Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-06-2024 08:06
General
-
Target
48c2137034bee9bdfc2c9df1e71e9e04.exe
-
Size
1.3MB
-
MD5
48c2137034bee9bdfc2c9df1e71e9e04
-
SHA1
573e8453bc08e2b4e8e65b8560d81b150a9acdd8
-
SHA256
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
-
SHA512
5c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247
-
SSDEEP
24576:q0bcg1vqd25Gl35KcbOwGqq+AZbPxtDSk5/FX5vDlIXNQdS:qGy/3dSnEYFJvxS
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 12 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\48c2137034bee9bdfc2c9df1e71e9e04.exe"C:\Users\Admin\AppData\Local\Temp\48c2137034bee9bdfc2c9df1e71e9e04.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\48c2137034bee9bdfc2c9df1e71e9e04.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ecc5a11-4dee-4f2c-b4d1-b99cd6c41738.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2be315b3-41af-43da-86da-c0e0b845765d.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b021da26-ee32-4000-8de4-34afaaf8178a.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\explorer.exeC:\Recovery\WindowsRE\explorer.exe8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2052c42b-72e6-43a5-9167-770290a41603.vbs"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0ad6e41-4a38-41ad-ac7d-2bdf6ee06494.vbs"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7b12a73-5ed3-4b52-99df-e2e678033c4a.vbs"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4160,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\WindowsRE\explorer.exeFilesize
1.3MB
MD548c2137034bee9bdfc2c9df1e71e9e04
SHA1573e8453bc08e2b4e8e65b8560d81b150a9acdd8
SHA25654559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
SHA5125c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.logFilesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Temp\2be315b3-41af-43da-86da-c0e0b845765d.vbsFilesize
710B
MD586d8649f32deeaac699e4ff69912ff1e
SHA1f96ef379c6564b65251135dfa2c1c5e79b8b330e
SHA256afe08928fa189a3a6bbab5d1f138c71db14e45133a8914a5734b72fd2ab84d42
SHA5127b7cd06958350fa0fb513a9ce142a6063cdf381fdf9b2d8d34f83253ac389c848b9bcad36c81c39ac80081a029200c1947f0ead4a0a8d9079f72424d8aa9291c
-
C:\Users\Admin\AppData\Local\Temp\5ecc5a11-4dee-4f2c-b4d1-b99cd6c41738.vbsFilesize
709B
MD55ac687d8612f40b773abbfccdaa260f7
SHA1c0bbe58ed1b19c4c7e85b20a6a5275de0690bfa6
SHA256697f06a23ad9e4378b926560ef1876af5a13f76d74332a358482474f617b1a74
SHA5126ae0f9270e5a726dee27c7f05c28f2883aa5e7218e9be4390908deb6cdff22da035cb5e41ca23c7e97f936805db991898b4d23cb43ea2dd2580763e34d459c7d
-
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.batFilesize
199B
MD5538f3b6752b32efe9412602d116c7866
SHA1a4fb850a3e39998a01800b15a4130e553cf43ff6
SHA25699aa9736d480bdc0ccf649ab409003d81867d90e86732aa68240e9e2a7709244
SHA512cc4101b78b3bcc3d4e5c1c020a81cfe0788ef6fe5210c63b8f28ce9e9a7cadf17d841a9e9c414638c40a5e6870a0d6610301526d2f065e248379288472ef2495
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbykfmgl.k4w.psm1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\b021da26-ee32-4000-8de4-34afaaf8178a.vbsFilesize
710B
MD5734baea5e4ea3caee97f8bd18118f0a5
SHA1074de0febb9ca9d55df9b9739a1e99f10d0a7924
SHA256581e102e725b9a3089ce323652ab2ff568cb913aad8ba6ac5e7647e99f8efca3
SHA512445625e358764584ba7c97224e4ddd556cd1779b4c53374c32e57de39cbcb5d1ba4da43fdd4af06c67746e95d601551c493cd1f24e049b00a6cbb8c32683ac3e
-
C:\Users\Admin\AppData\Local\Temp\d7b12a73-5ed3-4b52-99df-e2e678033c4a.vbsFilesize
486B
MD553dbda2e8e847183c68d0881f2e9d1e3
SHA137b261d0f25e5b1cf4dd7db36a72e37a5bc4bc64
SHA25654e7b4fa09634e41f49f68d3698c8ee62e68c9ddd586cff64d3aaebe3b6748ed
SHA5128a47e20200f2329a24008f473d66551ae9b1fa94d458bb091a3cebfc7a9bec0e82847a60b8b64afc8c870b740930bcc5b6cc1fd9106e01d6f16fb92e142f03b9
-
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.batFilesize
199B
MD543a9df49d524d44f236cdae71e7065a9
SHA1a7f046d783bf40c7b7fd50b25ea90c6e10a0a901
SHA256a73b7383b335e4d741f9f67e44cab2b056fa45f3fc42ef53c97184777e0e3cbf
SHA512fd7432b61e4380ddaa910ef500a860c58984fa8b1b19f789e7e114868397bf5e3d3b824cbc760f4961c23bf34bd7940fb4f99b8c3b4542253f7c4816cc6c75d8
-
memory/448-81-0x000000001C590000-0x000000001C739000-memory.dmpFilesize
1.7MB
-
memory/1652-28-0x00007FF992650000-0x00007FF993111000-memory.dmpFilesize
10.8MB
-
memory/1652-5-0x000000001AF80000-0x000000001AF88000-memory.dmpFilesize
32KB
-
memory/1652-1-0x0000000000310000-0x0000000000466000-memory.dmpFilesize
1.3MB
-
memory/1652-12-0x000000001B6D0000-0x000000001B6DC000-memory.dmpFilesize
48KB
-
memory/1652-2-0x00007FF992650000-0x00007FF993111000-memory.dmpFilesize
10.8MB
-
memory/1652-11-0x000000001B6C0000-0x000000001B6CA000-memory.dmpFilesize
40KB
-
memory/1652-8-0x000000001B030000-0x000000001B03A000-memory.dmpFilesize
40KB
-
memory/1652-9-0x000000001B040000-0x000000001B04E000-memory.dmpFilesize
56KB
-
memory/1652-3-0x0000000002790000-0x00000000027AC000-memory.dmpFilesize
112KB
-
memory/1652-6-0x000000001B010000-0x000000001B01A000-memory.dmpFilesize
40KB
-
memory/1652-10-0x000000001B6B0000-0x000000001B6BE000-memory.dmpFilesize
56KB
-
memory/1652-7-0x000000001B020000-0x000000001B02C000-memory.dmpFilesize
48KB
-
memory/1652-4-0x000000001B660000-0x000000001B6B0000-memory.dmpFilesize
320KB
-
memory/1652-0-0x00007FF992653000-0x00007FF992655000-memory.dmpFilesize
8KB
-
memory/2412-59-0x0000017D6CF10000-0x0000017D6D07A000-memory.dmpFilesize
1.4MB
-
memory/2412-30-0x0000017D6AB90000-0x0000017D6ABB2000-memory.dmpFilesize
136KB
-
memory/4212-65-0x0000027FFBD60000-0x0000027FFBECA000-memory.dmpFilesize
1.4MB
-
memory/4696-66-0x000001C9F6940000-0x000001C9F6AAA000-memory.dmpFilesize
1.4MB