Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 19:40
Behavioral task behavioral1
- Sample: 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
- Resource: win10v2004-20221111-en
General
- Target: 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
- Size: 365KB
- MD5: 26aac416b405eb46f35b28dbab437670
- SHA1: dd2e2c39196d4a524f1b28c4f5bdf39105c97f81
- SHA256: 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd
- SHA512: 383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411
- SSDEEP: 6144:61g8VILtCndjKC4gHAAcVKzNJkjNo22iHQSgg9tkaHgHNHbNNHvJoHHNHgzF2N7v:6fndjHdcIiJ2iHQSgg9tkaHgHNHbNNHq
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Processes:
    resource | yara_rule
    behavioral2/memory/4300-132-0x000001E9E3B10000-0x000001E9E3B74000-memory.dmp | dcrat
    C:\Users\fontdrvhost.exe | dcrat
    C:\Documents and Settings\fontdrvhost.exe | dcrat
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1412 | fontdrvhost.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files\Windows Defender\fr-FR\560854153607923c4c5f107085a7db67be01f252 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
    File created | C:\Program Files\Windows Defender\fr-FR\wininit.exe | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
- Drops file in Windows directory (6 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\Vss\Writers\Application\taskhostw.exe | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
    File created | C:\Windows\Vss\Writers\Application\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
    File created | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxMetadata\upfc.exe | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
    File created | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxMetadata\ea1d8f6d871115e19e634087152e4aa43b875a69 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
    File created | C:\Windows\CSC\csrss.exe | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
    File created | C:\Windows\Vss\Writers\Application\taskhostw.exe | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
- Creates scheduled task(s) (1 TTP, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid | process
    3376 | schtasks.exe
    444 | schtasks.exe
    840 | schtasks.exe
    5092 | schtasks.exe
    4932 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
    1412 | fontdrvhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
    Token: SeDebugPrivilege | 1412 | fontdrvhost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 4300 wrote to memory of 4932 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 4932 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 3376 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 3376 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 444 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 444 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 840 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 840 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 5092 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 5092 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | schtasks.exe
    PID 4300 wrote to memory of 1412 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | fontdrvhost.exe
    PID 4300 wrote to memory of 1412 | 4300 | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe | fontdrvhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe"
  Signatures:
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\taskhostw.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxMetadata\upfc.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\wininit.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Documents and Settings\fontdrvhost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Documents and Settings\fontdrvhost.exe
    Command line: "C:\Documents and Settings\fontdrvhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Documents and Settings\fontdrvhost.exe
  Filesize: 365KB
  MD5: 26aac416b405eb46f35b28dbab437670
  SHA1: dd2e2c39196d4a524f1b28c4f5bdf39105c97f81
  SHA256: 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd
  SHA512: 383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411
- C:\Users\fontdrvhost.exe
  Filesize: 365KB
  MD5: 26aac416b405eb46f35b28dbab437670
  SHA1: dd2e2c39196d4a524f1b28c4f5bdf39105c97f81
  SHA256: 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd
  SHA512: 383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411
- Memory dumps:
    dump | filesize
    memory/444-137-0x0000000000000000-mapping.dmp |
    memory/840-138-0x0000000000000000-mapping.dmp |
    memory/1412-140-0x0000000000000000-mapping.dmp |
    memory/1412-144-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp | 10.8MB
    memory/1412-145-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp | 10.8MB
    memory/1412-146-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp | 10.8MB
    memory/3376-136-0x0000000000000000-mapping.dmp |
    memory/4300-132-0x000001E9E3B10000-0x000001E9E3B74000-memory.dmp | 400KB
    memory/4300-134-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp | 10.8MB
    memory/4300-133-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp | 10.8MB
    memory/4300-143-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp | 10.8MB
    memory/4932-135-0x0000000000000000-mapping.dmp |
    memory/5092-139-0x0000000000000000-mapping.dmp |