Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-12-2024 21:01
General
-
Target
d23424c0067404957e3e18f85081a3341bee4165b461f2dcded51fadff7d790bN.exe
-
Size
1.5MB
-
MD5
80c10ba32141f1c07e1408cc48a8e4c0
-
SHA1
a3f2f9c3516e508b2eaf1324a51cfed32e45132e
-
SHA256
d23424c0067404957e3e18f85081a3341bee4165b461f2dcded51fadff7d790b
-
SHA512
04f2cc1bfd44d836a906173dcf013ea7a199c4f24be65f6e8308a70a9fba9515511bd8fefcbddf4fa4ed924b4ad5e3923926358495cd6607e63fb7fdfa43ff04
-
SSDEEP
24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK
Malware Config
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 33 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 10 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 22 IoCs
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d23424c0067404957e3e18f85081a3341bee4165b461f2dcded51fadff7d790bN.exe"C:\Users\Admin\AppData\Local\Temp\d23424c0067404957e3e18f85081a3341bee4165b461f2dcded51fadff7d790bN.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d23424c0067404957e3e18f85081a3341bee4165b461f2dcded51fadff7d790bN.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\winhlp32\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dmdskres\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04cbea1d-c050-4493-9a13-d7ba0f0c5f4d.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef80bb69-6a86-4141-838f-3e55ba22333e.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65521e8b-add7-4990-bcf1-eb4b50ca1b68.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\505eb185-224d-4192-8540-b94a0bfb1240.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93cbcf91-1f9a-46af-b522-b138e38c4534.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a4fee96-08a4-4388-9d71-1e93a0aadeb0.vbs"13⤵
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b26cec84-425b-4e04-875e-ac4ce101e0e0.vbs"15⤵
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e819247b-a71d-4357-b96d-eb37c4fefca7.vbs"17⤵
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a68ab85f-591f-48ae-af23-ddecd22ee43a.vbs"19⤵
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79ecb19e-5ca0-4a95-a6e8-025cf0b3ab79.vbs"21⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508518f0-4cc2-457a-a8c4-7279ac2c50ed.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8a3b6d5-77f1-484a-99ae-c93665694f5c.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ad8f2e2-4b41-4169-ba98-4e905d66477d.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b067c470-b3da-44a1-becc-185a155fc584.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72e35411-701c-41d9-9a88-44ec2f50d459.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02af76d6-1320-4e69-afc0-cf93e36165fd.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36f7e21a-fdc1-4057-aed2-c06ddbf3a169.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\719c683b-0b30-449c-ad00-c32260b09103.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1db2e3f4-916f-44d9-a0e7-174f5d22b9a0.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab0f2c37-f367-45c7-9d0c-c9094dd4a1ac.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\winhlp32\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\dmdskres\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD580c10ba32141f1c07e1408cc48a8e4c0
SHA1a3f2f9c3516e508b2eaf1324a51cfed32e45132e
SHA256d23424c0067404957e3e18f85081a3341bee4165b461f2dcded51fadff7d790b
SHA51204f2cc1bfd44d836a906173dcf013ea7a199c4f24be65f6e8308a70a9fba9515511bd8fefcbddf4fa4ed924b4ad5e3923926358495cd6607e63fb7fdfa43ff04
-
Filesize
736B
MD539bbe993ecf8585d29f7bf22ed6cae77
SHA1374c33fa82abf4e5c7c0195d9cef89f30c0e58e8
SHA256e49a90628a274c00906cac22897e876a26f81a707214644745f4aa527b614b79
SHA5122d5d71a3adea69a3040ee7eeac1883f0ee710311dc7ede1400db61c7e7cfe9c1e6cfb0c2cc2e372b5aed8088e6076479fb18b8a3282d3c6b1d6c6540cd085e46
-
Filesize
737B
MD534ec5e9b0a3b34e9dde4017fa8a6ae90
SHA116e5f8b291a0a520d0e24cd3266b05619f689d3e
SHA256a7f41b4cf8bd1cf5d96bee96cfc78a09e6ce87e56912647b733c23a7c56c3035
SHA51225b7de5ef0060a5f7bb317fdbb6fbf2406305f009a9ea51fbbe59e41f044aeba166575d286dcf8a06c6641490a83ca27197e41f8da96e5f69048c780927df943
-
Filesize
737B
MD5c2e9295f54e6337f19573decc0418665
SHA12b6cf97f7f063f8c1761a0a900a92e1926763bd7
SHA25644d67892f7a920837aa471fa0f89aa558b2bbaf6b94b5c56ecec67222663f265
SHA512b6f587248528989a48d17548e11c450ff4fc549ee91f017add097e85d5b11aecd47481d1944b24d7dcaaf26bdde6a91e9f00f12b45fe74f26d770bc80ac8a9d1
-
Filesize
737B
MD5b5dfcb8044cdf3ac6d68fa8dd248596d
SHA1c6e0bb7624cae0982654a29afdcc215190ca064a
SHA2560aa096022fc2dde19b77ed9d1e3a1246c268275ec933310316c864335388fb82
SHA5125e1df4835c2c0c878d921bcbdc89b54898f724e97237a95f08a0a9dc4a59718efe65423069f23c40bbfbca923d5efd141f093e3915d71fa239c2179835dc3b5e
-
Filesize
736B
MD58ad52b616924b6e5f1dd7485cd7ab8e0
SHA10174478723514e3dd65295cd37ea8747d5e91c61
SHA256b59ee4050fcafd8fadb57ff7f88fc2b678f9e9da81b42c9ad1c2df76cd419e2d
SHA512aabcf74b9a247a33c35d7a6337f3ac4f014bef6c5e7cf87faca2fbee0f4a0bb56d2f619a5539be336f369a4d348eaa9dd93c365712327ff10e2f91f182061e64
-
Filesize
737B
MD588fa4167d88fdd9e38fbfb4051105a14
SHA15a318a93e2332d7ec2a1866583c9741befece877
SHA25673419c42ec3dbec26c3bb8a8470c3a094592bb598af52666bc883e7229eaf1c8
SHA512efd23cc0d862a1ea2fb0e2f8ed994c4af127e0c7c8f2aae4d60d9cc568ac92afc44acd1d2db090ea0505258807afb7709b6688e3b506c7187ec89ffcb0be79a9
-
Filesize
737B
MD5f12f0227ca900016944457c54a54602c
SHA1889ba349e1478c717b6b72b3b0d0dc7ca9b1e967
SHA256d91924d9c7e28cd316a58a87674cff7954bac485e0a066af2ccb7f138737fe64
SHA5128a1a0e37b23cb11ec830762fa1c3ff99696f140c1aad50dab62772e95b5c507b8eedbea145eb0ab4e02bd2972727a44836cf974c6a67f18a3de72c0b1526f0b4
-
Filesize
513B
MD5a39f6735678ee82cf6dc06286dc7c94a
SHA1e4f74a986dbc1d7e69bc7df994eb0c58756ada2f
SHA256b294ac7c822de9350e8354263d0b0685310a03bf7895daff88cc6b33a3361d45
SHA5128c3dfc2eab92273d4888c9d5d4f68482f87b4a60efdfeef8ba306e282af57b6dc818523de86b7331a6b6cb47ce2502520d93056e33e58141e785dba917698919
-
Filesize
737B
MD51eb514e09050bee889eab7d5e088038d
SHA1df6702258eb8beb337576b2678263cb99bd045a8
SHA2565809194e7c92b74c4d16519ac6f959cff47c078e342b42762c2573a0ad363612
SHA512b0bb193a528107c2eadc48e7e873ff40970f96b74ef37308212d8c4fd2096e0e866f29cc6db7c86392b18306ac6b7c00f43a7a03063626c690352524fc827541
-
Filesize
737B
MD5cdb9c491981f07655f513eeed1102f59
SHA127c6167da614ae1ebf0543d381176cd23dd463a0
SHA25631da122d0b86b522eea1ffd86157f4501a83aafd97bdeeaef6709b9c3ccddd83
SHA512fe4bdda9f4c08b7c66facf857c3d46331398e202da2cf29b6bda63b67bf291a2b3f0357a1e65d0f1ff3ed0f44d1d676106735e9bddf42ef7df7147cf9d758fb3
-
Filesize
737B
MD512394764073cc85fa61a887b7e0d2992
SHA19c6ed242a6eaf852f80c847167075dc6dbb25358
SHA2567394dacd03b6fcbafcf04e90dd62db731596d01bbb1cad5a1a584652388c808b
SHA512b93e506f9e3ed3d8d17aff9956d5bdb1e599493e0fde141a649f4dbacc5a0d68f6f28e33f869e1e33a9601edb1e60046df1726e8d35a16257ad5506fc402eaba
-
Filesize
7KB
MD52cc19451f6302d0a43bacee8ebbe473e
SHA1df50d5c9324449a98100805e7ea3a7ef9db2444d
SHA256ea7517508d17b3c6988146a413b7e29727fca62ab54122f1a7beb8dd2d6ca74f
SHA5120f8d2bcb63427fc7bf13d5f7802935c7a685f906101f8a7a7f3dcda3ca9e8ab67f6a84d4e2e8d7ba19a9d69b1e0afa71f9d9b57d5a4e79d006086cce502db9a0
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
72KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
1.5MB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
48KB