Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-12-2024 22:11
General
-
Target
4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe
-
Size
952KB
-
MD5
82ededc8ebe36096a29aeb793260f6c6
-
SHA1
9bc9ba0e92990015e1ee7d3175506cd850e40f08
-
SHA256
4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5
-
SHA512
a94b65efa5a07af586071dad395e7694e30acb5a4ef6ff19f55f8191a11bfacd3c1cfd17e04077949091ace10e573033c4399aaa23264435780e34f081700120
-
SSDEEP
24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXl:x8/KfRTKv
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe"C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pAEBCbnR0T.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Documents and Settings\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
952KB
MD588da2110432e89c73ed202c4adbec720
SHA1e9059a8ba711fe7475bc0de9efe75f758ce6e5e5
SHA256c844c4574183306af2f9cd32e43eebeb0a33e5d804391eeda8d5f4fd7c34b717
SHA5129e4b32ac7c8bde6cf301a7194a91611d7c9fab5ff4d9f4e6ffce88725383452ef7e3336bf4485550f41433068c651f439b0b931e4366f120d8edef0bb1c7a38a
-
Filesize
282B
MD5485a6b8a5c7736b396f14ae3f5f641a9
SHA1752f93c381e01a7f05fdea69d3294523861db3a6
SHA25662db9d86d62ceef290681abf6879264485269590023fab896fad844bebdaee54
SHA5126ce23471d9267f15fdbbc4476a7cb5551d516830947058ca685f1ceda36530501b93a7e7eea08eafa298b8457268277344e47a210d16f52b4b599ce3e4581f15
-
Filesize
952KB
MD566f4da473806e445ae1632ba4b1ddb59
SHA15a71457351e80ec912fa0dba13108ac540191ff6
SHA25639c1f2bd399f73c546d7534fe7edbda5dac423645f7a0fce2faa600d204ef082
SHA51235d79dce4eee440c13f154a7005bdd694d845022acba122e5cfe8dd47e08ca27bfe44e14dfc7ba499529fa2afc33d47ecc5ab01f4ac40443b9120ed178626ed8
-
Filesize
952KB
MD582ededc8ebe36096a29aeb793260f6c6
SHA19bc9ba0e92990015e1ee7d3175506cd850e40f08
SHA2564d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5
SHA512a94b65efa5a07af586071dad395e7694e30acb5a4ef6ff19f55f8191a11bfacd3c1cfd17e04077949091ace10e573033c4399aaa23264435780e34f081700120
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
976KB