Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-12-2024 18:51
General
-
Target
7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe
-
Size
952KB
-
MD5
74ffc0f02c115af7ca2a9e63280ee91a
-
SHA1
cbc921ebe0671922b3495aead9c23c9d8305baba
-
SHA256
7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed
-
SHA512
e9a2453c1a3c897a94a0cb817c12dbda52c175a709704614cda8497ce95dd6f137d394d3e6c0136f73819b05c1248649b4a1fc147c90dbe0bdc25d12b1fa5179
-
SSDEEP
24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXX:Z8/KfRTKt
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 16 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in System32 directory 25 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe"C:\Users\Admin\AppData\Local\Temp\7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tQfOuHVhCp.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\System32\DiagnosticInvoker\spoolsv.exe"C:\Windows\System32\DiagnosticInvoker\spoolsv.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\KBDBUG\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\kbdlisub\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\VAN\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\{40E1AFD1-570C-4984-A508-7F615ABCCB7F} - OProcSessId\7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\AppxBlockMap\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\DiagnosticInvoker\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\InprocLogger\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
213B
MD5a977d5a3e88b620ae1362eeaa9006a5f
SHA18ec2e26910a1c982bf564dcb9865ae04a9138415
SHA2566b48775460a6ededd58287023579a7d1c9315ec8b0a91db0c0805379b0c8b294
SHA512e7e5800981337e06ad6715b095498e1b667f723b9e221cc7fd1fcf42ed8f32b434543e2309b37cbb09d3c2d0ffe3f37c3aa495760738bb59627bc05629b786eb
-
Filesize
952KB
MD57cc2ebc2d041aca26018af4a16c8922c
SHA172367e645c231f3605e08f5caf1f92379e63c1ce
SHA256ff3cdd1949e2f39d532e1018a6a6d4f8d5e9adab7d0249dc3bed6cc906c07062
SHA512330ad6d527a7f82ace4e26c2bf661c49299d1d28bcc24c250939053a369cc4cf3164f2e4a35d31f5d0e54384bf199d68eeb7d80e635cbb6e92546799b2d2da68
-
Filesize
952KB
MD5eb1be7f746b77cb220e698f4b964d2b5
SHA1459f35a097dcd1a050dc3584bfd8b1ee3a5f52c8
SHA256c2c50b6fb572bd265341da0219cdfe7df4d5444ea91154d11f746019cc7254d4
SHA5126dbc4474315fb24bcd9de6e0dd2752ac1c1fca8b99cb7dc7e6cef24901dfeba06ee8df3017d303d6694b1e57ead3a751b3a33dfff6f2e7b2521890fa6bbf20f4
-
Filesize
952KB
MD5db349ca343df17fa5cae035fb57eac5e
SHA1c10f0aa55f6ed564f12d2c4e6df487f581078638
SHA256c08b5ecdf54d2ce7a4e9c59a53e0fa2b60e5baf51e86fc93d02fd0ff03ebc506
SHA512bcc04621df37c4316d3715e82d53249e1a3983ac2e5efa54b627380392a032d95fd4709ccd3b63f99a065279f08eef8eaa0be8cd3f8bbdec2a221e20fe20ca68
-
Filesize
952KB
MD574ffc0f02c115af7ca2a9e63280ee91a
SHA1cbc921ebe0671922b3495aead9c23c9d8305baba
SHA2567a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed
SHA512e9a2453c1a3c897a94a0cb817c12dbda52c175a709704614cda8497ce95dd6f137d394d3e6c0136f73819b05c1248649b4a1fc147c90dbe0bdc25d12b1fa5179
-
Filesize
952KB
MD5e806e51df229532c4903bdb4133552a3
SHA1e51ada47a8a5bcec9cb1a84b010d09e4eb497d7b
SHA2563e7d15127cffba988ba2afe87938f0537531fbc26ee63112afd4123612100bbd
SHA512f372f790c1956c71a08b09f32942987d376de0a70945fa08824c8795cd8ec5d1894e00d3501c8ba4e9a3280c8eaea2fe15f8657c1a6ec998c25c5fc1d3564b02
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
976KB
-
Filesize
10.8MB