Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231201-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2023, 05:55
Behavioral task behavioral1
- Sample: 44e2a2a697477c436112954794761cc0.exe
- Resource: win7-20231130-en
Behavioral task behavioral2
- Sample: 44e2a2a697477c436112954794761cc0.exe
- Resource: win10v2004-20231201-en
General
- Target: 44e2a2a697477c436112954794761cc0.exe
- Size: 1.1MB
- MD5: 44e2a2a697477c436112954794761cc0
- SHA1: 87195428fd9e65ea14889e4853dc44f391088963
- SHA256: 90f403c6304240465460ace49b8db9d46c7d28bc36fd49b89f4722ee497bd2dd
- SHA512: c2040c04ec3d743941c2ba059f572f07d5df2a043c5302b3cf6e13d74610025457be22c3b8d9a1943873b99ac72e5972830a5c17becc52fdc19582e0d58911c4
- SSDEEP: 24576:U2G/nvxW3Ww0titP01wNiMXBlVJX3NSdGKJg6U8HC:UbA30KP0XMXHX38dPDi
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  resource | yara_rule
  behavioral2/files/0x00080000000231d9-10.dat | dcrat
  behavioral2/files/0x00080000000231d9-11.dat | dcrat
  behavioral2/memory/3860-12-0x0000000000A60000-0x0000000000B36000-memory.dmp | dcrat
  behavioral2/files/0x00090000000231f9-17.dat | dcrat
  behavioral2/files/0x00080000000231f1-31.dat | dcrat
  behavioral2/files/0x00080000000231f1-32.dat | dcrat
- Process spawned unexpected child process (12 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1148 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4680 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4600 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1120 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3980 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1644 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2836 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4560 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3864 | 1492 | schtasks.exe | 97
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3924 | 1492 | schtasks.exe | 97
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | 44e2a2a697477c436112954794761cc0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | intoperf.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3860 | intoperf.exe
  3580 | wininit.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Microsoft Office\Updates\Download\5940a34987c991 | intoperf.exe
  File created | C:\Program Files\Windows Multimedia Platform\wininit.exe | intoperf.exe
  File opened for modification | C:\Program Files\Windows Multimedia Platform\wininit.exe | intoperf.exe
  File created | C:\Program Files\Windows Multimedia Platform\56085415360792 | intoperf.exe
  File created | C:\Program Files\Microsoft Office\Updates\Download\dllhost.exe | intoperf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 12 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2548 | schtasks.exe
  4600 | schtasks.exe
  1644 | schtasks.exe
  3924 | schtasks.exe
  1148 | schtasks.exe
  4680 | schtasks.exe
  1120 | schtasks.exe
  3980 | schtasks.exe
  2404 | schtasks.exe
  2836 | schtasks.exe
  4560 | schtasks.exe
  3864 | schtasks.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000_Classes\Local Settings | 44e2a2a697477c436112954794761cc0.exe
  Key created | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000_Classes\Local Settings | intoperf.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  3860 | intoperf.exe
  3580 | wininit.exe
  3580 | wininit.exe
  3580 | wininit.exe
  3580 | wininit.exe
  3580 | wininit.exe
  3580 | wininit.exe
  3580 | wininit.exe
  3580 | wininit.exe
  3580 | wininit.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3580 | wininit.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3860 | intoperf.exe
  Token: SeDebugPrivilege | 3580 | wininit.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3856 wrote to memory of 1360 | 3856 | 44e2a2a697477c436112954794761cc0.exe | 88
  PID 3856 wrote to memory of 1360 | 3856 | 44e2a2a697477c436112954794761cc0.exe | 88
  PID 3856 wrote to memory of 1360 | 3856 | 44e2a2a697477c436112954794761cc0.exe | 88
  PID 1360 wrote to memory of 3116 | 1360 | WScript.exe | 94
  PID 1360 wrote to memory of 3116 | 1360 | WScript.exe | 94
  PID 1360 wrote to memory of 3116 | 1360 | WScript.exe | 94
  PID 3116 wrote to memory of 3860 | 3116 | cmd.exe | 96
  PID 3116 wrote to memory of 3860 | 3116 | cmd.exe | 96
  PID 3860 wrote to memory of 3816 | 3860 | intoperf.exe | 110
  PID 3860 wrote to memory of 3816 | 3860 | intoperf.exe | 110
  PID 3816 wrote to memory of 3692 | 3816 | cmd.exe | 112
  PID 3816 wrote to memory of 3692 | 3816 | cmd.exe | 112
  PID 3816 wrote to memory of 3580 | 3816 | cmd.exe | 113
  PID 3816 wrote to memory of 3580 | 3816 | cmd.exe | 113
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\44e2a2a697477c436112954794761cc0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\44e2a2a697477c436112954794761cc0.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3856
  [depth 2] C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\bridgewin\j1qIwrxR5PWhzH3rYbChGhv1rfV.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1360
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\bridgewin\aVtauS9Ns.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 3116
      [depth 4] C:\bridgewin\intoperf.exe
        command line: "C:\bridgewin\intoperf.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3860
        [depth 5] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMYZ5DmT2.bat"
          - Suspicious use of WriteProcessMemory
          PID: 3816
          [depth 6] C:\Windows\system32\w32tm.exe
            command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 3692
          [depth 6] C:\Program Files\Windows Multimedia Platform\wininit.exe
            command line: "C:\Program Files\Windows Multimedia Platform\wininit.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID: 3580

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1148

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2548

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4680

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4600

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1120

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3980

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1644

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2404

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2836

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Updates\Download\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4560

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3864

[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Updates\Download\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3924
Network
MITRE ATT&CK Enterprise v15
Downloads