Analysis
max time kernel: 137s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/03/2024, 13:38

Behavioral task behavioral1
  Sample: 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
  Resource: win10v2004-20240226-en
General
Target: 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
Size: 1.7MB
MD5: 1cf1c8a6b74890f6d1913bf3b9e46a79
SHA1: 3baa803148359d5ecd3afac11352e8ecab90ceee
SHA256: 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
SHA512: 6903889c69d4b6c13c768592abff2aa20b3f8c689381d4814f27c4647023bcfdbd20e99d98913e1d8ec19751d2eb1dbc5a8ca3e0a48be3acdcbd9a644ea5cc70
SSDEEP: 24576:J2G/nvxW3WAAJElP9nCWgiFzoJNkvnw28BAc1eThSQFdO5q+4OvqLqzvXrJhtZ:JbA3Qa4h527ceSQFdOo+HqLqHfP
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Process spawned unexpected child process (30 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Columns: description, pid, pid_target, Process, procid_target. Every one of the 30 rows has description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 3972, Process schtasks.exe and procid_target 100; the pid column, in order, is:
4640, 5776, 5780, 5504, 5072, 2328, 5612, 3780, 1400, 2868, 2304, 5524, 5576, 5564, 6136, 996, 760, 5748, 3940, 3956, 5876, 2864, 5880, 2012, 4584, 2352, 4516, 1404, 4896, 5656

YARA matches (columns: resource, yara_rule)
  behavioral2/files/0x00070000000231e2-9.dat | dcrat
  behavioral2/memory/3376-12-0x00000000005A0000-0x0000000000722000-memory.dmp | dcrat
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Columns: description, ioc, Process
  Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | hostnet.exe

Executes dropped EXE (2 IoCs)
Columns: pid, Process
  3376 | hostnet.exe
  6096 | WaaSMedicAgent.exe

Drops file in Program Files directory (7 IoCs)
Columns: description, ioc, Process
  File created | C:\Program Files\Java\jre-1.8\bin\plugin2\cc11b995f2a76d | hostnet.exe
  File created | C:\Program Files (x86)\Common Files\System\en-US\backgroundTaskHost.exe | hostnet.exe
  File created | C:\Program Files (x86)\Common Files\System\en-US\eddb19405b7ce1 | hostnet.exe
  File created | C:\Program Files\Internet Explorer\en-US\unsecapp.exe | hostnet.exe
  File opened for modification | C:\Program Files\Internet Explorer\en-US\unsecapp.exe | hostnet.exe
  File created | C:\Program Files\Internet Explorer\en-US\29c1c3cc0f7685 | hostnet.exe
  File created | C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe | hostnet.exe

Drops file in Windows directory (3 IoCs)
Columns: description, ioc, Process
  File created | C:\Windows\CSC\StartMenuExperienceHost.exe | hostnet.exe
  File created | C:\Windows\Cursors\SearchApp.exe | hostnet.exe
  File created | C:\Windows\Cursors\38384e6a620884 | hostnet.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 30 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Columns: pid, Process. All 30 rows have Process schtasks.exe; the pid column, in order, is:
5504, 2012, 2352, 4640, 5776, 3780, 5524, 5876, 4516, 5656, 5072, 5880, 5748, 5780, 2328, 5612, 2868, 2304, 1400, 996, 3940, 4584, 5576, 1404, 4896, 5564, 6136, 760, 3956, 2864
Modifies registry class (2 IoCs)
Columns: description, ioc, Process
  Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
  Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | hostnet.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Columns: pid, Process
  3376 | hostnet.exe (4 rows)
  6096 | WaaSMedicAgent.exe (2 rows)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Columns: description, pid, Process
  Token: SeDebugPrivilege | 3376 | hostnet.exe
  Token: SeDebugPrivilege | 6096 | WaaSMedicAgent.exe
  Token: SeManageVolumePrivilege | 3944 | svchost.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Columns: description, pid, Process, procid_target
  PID 1080 wrote to memory of 3764 | 1080 | 1cf1c8a6b74890f6d1913bf3b9e46a79.exe | 91 (3 rows)
  PID 3764 wrote to memory of 5588 | 3764 | WScript.exe | 105 (3 rows)
  PID 5588 wrote to memory of 3376 | 5588 | cmd.exe | 107 (2 rows)
  PID 3376 wrote to memory of 3944 | 3376 | hostnet.exe | 138 (2 rows)
  PID 3944 wrote to memory of 4780 | 3944 | cmd.exe | 140 (2 rows)
  PID 3944 wrote to memory of 6096 | 3944 | cmd.exe | 141 (2 rows)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe (PID 1080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 3764)
    Command line: "C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 5588)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "
      - Suspicious use of WriteProcessMemory
      C:\BlockSurrogateagentFont\hostnet.exe (PID 3376)
        Command line: "C:\BlockSurrogateagentFont\hostnet.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe (PID 3944)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pki5XcHhHF.bat"
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\w32tm.exe (PID 4780)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          C:\Recovery\WindowsRE\WaaSMedicAgent.exe (PID 6096)
            Command line: "C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe (PID 4640)
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5776)
  Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5780)
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5504)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5072)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2328)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5612)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3780)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1400)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2868)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2304)
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5524)
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5576)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5564)
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 6136)
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 996)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 760)
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5748)
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3940)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\en-US\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 3956)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5876)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2864)
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5880)
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2012)
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4584)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\odt\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2352)
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4516)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1404)
  Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 4896)
  Command line: schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 5656)
  Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\rundll32.exe (PID 2056)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe (PID 3944)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Downloads