Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10-12-2024 17:20
General
-
Target
c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
-
Size
1.7MB
-
MD5
6bcfacff2920b20d946173bf95750330
-
SHA1
7a6166a959e12742b8d01ffe953ca1bd63bc000f
-
SHA256
c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339
-
SHA512
896bac1f6043b3f1b863f120450f747154d3d116c4bdcd725bc0d6c63b59345e8ca4ada1e0a794561854db8468356dfd9e17dac296dfa8097621f2d3b90c584f
-
SSDEEP
49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe"C:\Users\Admin\AppData\Local\Temp\c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe"1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5514232e-e2a4-418b-8943-21a4514b74ac.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f1448c2-978f-4de4-b3d4-56235289a6aa.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5956f9d-132f-4227-bdaf-51db23c77058.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85aa41f1-f720-4774-b31c-2d009abbc03f.vbs"9⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2cb9215-b7d3-485e-a066-773907b71ffa.vbs"11⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a50a93c1-2b72-48af-9aab-408aa4957258.vbs"13⤵
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"14⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c219f54c-536b-4566-8a8d-bb7e47f23593.vbs"15⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ee18b8d-452e-48f3-ac7c-daac506cd6c2.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac36a71d-96cd-48a2-9c96-60bd9dddff96.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\046de2ad-2f46-4890-9ef1-5e44ecf3c5fc.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3dff093-aee1-48a6-b3b1-8444a66530aa.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09cb0006-aae7-416e-aaa3-567b6c3531ce.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f07290e7-ae29-4f22-a305-b151825dd310.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f45d5fa-6e25-4a18-9602-3f93c532c71f.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD56bcfacff2920b20d946173bf95750330
SHA17a6166a959e12742b8d01ffe953ca1bd63bc000f
SHA256c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339
SHA512896bac1f6043b3f1b863f120450f747154d3d116c4bdcd725bc0d6c63b59345e8ca4ada1e0a794561854db8468356dfd9e17dac296dfa8097621f2d3b90c584f
-
Filesize
1.7MB
MD55eced9e7d0b7b40ac73fe0f8acab8391
SHA1ddcca033c5e85f03da78d216b8b17d90e1375a46
SHA25661679ae80b041e1109cd29500664650ac6c1bd41fb476e2432b3211ca1b45a98
SHA51230de3e7aeeac0d40c05a4bc428719d8dcf49568f320c8324da53662451a42a1961236fa7ab0efc3d3e833cba93ae007203d069a16d67190638b4ae2ceaced30d
-
Filesize
1.7MB
MD595dddb7e5880af7468403af9a87b2d8d
SHA1e575e09ebd27f0cdc534003d668fb0609caef252
SHA256160b84c5c3ca4993046eb0904e1317fa9933b58d458856a3125aa32cab4c8f00
SHA512880f095ff55e54e6fddb531f94b16e5524bfa1b1f76ab4a68f6db7d916c5cbb209ca5378bd11df46231860668d3dd60840a1935dfe532db9244af32dd472808e
-
Filesize
758B
MD597b0f732ce371c5fb53d5b2cf3fb047c
SHA1ffa65138bca6bad61c0f7582e6c37ea7a01aa7d7
SHA2565848efec9d2c39df9d9492e3decc63fda8bca9eb7acf50d323a6f069f8e930fa
SHA512cfc7da3347b3f934da85d470f27d028dd4917b78e9c9361e4a4af2915fb7c4a96dbf37189ffa13564aa98d844d086626b402fd022e9abf04032000cb34497ef5
-
Filesize
534B
MD5933b735d16f9b7487248c046e6fd7326
SHA156a4576388bd45ead170dcb70e9a9dd8a8b9df86
SHA256008fb77080901dcc91c889bfdfee68de6596d5a64fb0359fc8ea9bd6ebbca69d
SHA5122830c583eb1641963d39355b7d8db63beefd324046def7a65142fd109e61c84db723ea9295399c46bee78c7eaa4544b7dcc2cf9a9b49bcbd90deca78d4a04c52
-
Filesize
758B
MD5adfde80d873bcc99b7616fa653d1ad19
SHA1949f3f49d65f368937d42891bd1e92bfc0c8d9c4
SHA2561e0dbf8c5a3af3631ef0d0e4a6fe6544ca2c00330c9d7fb73c4885dfe4c0c126
SHA512a3cefda3cec064324c2464cc35dd8c0e25606a4a3f5654b0b37a60cc3c184b6cceb348b9229acdee7d485a727d66c75a0a5e8ff00f7bcbd60904127658575cbb
-
Filesize
757B
MD5a48296d16918c580963eaa735cb0d1b4
SHA179d1300869e1b99febeba4b2d53caaaa1893cb02
SHA256ec72c6ddf2a1a32be230801146025aee166009a79dc8c5a222845a9a521888e4
SHA512df232d7ae91744db7c3535f00fa3d0fe596997eccf32653037da456b1fdbde45280bdec98035010e227325ecde6293d6f702fde7df104ade1f3d46ac0a9de0d0
-
Filesize
758B
MD512a23aea1721a10715970e11d1b99684
SHA1f6c519233f878d0fedd4a30de91dcc7ddcb46fee
SHA256455d8fb2f5c0ef165b0c889876b34c1c9b0ec8ee63395e69fbf384b801092085
SHA5127ea572dc1228d71861009937abb6289e1d3b83039d642a1d4068807a5e669946e0dfeba67825851ac3dc6cb2be7a4bea9cc73a0ae7461d59884f559869f0a9d2
-
Filesize
758B
MD54b61159b906515164ea610135f2a8bb0
SHA139e9e53d881f1792c5e0b4e60dbeb96ba91f1edd
SHA2566578031a0f59621493884fc254d5d07c86cb38ab278a54ed9e4da7be5f3ee05e
SHA51211d768176673bcd7b8cab17ae0a1e15472e3a32def0fa280fa9b114bc273f2ce9dbd80a9410a159fd16d876994f374f944b0088996caca361e8a2c4a11eec76c
-
Filesize
758B
MD5d1402036809e4781b6c3d302ade86995
SHA18d73c63087676ab921b5b09b551d0917ccb5b417
SHA256a81c0820d1d54d8cf983213180826d3d336bab9c29d791cdcc93c12e2984752f
SHA5128c7f5fd7fb7998d49bd26f527785db0cf39aa14a5e99574a2c0a97771e603f4f28df3b838b7ee50be4a295008f6f7c0789eea7b0ea31a6b8fe0e8d95c19b0dc2
-
Filesize
7KB
MD5652c3beca9b0f36241c8c3bb3f9eda90
SHA1990ff8316cc5f65d3f797815a126699693f25240
SHA256258e297a8cdb68ed9a988e76761a0a2f60ac74ce6c6e84eee9b405ec926df9c7
SHA512e6e0ec25e2314fb14e3b98f97aee6c2e43ea52af55fd23e6d4bae275f6a1abf31e8a3663f02cbeba96218d4c1f39e0819e9269245ca0bece3de48c40212fb1c8
-
Filesize
1.8MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
48KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
1.8MB