Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-01-2025 05:00
General
-
Target
d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe
-
Size
2.1MB
-
MD5
ec5fdacecceee343335d6a686ce75864
-
SHA1
965f210fa2eccd71a866908320cb92eb926b338d
-
SHA256
d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad
-
SHA512
533713c84dfcd9d23ffb338d9dd5c237ef6151315037ed8477f91bd89bad02639ee9e936cfc2ea5098f2bbff9e565115b14f71e287297d11328cf9c030512a4c
-
SSDEEP
49152:IBJi/YtO8s26Kzc1OpFAuD86cmG96kZTRc:ycoxd6Yc1+rXG3Rc
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe"C:\Users\Admin\AppData\Local\Temp\d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WebWinBrokerDll\d7VV42fpHwMzBQMSzwM0QGomZi6nsu6X6fwca17SIFxI7SHNedkYCWqtFx6.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\WebWinBrokerDll\OH5MsEg2KeRkhqJt.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WebWinBrokerDll\BridgeServerruntime.exe"C:\WebWinBrokerDll/BridgeServerruntime.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x14l4aen\x14l4aen.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE09C.tmp" "c:\Windows\System32\CSC3C943A95FC0E4F51873F6D9D53EAA136.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4tDdGdw7s.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Users\Admin\Downloads\TextInputHost.exe"C:\Users\Admin\Downloads\TextInputHost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgeServerruntimeB" /sc MINUTE /mo 13 /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgeServerruntime" /sc ONLOGON /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgeServerruntimeB" /sc MINUTE /mo 7 /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ec304e6883e155349ea4d3dae48d3479
SHA1f5cf7d654fb859e2f98e73ee2c99bec7d87b9f0c
SHA25612f33dc7d3e4245957c19c0556acf469b657526d53c10a5564773e3b0ed3bbc1
SHA512c1b08011398d2fec54f7813c9650bd3a8dd3c8295b3e021f5e82cafa94aa289e47c53a551b35302df84079c0f90d9831f70187d3c25e446b38109e73f9e05b6b
-
Filesize
218B
MD53f8fda7ddea5aa21891a4f0c89eee46b
SHA11097d6a878968188be6309669397ed629632a7c5
SHA256089412910c3c4f95f15aab991b3fff84d0b05b461571a84dec8bbeba6500636b
SHA512a67a1f453d86c6b665183a6331051c0085b1d24ece79257a9f7307ebb91d97ebd72595ecbddb20d6e5ba0daa6acc112c1b92efe4d02b6f8e50fa5315343f1799
-
Filesize
1.8MB
MD556554dd4e4fb40b0b5e23cbac2632fda
SHA1639002e98be388ecb14d2b973388531a124f2311
SHA256e93b10e93c375f1e7a2ad0df4c213a1630d64cac96e6467dd0926b2d44dac295
SHA5128bc6fb271d6459dcf0c27794dc9f90b83d606c100bc762ada33df238011d0518c85da3c64b37f451706a67030cc99f6a1194d65e2bc5a30ed1e5e029a3bb7288
-
Filesize
107B
MD541c6e0e5b5a7be33fd9e1f2c02adcc1e
SHA11fb52df44fb4a90bcc7311238dedfc1b9ccc6b4f
SHA256f873310a27b36240c42e0d93c877096e7163d2de480caf83fdce2ef1168376e9
SHA512a1ca006a8d9300f3743350243bf90629522bb2f71c80a8f3a6cc41759a5746a9bbe932b69e4ca46de7de3c555d66fe2f86c13a717806cc9acdbc80f02525c0be
-
Filesize
210B
MD57f45c1ae3ffa088fd090281714ccd636
SHA1e256ac2063feb5bbda9261ebd6941fe391fd5e62
SHA256096a645b2d6d4d076b4ee48d1e88372c59f895ce7db2a31d8f8aa0132d7ea5bd
SHA512cadcc93806689bf5b7c3679d160bc9000d6597fea1143f60fa98cc3bcc3107d0efeb2abf661d37ac80189d01fba1e43c533a0f0f31b006eda2175a2f558526b5
-
Filesize
404B
MD57eebfc8dc8b1f61413b873396fa64b89
SHA106348703b51b5ef38d7b5c0528df181687b7504e
SHA2567e5aacd6553a4e08a5791689f3603e762d9aae3c4951efb1a62764a06018354c
SHA51298c8d481ea492432af2b87e0135332023fdba7c9eb51ad11f973ceb5e38ecf526f46302905ae16042bc0d1e9bd8ef5f5cd35cc06ccaa848b5c918adf220507cd
-
Filesize
235B
MD534e6bc9fbe949e8a341eafb4ecee3fc5
SHA1e70ec36dc6edbea5a3c091dd1233eea0decc9287
SHA256be9b779a07ac1b87fa77bad10c70661ebc61adb921a2b59ca40486de50182f46
SHA512c0da559927a73fd1a842a95f6240862b4eebd7e540d64a91f3048d1c61e853199c1cf3b69f717736d33b6cd1d14452a1f87e0ec96633dff6e688a7fdc2c760ea
-
Filesize
1KB
MD5034b083b6729ade0b138a24cbdd66c6d
SHA1299c5a9dd91498cfc4226a5fe6d52ea633c2d148
SHA2568e3aa7a68c0bfea6cae11fe40e79aa1483bc2e43c4c3fd11fcebca1f7bcea0d2
SHA51243f68ec3211f2d1eb3a095713b3988a5b45a6fb03136876431edd3b25b628f904079557cbb60d0107c0444551db274c8e6817d63a543e8a7e390206af64d1cc3
-
Filesize
820KB
-
Filesize
1.0MB
-
Filesize
1.8MB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
820KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
8KB