Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 12:47
General
-
Target
голые фотографии акима.exe
-
Size
3.7MB
-
MD5
934f077da68d3fda26839f06286b71e4
-
SHA1
f805ec2e43d7518d420b94b954fd6b4e640ef64d
-
SHA256
0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b
-
SHA512
85e2bff55ce5aa6569d50146a3d95c611f774605fa9a8ee041cede3a928bf7585943e63aaf9eb5b14dc4d25fe6bee3e57d58c9b586653322300aaa67e87dd714
-
SSDEEP
49152:UbA30FDlon6ZtXRUNAtf3zkDcpigc4Jp8+bF5BxiLFHqzQ6yQH2lJwtYv2:UbZ7tXyNAtf3Rigc4n58xHqzQ6TH2Lel
Malware Config
Signatures
-
DcRat 21 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 15 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 10 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
System policy modification 1 TTPs 15 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\голые фотографии акима.exe"C:\Users\Admin\AppData\Local\Temp\голые фотографии акима.exe"1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BridgehyperchainportAgent\lcZ6MvLb.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BridgehyperchainportAgent\akmRZ8KYIwqCrue04KkAUPxFzhoyZ.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\BridgehyperchainportAgent\hyperblockDll.exe"C:\BridgehyperchainportAgent\hyperblockDll.exe"4⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rdf1ZkWNde.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\BridgehyperchainportAgent\hyperblockDll.exe"C:\BridgehyperchainportAgent\hyperblockDll.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HPJZN0gsBU.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19d2a0dd-69ed-47a2-9ada-e6ef0654034f.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69293216-2b3b-482f-997c-71ad0e23dee9.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w0sePnjeqs.bat"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9978cadf-63ec-49e5-b8d4-3c45ffddfc0c.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5wDdqOa6yG.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\487fe2e2-b685-409a-9e95-92a37ff9f600.vbs"11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XulrEiBG5n.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files\WindowsPowerShell\RuntimeBroker.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e287bf0-476a-4ca9-b5bd-c460655fbf20.vbs"9⤵
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BridgehyperchainportAgent\file.vbs"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\BridgehyperchainportAgent\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\BridgehyperchainportAgent\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\BridgehyperchainportAgent\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\BridgehyperchainportAgent\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5efb9b32455839f2f1e46065e13aeb93f
SHA1cae49ccdd500a9808ac144387b15ad6ced46c036
SHA256611d9c30bfabaaa6e9aee5c75025b71dca9116c45300ac325febeefe2d5b0e24
SHA512351d053f36e497238add089f19e30f164c1110be7826d58e7fb71705b06a7d6d51789add692ac08af4c1e613e3f9c54789a5c8f707ad302a70bcd379645cff1c
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
3.4MB
MD5df6d3aff42df48d0830227cae92e6bd6
SHA1bf7f75fd82694b2a44098df2b28c2db35e7ea142
SHA25605b5df5bc84e193fba3aa26d1b20cb81faa7b176a24a8df2238c8ed61e6e583a
SHA51207163831729582397fdbdcef5d921750b2968b9d555fd0b881913ae1b283573e4efc827d0eb51552882743b541e44ff2a8dbf0d99a4e5c3f47228a4536bab64a
-
Filesize
231B
MD505a47a3e17c29bf5b8bc6949a26ccb44
SHA187e896625a30943a252a839ba3e22507422bbb04
SHA25685f873ac1def74dea8180c0cce0084490505d2bc213abf34d3a95fda4b92c63f
SHA51272ef9bb092cfbc824341aa0075ee594b410e9afea3a8ae40c0f1743a4cb2528005701099ef156dc0f2a2da4474809f1d5995e01d12c6ac36f0cc7ae6baf8f64b
-
Filesize
1KB
MD5655010c15ea0ca05a6e5ddcd84986b98
SHA1120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA2562b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437
-
Filesize
728B
MD5564bc242dc4560a85b778cf6caa40dba
SHA1cd0e622b960850ba3f01e61ba66f812d3c2e55c3
SHA256081b703bc90ec420a2cd052e11fbccf60686c7b6167e7c84b15cdd8c154f697c
SHA512ffae429192aa577f2c3b8725ad10f1d8e1559055c438b3aaf44f555ab5d656503d941988c99d62cd4ccf67b8c7d3b7995b1d2b9849930384fa7172e71b844b12
-
Filesize
504B
MD5240f46f466fc4eef99b78818de7ac25d
SHA120fd6f26bf284ba4b311d5b0530bfe6a30cc46ef
SHA256219407dd1d745a992ce0b18a6806a0749679ce8058c928e5964fd021b58ee787
SHA51203ae9204dda023be227e475d042652764dcc172003d304cd1c0ca1fcbb2a4a950de82d5260bd56ee5f574cb223c44590209e6eb802944c94a240b2737f4f0f32
-
Filesize
217B
MD54402387d8634dde4c70b2e226f0b9865
SHA1a0000317bc12f9bc7da969b7f00e5eb1c46031fb
SHA2565a8c72ba25e19ac8d71abad06b9a485effbf884b854d38a8ee52d3cabedfde14
SHA512765cf87ad5bf0e0d3e0284665f145f27ac29b788cc301e076534ea65b5e765c0f79bd2adcb1ffea0ad946a7d003575de2921dd06a36786a364ccd49298420170
-
Filesize
728B
MD541827c3ed848ca5123317bf9c40bb64d
SHA19cf5a8560ad9639b8548c547d270c2ac0e1ee14c
SHA2560864d509d20d6d403fe3a32fffc9a1514908063c42675aaf0da3a44e16ec5bbb
SHA512beb382c3e23bcfcec17bd632130a91987e4db5b7344cfdbead1f96d2d4d3d7dcab6f734324ba77bb6e31be0469989301962ea993d78259f2dc6aa25a023ac42a
-
Filesize
728B
MD5924e093b33920b3223525fec391544da
SHA12ec59432920db9b8765f047136b5bb0d39d64a96
SHA25647598b90ed308fce46183ab3d267e002ad900265fa2571b30d3b4b6b88e350ab
SHA512a9386d88d2819bb91ca5f21842174213be1840afabbc2ae63d420fde16193b3dc482f7aaf6118a8610bb2d3e2c97be9d4ee61880c4dfca2d86110bc4ec9b1797
-
Filesize
217B
MD581d819e1992921d10e7c2a66890a42d3
SHA11e59984e8c30fffd2fe78f09f07fc07c2beb1008
SHA256983e7a452145b18a575a7fcec5cd04d1a385582115e42bcdc6a23966ca4b22d9
SHA512fb10904f45c802f0ab0cad95d2dfd82689caaac86735fae3a3133c77b537b750d84b40f48e2b5776a75dca381a47948ec51e970f02cb8ba2c7591e696ec32551
-
Filesize
211B
MD504abcc64b7b6b7a3f813dbc114e8f947
SHA15224963e85c685e45ba72802460992a28ec71b82
SHA25633de333f4ea8f01e6a06e9b5a003c81e6b163139be50ea28fe010dd6ff75714f
SHA512e59d42cae2ff56ea6c4cc0d0b71b52a340fd879643636c8fa705b92baf508584058a8ae4d58e0665fa7abcd2dcf1f00f8143c984101f4016f329982c430aef69
-
Filesize
217B
MD52dbb4dfd25287da3618f4343fdb25ac1
SHA1cc2cdab04bc3595259dc9b9736f24cca5132a95b
SHA256a029468f91b67523ab7a5f7e6cd30fb73481112bbdaf967140ac7fd7b1125b6b
SHA512260f15f8abd51db388110cb6d3a8a70ab687385e46e2349c43f03c3f24b1ee33cc39eb15e23e76fab1b848177e1c4b368927d5cf74f81ccb14cabd37609a57fb
-
Filesize
217B
MD5a9dd00df6beac0bdf04f8b9c67b33e01
SHA14fa6af991a66867d98d21beb74ca1158696b7126
SHA256eece7b93ef2118f7d6caea571dad23889aa24d1dc49f560b875a0fc52ba0bb41
SHA512675f5d70bc5d6f7724703a71ee02831c0431dec3738b69132c5edf76469e4336992d634e60e583a2e1fbbc0717bb00ac72fc7fbee23cea18d8080eaf8dc46b74
-
Filesize
72KB
-
Filesize
644KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
3.4MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB