Analysis
-
max time kernel
49s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-12-2024 01:44
General
-
Target
7fdcec09216465295e52ef182d3d999dbb943b9ca64301171ae6f8fc153d7b40N.exe
-
Size
2.2MB
-
MD5
5862163947e4c9c8a582139802752500
-
SHA1
d1f83488f1609e91e410e4ecce1c8a40a0824f4d
-
SHA256
7fdcec09216465295e52ef182d3d999dbb943b9ca64301171ae6f8fc153d7b40
-
SHA512
07f767bdcad34165b9bdbce92154ee8fc89436471b7eb7c6bb11f34c2dd110e6163ba9781cfe2d228d915a8c56e62e2c19a677601f4d29477cc4dd1ce1c77448
-
SSDEEP
49152:IBJ/8S2mDpxl4U/IJL4HfAzqLwvugU6fZ9pHhjEHg2Rl+yJmu3qwX:yZ8S2mDpxl4U/IJL4HfAzqLwvugU6f12
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7fdcec09216465295e52ef182d3d999dbb943b9ca64301171ae6f8fc153d7b40N.exe"C:\Users\Admin\AppData\Local\Temp\7fdcec09216465295e52ef182d3d999dbb943b9ca64301171ae6f8fc153d7b40N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\b5G22TwI5sSnSJKL7urg5tCF8EHPXDbL9yEMgA9LaYyHnpFyHeN8L6Oob76V.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\Gl46TpULdKzqTEeaDuM.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe"C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc/componentdll.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n5ycqeia\n5ycqeia.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCCA.tmp" "c:\Windows\System32\CSCB3A372CF2DD6478EA8E3AC6B462948D.TMP"6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rJuHHN30F.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe"C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Cursors\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Pictures\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdll" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
246B
MD51a7592a6c146841e74e211ecf928326e
SHA15acceae93a994641af57c9fbabc8ad812530a1e1
SHA256e6c98a370da72800e52136c33d7901ff60b4a4b1134679a91e99964887ac32fc
SHA512005fe21fe653f80d2996e866d250e3e1bf00818e53e3cf541598ea7d5432ff71e194b21b46971c531f427473e648df3d481889bec42a8e07978d35e553ea1fed
-
Filesize
1KB
MD5e33d3de225efb83073d6910f72c741a5
SHA11c913b297f0dff3f422576e2e200bbd1bb0ee393
SHA256c7b3f3c622f7b6155be334d6824f2a8336fa04f7f73c02ae051603ab8240db0a
SHA5124f6a4cd0c4a89cadeca67ff30ac5687d165448d5ad0d8e66e33dffe9885c12c8303f36453e078002d6feaaf609690174b8fc5f1123b09dc67bdae2439c54bdb5
-
Filesize
89B
MD598323978cd8426bb4eaf02610b43a8b7
SHA160106862147c23f62a8b3c315e99614a55a83e86
SHA25616f70a27fc2b9b69519984169dec646adc2c1ae59af5bc34c62a783bbd71657f
SHA512a0db58f068bb80372392a4a436ff260a9729f08eed7ceef01ecdce68ebbdedb481edccd358169983542a64962c602941c41f590a52663141de2cc2b2793b326a
-
Filesize
220B
MD5418d6c2804f2e772fd6dca301bf12a34
SHA1abfe7b99d95635c533a3d04f03ab28ab37dbdc6f
SHA2566dc0862dcb39c860680a7baa09be804992f68986a5f8450f1f6b0459995cf309
SHA5121c519fa0b9093a11c71228df5310ba580b26d3211ea1f8a4def1db50c8a42e9d1c4c8e73b98f7f5076e1c4744b18abf134c23adb744392aaf135f73395e61923
-
Filesize
7KB
MD53a61825f060a66e35716e968cd07452d
SHA1f936b4be55687fe9a0b0f068b09ac8b11ea3a682
SHA25614cc7696c053cdb325fc2f78c456b23feabf1750b7fcc13b015a36afd48ea432
SHA512726661cb504642b587b9cb6bc78c0b0239b59ae6a8cd987566c20cfb572f65f96afadd60d6a502c0097203da32e9c5da37aac6e15935bf52c51d3abc106d5cdf
-
Filesize
405B
MD5ebebb221dffba200c6273db4834a9c1e
SHA1f26e59692ac50c891033a704731d062ffcaea1bd
SHA2565f5c9c1c2d5632daada65c79404577eeadbed508547b4f7498a5c699cc6f456a
SHA51262b0e15b4355dec3cbfeb42e66a1e9af751d30917e3c1363df654d9e57497be9d9ad6c593b4ce2a62ffb47c0610a5488c4f9aedd2911a202610a2c55dd9cbf0f
-
Filesize
235B
MD514f7699349e6d24e1563a58942ab43e9
SHA142df579d1e66a99e88ddf0b668db8bae50ca0d62
SHA25604a71feea561cccde7087d6b7c26620fe710a77c7e2c98bf531bf329b838a998
SHA5123d990b7ec13272826d05f1309520f3740129c143d281ea31c2b0edec4f077f0dea58a1d1e93e1a9bbd1ebe98f74c9be431507d50319044126474528f643d7e65
-
Filesize
1KB
MD59446a6998523ec187daa3d79bec9c8fa
SHA116c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96
SHA256f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7
SHA512fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d
-
Filesize
1.9MB
MD50a65c7fe9428f97bb5efd56cc1e19617
SHA1b88d9cca07a6aa4f47a8c705329a0b2a7a1c9be6
SHA2561135cc4a0a57bae21afd676287902da8dc40073717570864ce05f6e590ef266d
SHA512224a9112b9f28f517becdfe7e206693c162f486c297b2ca1fd4f41662143576cacd6f1d9a441e4c4665a4543f9595bf7d40d463a7d04f72df897d705d4c4209f
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
2.9MB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
1.9MB