Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
30-11-2024 07:40
General
-
Target
E96B9E17DA08C5A64C26DC666402C64F.exe
-
Size
1.2MB
-
MD5
e96b9e17da08c5a64c26dc666402c64f
-
SHA1
cceec5c7f6f4bbf08c63153a0dea8b5834ed38ee
-
SHA256
8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372
-
SHA512
dd71101f1b6b0dcd545bec2e448c6368a8653b599a5b0de3287ac50126b0c380a325e92fa201bdd869d97cf18e63d0795879923e9364abb92adfc57af02d5040
-
SSDEEP
24576:QGZn/lA+WQi7Tw3d3pI0eqZb/bte1aMiL/8LLKwi/TIRk:QGzAy1Sob6CsL8
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\E96B9E17DA08C5A64C26DC666402C64F.exe"C:\Users\Admin\AppData\Local\Temp\E96B9E17DA08C5A64C26DC666402C64F.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\winlogon.exe"C:\Users\Admin\AppData\Local\winlogon.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d30d445a-5ca8-4177-8d97-ca212341f963.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ab7527a-3437-47b2-b555-b0245e1673ce.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78c7678c-a8dc-47ce-9bf0-935e722ceadd.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95af63b7-08e2-4537-84c1-324dced931af.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca8cabf-22b5-4eab-958d-178b77d0cb84.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ef68173-21be-47b5-a84a-c5184c097c24.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e7b3da-d081-4c64-ae62-316360bd6a11.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\612998fa-8937-4d67-be02-e0c8c66c9823.vbs"17⤵
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74b3ae9b-72e1-4256-af00-83c4e475f230.vbs"19⤵
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\065a821d-6fe7-4f24-a13b-be4739af0135.vbs"21⤵
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ed2c11f-b74b-41d6-b272-cc6b472cf831.vbs"23⤵
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28fa5b40-507e-425b-a3a6-281b38141741.vbs"25⤵
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe26⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\693f7e15-f419-4972-8dc6-5a2fd90bfab4.vbs"27⤵
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe28⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed6099e7-4130-4411-a91c-b531233540c4.vbs"29⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2f665c9-0b3f-48f2-9894-b52e1064b097.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ffc820f-db7a-4d36-b83d-86ff4f5c9ff4.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cd7e117-f86b-4ba9-af15-55337068477a.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6c01b82-6266-4d79-b35b-5e58b962e5e3.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6e6c1be-c612-44bc-b26a-cbca1f224519.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aaab3b6-5cfa-4641-a016-bc6ee22c42e4.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a827f0af-4811-4ce9-9814-e36199c4019a.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df57d2af-954f-4b8b-bdc2-6a23389a43b4.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\601512ff-8433-42c7-86a1-d5cf886665ec.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20fa76fe-67ab-4687-85f2-8c66fa6f4ec6.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36c240ba-4bd7-46de-80d6-cee93602c9a4.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2129de3d-f238-47b0-9315-64c1b234c95f.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\394ead9b-1a81-4215-bcd0-ae6ac42d9ce6.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbbafde1-0e2d-4162-ad42-a1886839441f.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:/Users/Admin/AppData/Local/\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD50f4fae324ae68c10bd25437eb5da2207
SHA18eefb4c3a1b49528cab2675a74c791df07c2b01c
SHA25646693fdea27db74662aadf1a4b3900435b23e38604ce96ca334e95a80d91a0bc
SHA512916d031132f6ae0e59423b69e641afdf168fd8f9234e1868e77bd7384833953773cacf2df8ed3b9d0003ca211a170e9523f65a6ab4aeca830fe147abc3b3d555
-
Filesize
717B
MD5f8c9373e26e297d276ea7be3cd966186
SHA1ed3eadfde77779838121ae0d084205fbaf4393e6
SHA256a934b41e393ad76623d5e80b740e8bc88580cb69e71d102ae2f7c24e5fc97357
SHA5127d5f60e8e288eefc9c0d22d0d49bbf74417083a05289cac08de129abd3560ad7c03b2c8636f5b21d65992144a0cbd2f6370ecd6486a78b47d12a57a0021e42ca
-
Filesize
717B
MD598b93e771741847e1bb03a20e797113e
SHA1db8c700365f09d3a858ae2552722029571025b75
SHA2568e201b5a5a600c010cf40dce84a014277b3a0417756364679798c60103ad6211
SHA51255ec8ca8631b62d7b41a2591d22cd44fb28c1bc5ba590593d79bc99203713caf1fd2bb02fdd2dd227c473b40d1108ebafcf6f88958f7bb861cac9dc44b6eae33
-
Filesize
717B
MD5bcab15468eb39276497c4d6484d3125c
SHA1ab26ba0b46e99f29a800f6124ba97a6b4b300840
SHA25615ec85f8a9d381dd24c299dfb3f29b11f65e7ff6cd16687e87959df666374b99
SHA5121ca9a4b5000ec85fce2398a69a02eb483f90021c3170b51150d4bc5a12315ca25237c1a15dce307ed67a64153dccb7af4c5396525f8d06736c3f1f34bfcefbd8
-
Filesize
717B
MD5e22446e5edd288c35248f1adccbcf264
SHA1bb2d32fa2bcf6b79a9cb641fc9807d94cde3b0bc
SHA256e2f99cc755dbb04904c0848876955659cf0b81c6cc81b5a7603722d958934610
SHA512e69bf6ba8aac46c8d1e66bc08c539f647f765f04df5ac856016bb33509b49db2f55c3cde0b41f3851f41328b0f0bc6ca9ef9e3a41def8f3387a65659a51d21bb
-
Filesize
717B
MD5c8def7a6d129f2d19f2a63864e169bdb
SHA10e0c6667f18e33f9794b29a0d75b0c7a69528fdf
SHA256fd98f6e3d4bf7312d4eae16122e97841f656caacd8c9235c33e053175fe3ed98
SHA51292d4f297d4e80b6bd85f7dfaa9a56734e9c01930c02bc253af48406dd701ad91ed39bb942ab50c659b3e502231b53adf2450138a1825728542f8b448d99903fa
-
Filesize
716B
MD5cf7f1c288cf9e3ef5067c1e54ff34477
SHA1e4dd649a816c46e075ac76977bd30f9f6c72a681
SHA2565292be5486aea7d29418aca6402cee84e88f49de8973e1ce0527d8d917cc5659
SHA512e4e87a71b5fe6602ab455eb79a8f99339b8ac6753f766deac1179f51f8a08b4dc5ba0af54e8fcf362a407a16a2f8074ef74e12614dbd73b8f2bee1b1a019f250
-
Filesize
717B
MD52e04a376576c0dc82e62dddba7970f2b
SHA1e6eb4857f389861bf126b2645c84313a77c641b0
SHA256f37099aa0add533982880f172d54ad2833afd985fb64faa1d2d73ff270b4dcb2
SHA512075de8cdb5092764ec5998834cd62f209e1f99fb9beb2a3145f87819fc01a4821494fd0889ecf23f0659ac2a63ba1a405e39e4fe72258da92f13af4b1dda9fff
-
Filesize
717B
MD541fe4ae24e327279b730459c427df83f
SHA180a70807cd62afe3945f9e69e22eec370de88461
SHA2565cffb0553d5896c64bf8dcbf433d161b886286f354b334f69214d78dbe5b7b78
SHA5125e6382f6c688d57717a26b6a81c563b4f428b1009c0ee025db0a997ee6e70060a45f7e25e5283a48259911f20828a59d979c858dd105cb7780d38d7b4b3d9fe0
-
Filesize
717B
MD5fbc0e3d328718907fd445f2229e90ec2
SHA1c7299f331b4167a4a34b5570c2f618e27e69daea
SHA256ca263f2639cdb6daca321e0cbeaf14448cd142c8959fc3dfe3848b89e500f587
SHA5124e6d8f535f25979d47a508686f7805df00a81660b717c8dc9a847023bc9c653ee2c3b4cb644e00ef4d7e7ef531e74134a871394dc0d6f62c89557b0e6b5fd351
-
Filesize
717B
MD56dfca22795f93a64f33739ca2f4b9a7b
SHA18cdc79ac9f774905f820d7ac42a8e078f1eff82a
SHA256183a122c026fd8845ceff5c3db40ca86599ab519854f6d05b81700db570efeaa
SHA51213abc1afc00e6670a6e188ba953e30d7d4bc1052f58777243cadb6400021b0901990bd6d1accbc583df6fb297c83134e6f78a2997fa73bf3429f48fc95d3aea1
-
Filesize
717B
MD54c5b08f7fa05c9f560e3f6cee65f196e
SHA137fe1b83e39a5ef38b31c805f19329ecc92372dc
SHA25695ba608bcc575f94693c0656083630108efcfe5c78bf30e1e80a85ac38eda055
SHA5124ff129d89b348416e04453311ab5e8f91d7fdb6405e7fdda5428dd634f8cf56c2c5985a589e3d71d0b051ed681d1ac46e48ded742cc3165048b4904618405ecf
-
Filesize
717B
MD5f6b2991058ad60375980f624ba731663
SHA187765e4db8f98fe7afafd9acfa4f24743493a993
SHA25603674df5c3f49490827e547642458aeb70f56e7aa96a25dcf4a9473a4994eaac
SHA512b8f018dda6db9c6fad62b1f84e161f204d271bca6ca90f4bc6b775ec8978496df07224426937a4258702aaafbcaf45dcfd84f0233cbb9f46fdfb82f15bf9ccaa
-
Filesize
493B
MD5982a80b4cc3cea44c6aae5b359087ece
SHA14148ae1ccead774fd3b4d2a45a6efbf97276cf1e
SHA256c7ee8921ea5aed2448830eccdde160b47295e169592f8d0bf4182d2199491891
SHA51247f1f8fe86900cf95b36591bbb2522844465f0f4bd39de6db5a8a6ba3ca151e4986ed8e68f673f7a54949c5a77d7d3eec4a5d5c7b234f851974e144f8559d13e
-
Filesize
1.2MB
MD5e96b9e17da08c5a64c26dc666402c64f
SHA1cceec5c7f6f4bbf08c63153a0dea8b5834ed38ee
SHA2568e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372
SHA512dd71101f1b6b0dcd545bec2e448c6368a8653b599a5b0de3287ac50126b0c380a325e92fa201bdd869d97cf18e63d0795879923e9364abb92adfc57af02d5040
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
1.3MB
-
Filesize
1.3MB