ce
SHA17dd9ec59f2efc9c20ba918fb882ea4821b7f08e3
SHA256dcd850cd5a1a45d5a2d590cd4b5872e266942c9ded4890899444b1e1a5891495
SHA512726747db64b7155e0d8d6472c5071bc638d79d5b6c44f87b9379f39e3734ca77d88fe534a168a60cfbfdfff0e2f81d97be610e4c38afa36e8fa01f11aefba78e
-
Filesize
711B
MD5829841458a53b8bbc88ba345d674900e
SHA17590ffeef97b434a12ac052b95cc780bc543c117
SHA25663be53f8886f166e4fc862e6f7da0635ee39b21ca6cbb5dd74772c13fe7f8e69
SHA512569187e0c7b5d379524d02b6eb8fa591d0c50fec16dd1dbbc130b3a39c023ddad356d674409975a9d267b8929602f2c32c0410a85c8067f4b1f11d822217a8cf
-
Filesize
712B
MD536625e451f8bc834155ceb5907611979
SHA1823bfd95f57c318e490d22de96c94cd651ce52f3
SHA256a6ff93d7720ba910f81e0b2ecd1a59df6aef3b3140a1b303738a2bed9834dc28
SHA512656165917978a47c077ac855b3fbe8e566bc03a39d01db120d3bf150382c0c5dba8976638007b31ac3856a8b32448c2923a0275211688cdc7e1ccbdb72f19075
-
Filesize
202B
MD5e3306462ee2aa7104b3750bf199dde11
SHA14d5cc34d6e866c437544479f40a76c0a276a614a
SHA256ff1a5cd9a147f7831273cf2d2b99f120c5d678ef7944273dfd8daf98153cb4a0
SHA512aea94de78d4d56081b13ab19b99014ae65dbb7d3a743416ba3b091a1fe50f9b8616859fc421b2fd8a76d486a6919d59a678bf745d5b8fcba52e68361e9c9bf5c
-
Filesize
488B
MD53e2b94a4f1e98cc20b84fb8143b5949e
SHA136c785a6c7d7f581839dcb23e139183d066100a3
SHA25611830d1ae0a74e4dec3ac54505920303afe998fd846d007010c7fda57d235ece
SHA5128cce3024557ac40e77c7af34fc9d2ff1c3a4230a9cf7d6f7f8eab5d57b226aada45969f48e59bd30244b4c098dfe1a052e934745865159e862a48590c071f76a
-
Filesize
712B
MD5cac814ee8fdb265499fcf0e462b2c256
SHA1152a4de8e34acc32c4d84bc4307b4f603e7a156d
SHA256ae90bce3e774410a4a8cdbd0824de3ac227efd59497d29aa5d7f72e70ecdabd0
SHA512d2479d3ce0e48dc0ba9c5e9731c17288fb134dffe31b0805b187ad918168678546caf2664db462e0a05159753b9a3848a37ff86139c224edb846d3cc1849eab4
-
Filesize
712B
MD5f22c7433028523e1f3153444c2199911
SHA1d4e86f47dc1aa7a719f66bfdf004c26eb6609d5d
SHA256a7dbdb8600ea74d643005571c1969394848e358ca1ab2dd91f326220bcf08d27
SHA51213e205a778d0aaf6118596cf4ad73d2f82fadbf2251cf78d992434e31aa873a98d9f0d371657eee6fcaa3f93ed51d4cd18b73c3f3da62a39e8c27eee8e86e260
-
Filesize
712B
MD5734eae8f518dbe045fa17ea3411320d1
SHA1ec6a3e2ad48bd744fcc2dfefc0e6db731a1890e7
SHA256c716c98d57c2d99652c6200144e57061863ce450b5c55a52429be5b41ab2a8ac
SHA512240581f48663cde10a323c0999d8e87963bc68c32d335c104793ab061b5e29f57c07705784f3b6d7807f24e15239899ce9ce72afddbcc24aadc5bfebd9059bd8
-
Filesize
1.2MB
MD5e96b9e17da08c5a64c26dc666402c64f
SHA1cceec5c7f6f4bbf08c63153a0dea8b5834ed38ee
SHA2568e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372
SHA512dd71101f1b6b0dcd545bec2e448c6368a8653b599a5b0de3287ac50126b0c380a325e92fa201bdd869d97cf18e63d0795879923e9364abb92adfc57af02d5040
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB