Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-12-2024 15:41
General
-
Target
a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe
-
Size
1.8MB
-
MD5
4952c912c225b6b8938322dbdd9a9783
-
SHA1
33317daf672163d262782f65765971b1ae8007b5
-
SHA256
a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473
-
SHA512
582d1e2689332ac644954c77a9edc691e6360d4390ccc53bf22d12d77e82ec2ada21204bd006e5092989a9d9cef6a1c956b899110cf652218911f0277b6a997e
-
SSDEEP
24576:lTbBv5rUKDF1CAWfaC+ZeyMhYVHsVAq7KvsQCvwi5xLoJBLxqaFnvdioFnewSr/3:PBjF1hWYqVjwrCYi7MPhn5n3azk8
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe"C:\Users\Admin\AppData\Local\Temp\a1f5b3ea9c7b1d6ddc99ed08cdeb1ada93c5818a2fd8eda010c5f253a484b473.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Componentperf\cfktGpUTtRSX2yQKRIoM3JndHvk9YcKcheeigUIMecfNqLjRtVUp9sGs.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Componentperf\SQ9jEh0oYRCdpe0w7L4R7l.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Componentperf\componentdll.exe"C:\Componentperf/componentdll.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f2pgqg2h\f2pgqg2h.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD273.tmp" "c:\Windows\System32\CSC2234C447D294782A24A35B1BCB6939D.TMP"6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Componentperf\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Componentperf\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Componentperf\componentdll.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EkMrK4zwJl.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Componentperf\System.exe"C:\Componentperf\System.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nLkpgeVQrJ.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Componentperf\System.exe"C:\Componentperf\System.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Componentperf\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Componentperf\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Componentperf\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Componentperf\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Componentperf\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Componentperf\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\security\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\security\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\security\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 13 /tr "'C:\Componentperf\componentdll.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdll" /sc ONLOGON /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 10 /tr "'C:\Componentperf\componentdll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94B
MD538245dfef92b3892bef514a4f569b043
SHA12e96ba9b418200bfb9e33544f3669cf452d27f27
SHA25686e2a7dce38cdc6eb73f29c05352980861c22db7268140b777b07b21f9f5dd0d
SHA5122b0dd13c4214e217ded08ec4807bea9a3d70fab80492056ce028db234b5347bc1592025cbf39fca58dfe7aeb72f78493cd137fa658ecf334d84821e47a20724c
-
Filesize
214B
MD5d2b8c634d59aedcbe2bba990a7e3ce86
SHA132e5591d46e65520765fbf7e4c204cc9a2345b55
SHA2568f63f2cf87891a4fcf31564af3b2b76c8e28e2c0aae723dd3724a5f4e48cc508
SHA5122858d0659984e01529f6e3f3a1e90893e3c2f745b35961aef8ab0f85edf61f746dff5d2b4733dafd9ffddcdf7f0b87189e7d89d24b3f54ed74afb40ef281cbf0
-
Filesize
1.9MB
MD57fd78c3dfb4d897f2e572a89721f272a
SHA10bf21b96846c8ba92aaffc8eef868f4ed2d36eb0
SHA2560b336aaf70796274f51f9ee315077e63433c16a84cedc1a4fe45fc17759d2aca
SHA51295693f447a4a0e102ad90f1e574ea15ce4279f6bb937cb7ba5fe384ec96a665561f9798c5f85f925c98354fbfaafda7fd099d9a7f4008c3410e23535bc4253cc
-
Filesize
1KB
MD5935ecb30a8e13f625a9a89e3b0fcbf8f
SHA141cb046b7b5f89955fd53949efad8e9f3971d731
SHA2562a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9
SHA5121210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
203B
MD580e9f85ca7ea87c0e70be5569022ccdf
SHA130577231d038bc1eaf8693de65f82e8634ff97a0
SHA2565506e293e9669bc099177d90b38381639ff0da415ac1ca0b20e6fdb58682a0a7
SHA512d0364b1536382df1164741b344b444f103e6754da7b0efaa4e0426f15e63aa1bd622248880d46c4d424ce0d26f7d077b4880f67d2f716c010fa21845ae8998d6
-
Filesize
1KB
MD5cf2e88f494ab72539f90224a12c775eb
SHA16b5a8b732fe79b2aef6da70e66d1bc1ddd70b2fb
SHA256814c3163bf500d0cd6d8d92510f1202f8e4167fbc050107adb61ec6a228a47bc
SHA512ccd4a46525b8e6fc2429f8558bfdb5aefe2a01ced3f8fc1ef2d07bf8f1f8466d1121fd6d109ea20945e2e4ae5647105a9d4c803ca9e92a8a2ef4b4326b76de85
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
203B
MD551d939ce075327fa184b942a13d01b07
SHA193fb3440ef9d70f621d0115d4a19871d80820ba9
SHA2564b1edefe8edef3eaeaf43cae31b6e8660b58fe80bb407b22834ef9567e1afe92
SHA5122f916d8ac04edccc69aee3ea83754ab5724518f4249bf262774b894333ae9584f6cbdd17f6eea4db1a61e7ea1a095346567d6a2a1e1d3fa3b60eb7132404b81b
-
Filesize
365B
MD57b335f72ad7b8cf81f96fb90dcea314a
SHA18232c53cfd51933c793d2270bbb909ad72a3d2f9
SHA256da0deb72d70364d1d0947e6ceb5842695cc2b9c8001d2a0d40c6be8108c594cd
SHA5129cc10731957ac38187b468f2b182b70867c6f0f73bf3b40b078d5b5cc1c15c6db066c0b57cbc7a3d9bb1714a8dcea22be2464f2cf151006d76852f66851b20cb
-
Filesize
235B
MD5792e7720835262125a9269ce97a41cee
SHA1eeac177edd1083503eae1f7d80ef8790218cc0ff
SHA256de25800f98011ffed583e752f9d0abf4a41041289d4b8c2f505e683294b79cb0
SHA512c65c024e79da0df5af8442fe8f56372fd598fe4b45f0ce78496713cc47ee7de809fc3bf112d62a1742ef20dcf6817353380c849139c70418a6b3bb30851291a4
-
Filesize
1KB
MD575e32610d8ef6143201c7c28465fcda9
SHA1b2bae99fade2dda07aecbe1659d184be0fc4e7a6
SHA25697ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
SHA512b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc
-
Filesize
136KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
1.9MB
-
Filesize
8KB
-
Filesize
820KB