Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-12-2024 18:56
General
-
Target
27e67aaa049c2243423f3c2c33e7747033f63234eda122bc9beaad90528cfd0dN.exe
-
Size
952KB
-
MD5
8e6e52fa1da6893e7bee069c7e5dacd0
-
SHA1
e05854289cc5bb1c60c39fd5453b720cf79eabad
-
SHA256
27e67aaa049c2243423f3c2c33e7747033f63234eda122bc9beaad90528cfd0d
-
SHA512
19ca97f006c3a34bc16f6d0538b3ef3d40ebc80c4b2a7019c91ffe989250f8109e337af2c808aa4010c72334d2afd6883f247f573b5b33b5b4d019e234d881b9
-
SSDEEP
24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:Z8/KfRTK
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\27e67aaa049c2243423f3c2c33e7747033f63234eda122bc9beaad90528cfd0dN.exe"C:\Users\Admin\AppData\Local\Temp\27e67aaa049c2243423f3c2c33e7747033f63234eda122bc9beaad90528cfd0dN.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hZGZFefqLi.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
952KB
MD5580b0761a3221abbf22e70c68aec9592
SHA1aaac46de47701bc12b0a1a9f056294ccfa5878ae
SHA256add49a1b320c1fd682cc74185c7c46f3dd01e0a42f8215b952bb8c5585eb37b3
SHA512b5d150761d10e8f60ee96a58f089c2b77a24caf29013439b86cdf3147df24b0d38a0a7ee83fa171e983230ed8d8b8038589327b2b5168ba4551db51d672be6a6
-
Filesize
952KB
MD58e6e52fa1da6893e7bee069c7e5dacd0
SHA1e05854289cc5bb1c60c39fd5453b720cf79eabad
SHA25627e67aaa049c2243423f3c2c33e7747033f63234eda122bc9beaad90528cfd0d
SHA51219ca97f006c3a34bc16f6d0538b3ef3d40ebc80c4b2a7019c91ffe989250f8109e337af2c808aa4010c72334d2afd6883f247f573b5b33b5b4d019e234d881b9
-
Filesize
196B
MD5b231b1db592313142cbe20abae0502c1
SHA161a3d1c92edbc43d86c0e941b5d4275060ec4f06
SHA256603a2acd329e8f4697b6c95546646e9b817517e4fbc5b734408a7594fbc26638
SHA512987e503161ad8c901a8aca17bf6add56328105c2bfd4adf9284a6a09df48f311007e78c1784a9d7c9385582b6a824a7a1ffc6b0c00f692264e164cc80045229e
-
Filesize
952KB
MD597f9907be278bd1e128d29c3ad11485d
SHA19a08979c6139842fbf685760ccde4d3cea729dca
SHA2561e05a182e7f4e0289b0c4aacb4a1335660fdd0aaaf02f3cd87740d36bd6da235
SHA5121af05e4fad3df1d0b7e6ab4f1a19870b7ce5561dd70542eebbb9c776254236a39958a82511ccd41ad87fe34767b91b38c29654471fd00b07d87c4122aa167c89
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
976KB
-
Filesize
976KB