Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12-12-2024 18:51
General
-
Target
7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe
-
Size
952KB
-
MD5
74ffc0f02c115af7ca2a9e63280ee91a
-
SHA1
cbc921ebe0671922b3495aead9c23c9d8305baba
-
SHA256
7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed
-
SHA512
e9a2453c1a3c897a94a0cb817c12dbda52c175a709704614cda8497ce95dd6f137d394d3e6c0136f73819b05c1248649b4a1fc147c90dbe0bdc25d12b1fa5179
-
SSDEEP
24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXX:Z8/KfRTKt
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe"C:\Users\Admin\AppData\Local\Temp\7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\WMPhoto\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
952KB
MD574ffc0f02c115af7ca2a9e63280ee91a
SHA1cbc921ebe0671922b3495aead9c23c9d8305baba
SHA2567a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed
SHA512e9a2453c1a3c897a94a0cb817c12dbda52c175a709704614cda8497ce95dd6f137d394d3e6c0136f73819b05c1248649b4a1fc147c90dbe0bdc25d12b1fa5179
-
Filesize
952KB
MD583f248bdadbc5da3b80cfe84f3d09797
SHA1cda319bafeb03339ce3726bf53d2bcf6b0ea88e2
SHA2562e0d2426be742646aebecfefb47e325076c2960f8e7986e2a1739d2f35dd930b
SHA512f8b6acdd66bd508031859ab8b0b5f50dd7f2492a1467614abb9d5d99f5673e3d0ac4b9f0927600143d26db63a9efbee1388c339020a3163ddf629182805f114d
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
9.9MB
-
Filesize
976KB
-
Filesize
9.9MB
-
Filesize
976KB