Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-06-2023 00:39
Behavioral tasks
- behavioral1: sample file.exe, resource win7-20230220-en
- behavioral2: sample file.exe, resource win10v2004-20230220-en (the run shown on this page; the memory regions below are labelled behavioral2/)
General
- Target: file.exe
- Size: 1.1MB
- MD5: 06eae25115858e2475c1bab16bae9585
- SHA1: 657cdc54121fa9baaae7cc944ed935e1eddf4ebc
- SHA256: d9bed95674d8f25aba2b84067e0691d254c86d686a4ec42dec119a8a2b006c98
- SHA512: 2ad4ccbbf950dac84d2353b9d59e8d59415ec3f9bef1d226270ebc4f416489dc6c39b5c4725dd10316b2cbc6adc8bef3e7db8e430ed581444857db8e0d0c53d1
- SSDEEP: 12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbiYS3HzuWTEv3L9aCcyYiqlbl117n1k4Rq5zs:U2G/nvxW3Ww0t03THqRaCQJThLis
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 12 IoCs
This signature fires when a parent is not expected to launch the observed child; it often means the parent was compromised via an exploit or macro. Here every schtasks.exe has WmiPrvSE.exe (the WMI provider host) as its parent, which is what the parent looks like when a process is started through WMI (Win32_Process.Create) rather than directly by the dropper, so the task registrations do not appear as children of comNet.exe in the process tree.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4332) is not expected to spawn schtasks.exe; child PIDs 4288, 3972, 3732, 3500, 3064, 4428, 4648, 3396, 2732, 1764, 3676, 4192 (one per /create invocation listed under Processes below)
YARA rule hits (rule dcrat):
- C:\providerwindriverHostDll\comNet.exe (listed twice)
- behavioral2/memory/3040-145-0x0000000000610000-0x00000000006E6000-memory.dmp (comNet.exe, PID 3040, in memory)
- C:\Users\Default\SearchApp.exe (listed twice)
- C:\Users\Default User\SearchApp.exe
The on-disk hits are the same 827KB binary under three paths (identical hashes under Downloads).
Checks computer location settings 2 TTPs 3 IoCs
Reads the GeoID stored under HKCU\Control Panel\International\Geo\Nation, the country configured in the user's regional settings; malware commonly uses it to refuse to run on hosts in particular countries (a geofence). The report records the query only, not the value read or the decision taken on it.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation by file.exe
- Key value queried: same key by WScript.exe
- Key value queried: same key by comNet.exe
Executes dropped EXE 2 IoCs
Processes:
- PID 3040 comNet.exe
- PID 1892 SearchApp.exe
Drops file in Program Files directory 3 IoCs
Processes (all by comNet.exe):
- File created: C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe
- File opened for modification: C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe
- File created: C:\Program Files (x86)\Windows Media Player\Network Sharing\5940a34987c991 (extensionless companion file dropped next to the copy)
Drops file in Windows directory 2 IoCs
Processes (all by comNet.exe):
- File created: C:\Windows\PLA\Templates\unsecapp.exe
- File created: C:\Windows\PLA\Templates\29c1c3cc0f7685 (extensionless companion file dropped next to the copy)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe PIDs 3396, 2732, 1764, 4288, 3732, 3500, 3064, 4428, 4648, 3676, 4192, 3972 (the twelve /create invocations are listed in full under Processes below)
Modifies registry class 1 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings by file.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
- PID 3040 comNet.exe (1 event)
- PID 1892 SearchApp.exe (9 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Repeated GetForegroundWindow polling is typical of a RAT tracking the active window for activity reporting or keylogging context.
Processes:
- PID 1892 SearchApp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
SeDebugPrivilege can only be enabled if the token already holds it, i.e. the process is running as an administrator; it is what a process needs to open other users' processes.
Processes:
- Token: SeDebugPrivilege enabled by PID 3040 comNet.exe
- Token: SeDebugPrivilege enabled by PID 1892 SearchApp.exe
Suspicious use of WriteProcessMemory 10 IoCs
Processes (parent PID -> child PID; every target is the child the parent itself spawned, consistent with process creation rather than injection into a foreign process):
- 1684 file.exe -> 2296 WScript.exe (3 writes)
- 2296 WScript.exe -> 2044 cmd.exe (3 writes)
- 2044 cmd.exe -> 3040 comNet.exe (2 writes)
- 3040 comNet.exe -> 1892 SearchApp.exe (2 writes)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree for behavioral2 (PIDs taken from the signature tables above). Each node gives the image path, the command line, and the signatures it triggered. Chain: file.exe unpacks its stages into C:\providerwindriverHostDll\, runs the .vbe through WScript.exe, which runs the .bat through cmd.exe, which starts comNet.exe; comNet.exe writes the persistence copies and starts the SearchApp.exe copy (same SHA256 as comNet.exe, see Downloads).

- [1] C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1684)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe (PID 2296)
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providerwindriverHostDll\eQhltUTnqbyYIJBHh.vbe"
    (The image resolves to SysWOW64 although the command line names System32: file.exe is a 32-bit process, so WOW64 file-system redirection applies. The .vbe is the 220-byte script listed under Downloads.)
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2044)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\providerwindriverHostDll\5O0IdEW060cxJkvUmnX.bat" "
      - Suspicious use of WriteProcessMemory
      - [4] C:\providerwindriverHostDll\comNet.exe (PID 3040)
        cmdline: "C:\providerwindriverHostDll\comNet.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Default User\SearchApp.exe (PID 1892)
          cmdline: "C:\Users\Default User\SearchApp.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\schtasks.exe, 12 invocations, each a top-level node with parent C:\Windows\system32\wbem\wmiprvse.exe rather than comNet.exe; each triggered "Process spawned unexpected child process" and "Creates scheduled task(s)":
  - schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe'" /f
  - schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f
  - schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f
  - schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchApp.exe'" /f
  - schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
  - schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
  - schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Templates\unsecapp.exe'" /f
  - schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\unsecapp.exe'" /rl HIGHEST /f
  - schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\unsecapp.exe'" /rl HIGHEST /f
  - schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
  - schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
  - schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

  Pattern: for each of four target paths the same three tasks are registered: a MINUTE-interval task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST. The task name is the target's file name, with one extra trailing character on the interval tasks (dllhostd, SearchAppS, unsecappu, cmdc). Because the two interval tasks share a name and /f suppresses the "already exists" warning, the second /create replaces the first, so two tasks per target survive. /rl HIGHEST requests the highest run level available to the creating account, which in this sandbox run is an administrator. Every target masquerades as a Windows binary (dllhost.exe, SearchApp.exe, unsecapp.exe, cmd.exe) placed outside that binary's real directory; the fourth target, C:\Recovery\WindowsRE\cmd.exe, does not appear in the file-drop tables above.
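As an added detection example, not part of this report or of the sandbox's own signature logic, the following Python evaluates process-creation events against the two signatures behind the list above: the unexpected WmiPrvSE.exe parent, and the persistence pattern visible in the twelve command lines (a system-binary name outside its real directory, ONLOGON with /rl HIGHEST, short MINUTE repeats, and a task name that is the target's name plus one character). The events are constructed from this report's process tree plus one benign control; the parent allowlist and the legitimate-directory map are assumptions to be tuned per environment.

```python
"""Flag schtasks-based persistence in process-creation telemetry.

Added example, not part of the sandbox report. The events below are
constructed from this report's process tree (parent image, child image,
command line); the allowlists are assumptions to tune per environment.
"""
import ntpath
import re

# Parents that ordinarily launch schtasks.exe (assumption: tune per environment).
EXPECTED_SCHTASKS_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe"}

# Directories where the genuine copies of the impersonated binaries live
# (assumption: default locations on a stock Windows 10 install, lower-cased).
LEGIT_DIRS = {
    "dllhost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "cmd.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "unsecapp.exe": ("c:\\windows\\system32\\wbem", "c:\\windows\\syswow64\\wbem"),
    "searchapp.exe": ("c:\\windows\\systemapps",),
}

WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
EVENTS = [  # constructed from four of the report's twelve schtasks invocations, plus one benign control
    {"parent": WMI, "image": SCHTASKS, "cmdline": r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f'''},
    {"parent": WMI, "image": SCHTASKS, "cmdline": r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe'" /f'''},
    {"parent": WMI, "image": SCHTASKS, "cmdline": r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\unsecapp.exe'" /rl HIGHEST /f'''},
    {"parent": WMI, "image": SCHTASKS, "cmdline": r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f'''},
    # constructed benign control: an admin registering a backup job from a shell
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f'''},
]


def parse_schtasks(cmdline):
    """Extract /tn, /sc, /mo, /tr and /rl from a schtasks /create command line."""
    def opt(pattern):
        m = re.search(pattern, cmdline, re.IGNORECASE)
        return m.group(1) if m else None
    run = opt(r'/tr\s+"([^"]*)"')
    return {
        "name": opt(r'/tn\s+"([^"]*)"'),
        "schedule": (opt(r'/sc\s+(\S+)') or "").upper(),
        "modifier": int(opt(r'/mo\s+(\d+)') or 0),
        "run": run.strip("'") if run else None,  # the report wraps the target path in single quotes
        "highest": bool(re.search(r'/rl\s+HIGHEST', cmdline, re.IGNORECASE)),
    }


def in_legit_dir(run_dir, prefixes):
    return any(run_dir == p or run_dir.startswith(p + "\\") for p in prefixes)


def evaluate(event):
    """Return the list of tags a process-creation event earns (empty = nothing suspicious)."""
    tags = []
    parent = ntpath.basename(event["parent"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if child != "schtasks.exe":
        return tags
    if parent not in EXPECTED_SCHTASKS_PARENTS:
        tags.append(f"unexpected_parent:{parent}")
    if "/create" not in event["cmdline"].lower():
        return tags
    task = parse_schtasks(event["cmdline"])
    if task["run"]:
        run_name = ntpath.basename(task["run"]).lower()
        run_dir = ntpath.dirname(task["run"]).lower()
        legit = LEGIT_DIRS.get(run_name)
        if legit and not in_legit_dir(run_dir, legit):
            tags.append(f"masquerade:{run_name}")  # system binary name, wrong directory
        stem = run_name.rsplit(".", 1)[0]
        name = (task["name"] or "").lower()
        if name != stem and name[:-1] == stem:
            tags.append("name_mimics_binary")  # "dllhostd" for dllhost.exe, "cmdc" for cmd.exe
    if task["schedule"] == "ONLOGON" and task["highest"]:
        tags.append("logon_persistence_highest")
    if task["schedule"] == "MINUTE" and 0 < task["modifier"] <= 15:
        tags.append(f"short_repeat:{task['modifier']}min")  # watchdog-style re-launch
    return tags


def analyze(events):
    """Map each task name to its tags; events that earned no tag are left out."""
    report = {}
    for e in events:
        tags = evaluate(e)
        if tags:
            report[parse_schtasks(e["cmdline"])["name"]] = tags
    return report


if __name__ == "__main__":
    for name, tags in analyze(EVENTS).items():
        print(f"{name}: {', '.join(tags)}")
```

The benign control earns no tag even though it also uses /create and /f, which is the point: none of the individual flags is conclusive on its own, but a task created from WmiPrvSE.exe that points a system-binary name at a user-writable directory should page someone.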
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Default User\SearchApp.exe
  Filesize: 827KB
  MD5: 2b84697f835c36d37b5dc11106d655f5
  SHA1: 1f406d774af24ba55e55fcf03ee5928905fe7123
  SHA256: 148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731
  SHA512: ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934
- C:\Users\Default\SearchApp.exe (same file as above: C:\Users\Default User is a compatibility junction to C:\Users\Default)
  Filesize: 827KB
  MD5: 2b84697f835c36d37b5dc11106d655f5
  SHA1: 1f406d774af24ba55e55fcf03ee5928905fe7123
  SHA256: 148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731
  SHA512: ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934
- C:\providerwindriverHostDll\5O0IdEW060cxJkvUmnX.bat
  Filesize: 40B
  MD5: b7f686a12452b0e946a2b35746aa85d8
  SHA1: 3637b428ac91dd8e93259eb32e9fd8d1f43825f5
  SHA256: 91a97a0a5785891a0c5c68a17625dbd99324eb363f0c13707f9ba9be9417253f
  SHA512: e70765edac455c33ac137ae6b3e67db616fcbbfe82298b5bbd59dc5179126ecc015fe4c18e9a0bd668da826d2cd4d2e3276dab7ed0331db7892795d6221c4ba8
- C:\providerwindriverHostDll\comNet.exe (identical hashes to SearchApp.exe: the same DcRat payload under a third path)
  Filesize: 827KB
  MD5: 2b84697f835c36d37b5dc11106d655f5
  SHA1: 1f406d774af24ba55e55fcf03ee5928905fe7123
  SHA256: 148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731
  SHA512: ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934
- C:\providerwindriverHostDll\eQhltUTnqbyYIJBHh.vbe
  Filesize: 220B
  MD5: 175e0c8fb6f8d79de10516a3c70b8bd4
  SHA1: c46ecb7f245a26cc06f9c227b75cb0e51fa5a922
  SHA256: c2d8a00d704a88597d0d1a31b06965713efbf55a6ec68e567fccd4e0ad236079
  SHA512: d2895a6260801876bac10b885e137bb3a1a62972d55660e45829aeafc76d25baa8af7857eb2a3d7245ee58404699278e24db4fe7e498f465e294b42578c60926

Memory dumps (PID-ordinal-range):
- memory/1892-167-0x000000001B140000-0x000000001B150000-memory.dmp: 64KB (SearchApp.exe)
- memory/1892-168-0x000000001B140000-0x000000001B150000-memory.dmp: 64KB (SearchApp.exe)
- memory/3040-145-0x0000000000610000-0x00000000006E6000-memory.dmp: 856KB (comNet.exe; the region that hit the dcrat YARA rule)
- memory/3040-154-0x000000001B320000-0x000000001B330000-memory.dmp: 64KB (comNet.exe)
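The same 827KB binary appears under three paths in the Downloads table, and both SearchApp.exe paths are one file on disk, so a host-side check should key on hashes rather than paths. As an added example, not part of the report, the following Python hashes a directory tree in chunks and matches each file against the IoC table copied from this section (MD5 and SHA1 are indexed too, for feeds that only carry legacy hashes). The files it hashes in its demo are constructed placeholders and match nothing.

```python
"""Hash a file tree and match it against the IoCs in this report's Downloads table.

Added example, not part of the sandbox report. The IoC table is copied from the
report; the files hashed in demo() are constructed and are not the real payload.
"""
import hashlib
import tempfile
from pathlib import Path

ALGS = ("md5", "sha1", "sha256", "sha512")

# Keyed by SHA256. The report lists the same 827KB binary under three paths
# (comNet.exe, Default\SearchApp.exe, Default User\SearchApp.exe); one entry covers all of them.
IOCS = {
    "d9bed95674d8f25aba2b84067e0691d254c86d686a4ec42dec119a8a2b006c98": {
        "name": "file.exe (submitted dropper)",
        "md5": "06eae25115858e2475c1bab16bae9585",
        "sha1": "657cdc54121fa9baaae7cc944ed935e1eddf4ebc"},
    "148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731": {
        "name": "comNet.exe / SearchApp.exe (DcRat payload)",
        "md5": "2b84697f835c36d37b5dc11106d655f5",
        "sha1": "1f406d774af24ba55e55fcf03ee5928905fe7123"},
    "91a97a0a5785891a0c5c68a17625dbd99324eb363f0c13707f9ba9be9417253f": {
        "name": "5O0IdEW060cxJkvUmnX.bat (launcher)",
        "md5": "b7f686a12452b0e946a2b35746aa85d8",
        "sha1": "3637b428ac91dd8e93259eb32e9fd8d1f43825f5"},
    "c2d8a00d704a88597d0d1a31b06965713efbf55a6ec68e567fccd4e0ad236079": {
        "name": "eQhltUTnqbyYIJBHh.vbe (launcher)",
        "md5": "175e0c8fb6f8d79de10516a3c70b8bd4",
        "sha1": "c46ecb7f245a26cc06f9c227b75cb0e51fa5a922"},
}
# Reverse indexes so a feed that only carries MD5 or SHA1 still matches.
BY_MD5 = {e["md5"]: k for k, e in IOCS.items()}
BY_SHA1 = {e["sha1"]: k for k, e in IOCS.items()}


def digests(data, chunk=1 << 20):
    """All four digests of a bytes object, or of the file at a path, read in 1 MiB chunks."""
    hashers = {alg: hashlib.new(alg) for alg in ALGS}
    if isinstance(data, (bytes, bytearray)):
        for h in hashers.values():
            h.update(data)
    else:
        with open(data, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                for h in hashers.values():
                    h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_digests(d):
    """Return the IoC name matching a digest dict, or None. Any one of the three hashes suffices."""
    if d.get("sha256") in IOCS:
        key = d["sha256"]
    else:
        key = BY_MD5.get(d.get("md5")) or BY_SHA1.get(d.get("sha1"))
    return IOCS[key]["name"] if key else None


def match(data):
    """Hash bytes or a file path and look the result up in the IoC table."""
    return match_digests(digests(data))


def scan_tree(root):
    """Walk a directory and return {path: ioc_name} for every file that matches."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            name = match(str(p))
            if name:
                hits[str(p)] = name
    return hits


def demo():
    """Constructed files only: nothing here matches, so the scan must come back empty."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "SearchApp.exe").write_bytes(b"constructed placeholder, not the real payload")
        Path(d, "notes.txt").write_bytes(b"")
        return scan_tree(d)


if __name__ == "__main__":
    print(demo())
```

On a live host, point scan_tree at C:\providerwindriverHostDll, C:\Users\Default, C:\Program Files (x86)\Windows Media Player\Network Sharing, C:\Windows\PLA\Templates and C:\Recovery\WindowsRE, the locations the report's drops and scheduled tasks name; a rebuilt or repacked payload will not match these hashes, so treat a miss as "not this exact build", not as clean.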