Analysis

  • max time kernel
    122s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 21:34

General

  • Target

    7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe

  • Size

    1.9MB

  • MD5

    0ff4c4cd478f98ae17c254e75688d8c8

  • SHA1

    33732dcae2c41811e780e75e8943b5cc794237eb

  • SHA256

    7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89

  • SHA512

    36e4fe1128e060c6add46c73d0242b1e425d073dc8ac7f373a7dcb275292e4804028270ac25246a8f145cea3e9253b0cbc46be3585a162bcc2411f146577563a

  • SSDEEP

    49152:OB8cbBE21MiimB0IJRzISewyxLE2Zu5nUcAdhE:QN+w0aRkhQZ3AdhE

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe
    "C:\Users\Admin\AppData\Local\Temp\7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\nsyv1xzYu8VmbCzcG862c9WsvpRLyz7as0bRq7W1Tn2IOKgyOUASya2W1wA.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\uo5q9MISAlMxXE7QNA1x3M7bBFAcJOtmOsD1tooxlC0BMSBA7z5lsvUd.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe
          "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815/downloads/winrar-x64-701ru/WinRAR.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1080
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:872
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1448
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vyp3aSwPg4.bat"
            5⤵
              PID:1572
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2832
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1492
                • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe
                  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2676
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2024
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1784

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Vyp3aSwPg4.bat

        Filesize

        186B

        MD5

        551169a40af643b2b3947122e05a985c

        SHA1

        e74b3a8ec85f869eb0064db458547628876a52b7

        SHA256

        a304c381ded7e1dbaf618862384367f9eb8627f14ed668e2a7fa86aac90fc7ce

        SHA512

        2a8746a0bb1b14f6a696e41ecead127fd910d7494c22daf64f19f0677875d9cbd79aea6e81516f5b7d1e2c38679dc801909600abac6534a191a3ff199b23b2f2

      • C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\nsyv1xzYu8VmbCzcG862c9WsvpRLyz7as0bRq7W1Tn2IOKgyOUASya2W1wA.vbe

        Filesize

        291B

        MD5

        e38ee1ac82a0f98f97f2d0f65c43f07c

        SHA1

        826e06d85af422da26e3baac2b8370d762b13de5

        SHA256

        b492062f1785a2205acc1de649539bd3db3e328eab63a9457d18e54e2cca6c20

        SHA512

        02f52a592eba58be3911b4a220b00d6be70b08bb209e9f9d1f79e841abd1d5dee0ec8c784232100002c6fe26e41cb83b2881cf8c934de5bc2b80a87bf682b542

      • C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\uo5q9MISAlMxXE7QNA1x3M7bBFAcJOtmOsD1tooxlC0BMSBA7z5lsvUd.bat

        Filesize

        115B

        MD5

        a3481864c868c617f8cf22bc2ea205b1

        SHA1

        3bc448934cf9c65607ca095c43fff6185847fe6f

        SHA256

        adda8c60ddbc883929dc8b08371940c5601993cea525d4f5f3e22ded9cf42304

        SHA512

        a5ed9fadad223a03ba756c3798d74dcc1d2e67572dcf22717137d48de4661eea102327e8346b3518a943bd43a0df1857b95143028478ff8974b7236666ca8ef1

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9KCWIYUXCBUJ6L15QBWW.temp

        Filesize

        7KB

        MD5

        ff51779bc6b27cc0a5a00cfdf50934dc

        SHA1

        768ba7c60390a2e4bcd449be9a32cd334ebc0cfe

        SHA256

        98d79ddfb10cac871fcd08b2530b1a6de1d0dc0fb70f2b2913d01d90da4b4865

        SHA512

        6a2a29a64a2f54569592dfa7475f84cd6f3b84cfe3b962f222573ff010507825a3345c3181129538633f687edbd827fc3e82bc8eec5d42b6e5fcf55f340e5652

      • memory/872-136-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

        Filesize

        32KB

      • memory/1740-139-0x0000000001150000-0x0000000001350000-memory.dmp

        Filesize

        2.0MB

      • memory/2256-135-0x000000001B890000-0x000000001BB72000-memory.dmp

        Filesize

        2.9MB

      • memory/2820-17-0x0000000000450000-0x000000000046C000-memory.dmp

        Filesize

        112KB

      • memory/2820-25-0x0000000000440000-0x000000000044E000-memory.dmp

        Filesize

        56KB

      • memory/2820-27-0x00000000007C0000-0x00000000007C8000-memory.dmp

        Filesize

        32KB

      • memory/2820-29-0x00000000007D0000-0x00000000007DC000-memory.dmp

        Filesize

        48KB

      • memory/2820-23-0x0000000000430000-0x000000000043C000-memory.dmp

        Filesize

        48KB

      • memory/2820-21-0x0000000000490000-0x00000000004A2000-memory.dmp

        Filesize

        72KB

      • memory/2820-19-0x0000000000470000-0x0000000000488000-memory.dmp

        Filesize

        96KB

      • memory/2820-15-0x0000000000420000-0x000000000042E000-memory.dmp

        Filesize

        56KB

      • memory/2820-13-0x0000000000830000-0x0000000000A30000-memory.dmp

        Filesize

        2.0MB