Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-03-2023 18:26
Behavioral task: behavioral1
- Sample: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
- Resource: win10v2004-20230220-en
General
- Target: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
- Size: 2.4MB
- MD5: 0e444044fdfea512ca18fc3396abb65b
- SHA1: 8b601ccad5b2a76967c0ca7579dc13d092307f34
- SHA256: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755
- SHA512: 7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119
- SSDEEP: 49152:bkcwlRFUh2b69Cs9MR3uh+tytRY1aLXYqIiiJd2EHt:bkdlRI3ceI1azYqWj
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (6 instances)
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3320 | 5096 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3488 | 5096 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3508 | 5096 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4640 | 5096 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4256 | 5096 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 392 | 5096 | schtasks.exe
-
UAC bypass 6 IoCs
Processes: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe, SearchApp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SearchApp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SearchApp.exe
-
YARA matches:
resource | yara_rule
behavioral2/memory/3468-133-0x0000000000DA0000-0x0000000001018000-memory.dmp | dcrat
C:\Program Files\MSBuild\SearchApp.exe | dcrat
C:\Program Files\MSBuild\SearchApp.exe | dcrat
C:\Program Files\MSBuild\SearchApp.exe | dcrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
-
Executes dropped EXE 1 IoCs
Processes: SearchApp.exe
pid | process
3480 | SearchApp.exe
-
Checks whether UAC is enabled 4 IoCs
Processes: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe, SearchApp.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SearchApp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SearchApp.exe
-
Drops file in Program Files directory 5 IoCs
Processes: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
description | ioc | process
File created | C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\5b884080fd4f94 | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created | C:\Program Files\MSBuild\SearchApp.exe | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created | C:\Program Files\MSBuild\38384e6a620884 | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (6 instances)
pid | process
3508 | schtasks.exe
4640 | schtasks.exe
4256 | schtasks.exe
392 | schtasks.exe
3320 | schtasks.exe
3488 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe, SearchApp.exe
pid | process | entries
3468 | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe | 5
3480 | SearchApp.exe | 59
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe, SearchApp.exe
description | pid | process
Token: SeDebugPrivilege | 3468 | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Token: SeDebugPrivilege | 3480 | SearchApp.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
description | pid | process | target process
PID 3468 wrote to memory of 3480 | 3468 | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe | SearchApp.exe
PID 3468 wrote to memory of 3480 | 3468 | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe | SearchApp.exe
-
System policy modification 1 TTPs 6 IoCs
Processes: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe, SearchApp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SearchApp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\MSBuild\SearchApp.exe (depth 2)
Command line: "C:\Program Files\MSBuild\SearchApp.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\MSBuild\SearchApp.exe
- Filesize: 2.4MB
- MD5: 0e444044fdfea512ca18fc3396abb65b
- SHA1: 8b601ccad5b2a76967c0ca7579dc13d092307f34
- SHA256: 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755
- SHA512: 7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119
-
memory/3468-133-0x0000000000DA0000-0x0000000001018000-memory.dmp
- Filesize: 2.5MB
-
memory/3468-134-0x00000000030D0000-0x00000000030E0000-memory.dmp
- Filesize: 64KB
-
memory/3468-135-0x000000001CF20000-0x000000001CF70000-memory.dmp
- Filesize: 320KB
-
memory/3480-151-0x0000000000C30000-0x0000000000C40000-memory.dmp
- Filesize: 64KB
-
memory/3480-152-0x0000000000C30000-0x0000000000C40000-memory.dmp
- Filesize: 64KB