Analysis
max time kernel: 145s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2024, 02:41
Behavioral task: behavioral1
Sample: dd0a4243de09c5864297da95ddc1362c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: dd0a4243de09c5864297da95ddc1362c.exe
Resource: win10v2004-20240319-en
General
Target: dd0a4243de09c5864297da95ddc1362c.exe
Size: 1.6MB
MD5: dd0a4243de09c5864297da95ddc1362c
SHA1: e91545cf645d3987e44d657bd37b79a2cd7515d4
SHA256: 23a9505d97a5c7c3ac76901f21e72ca79d0aa56393c3e9e13f30f5286431f1cc
SHA512: b0ae4c48264051823bd74167c42e4071d189394b77b664f333c872f8ff8d20dddf26b2dc64efb013bf735d5accac2e38f340079c23c53196709eed9765123901
SSDEEP: 24576:i2G/nvxW3WyZRE4c3f7LcJVCsjTcgucZDlx7HZHb40W00l6g+4V:ibA3NELx+0lGe
Malware Config
Signatures
DcRat 7 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
 |  | 3484 | schtasks.exe
 |  | 3420 | schtasks.exe
 |  | 3160 | schtasks.exe
 |  | 3144 | schtasks.exe
 |  | 4492 | schtasks.exe
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation |  | dd0a4243de09c5864297da95ddc1362c.exe
 |  | 2112 | schtasks.exe
resource | yara_rule
behavioral2/files/0x0008000000023373-10.dat | dcrat
behavioral2/memory/4228-12-0x0000000000E70000-0x0000000000FBE000-memory.dmp | dcrat

Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4492 | 3924 | schtasks.exe | 101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2112 | 3924 | schtasks.exe | 101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3484 | 3924 | schtasks.exe | 101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3420 | 3924 | schtasks.exe | 101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3160 | 3924 | schtasks.exe | 101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3144 | 3924 | schtasks.exe | 101
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | MonitornetdhcpcommonRefhostDll.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | MonitornetdhcpcommonRefhostDll.exe
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | dd0a4243de09c5864297da95ddc1362c.exe
Executes dropped EXE 2 IoCs
pid | Process
4228 | MonitornetdhcpcommonRefhostDll.exe
4420 | MonitornetdhcpcommonRefhostDll.exe
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MonitornetdhcpcommonRefhostDll = "\"C:\\Monitornetdhcpcommon\\UMkN4Z1\\MonitornetdhcpcommonRefhostDll.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources\\StartMenuExperienceHost.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhostw.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\msedge.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\polstore\\fontdrvhost.exe\"" | MonitornetdhcpcommonRefhostDll.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\polstore\fontdrvhost.exe | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\System32\polstore\5b884080fd4f94e2695da25c503f9e33b9605b83 | MonitornetdhcpcommonRefhostDll.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\WindowsPowerShell\Modules\msedge.exe | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Program Files\WindowsPowerShell\Modules\61a52ddc9dd915470897a065f14eeedfa88f98fd | MonitornetdhcpcommonRefhostDll.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\BitLockerDiscoveryVolumeContents\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | MonitornetdhcpcommonRefhostDll.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\taskhostw.exe | MonitornetdhcpcommonRefhostDll.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2112 | schtasks.exe
3484 | schtasks.exe
3420 | schtasks.exe
3160 | schtasks.exe
3144 | schtasks.exe
4492 | schtasks.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | dd0a4243de09c5864297da95ddc1362c.exe
Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | MonitornetdhcpcommonRefhostDll.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4228 | MonitornetdhcpcommonRefhostDll.exe
4228 | MonitornetdhcpcommonRefhostDll.exe
4420 | MonitornetdhcpcommonRefhostDll.exe
4420 | MonitornetdhcpcommonRefhostDll.exe
4420 | MonitornetdhcpcommonRefhostDll.exe
4420 | MonitornetdhcpcommonRefhostDll.exe
4420 | MonitornetdhcpcommonRefhostDll.exe
4420 | MonitornetdhcpcommonRefhostDll.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4228 | MonitornetdhcpcommonRefhostDll.exe
Token: SeDebugPrivilege | 4420 | MonitornetdhcpcommonRefhostDll.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 1444 wrote to memory of 1972 | 1444 | dd0a4243de09c5864297da95ddc1362c.exe | 97
PID 1444 wrote to memory of 1972 | 1444 | dd0a4243de09c5864297da95ddc1362c.exe | 97
PID 1444 wrote to memory of 1972 | 1444 | dd0a4243de09c5864297da95ddc1362c.exe | 97
PID 1972 wrote to memory of 1496 | 1972 | WScript.exe | 98
PID 1972 wrote to memory of 1496 | 1972 | WScript.exe | 98
PID 1972 wrote to memory of 1496 | 1972 | WScript.exe | 98
PID 1496 wrote to memory of 4228 | 1496 | cmd.exe | 100
PID 1496 wrote to memory of 4228 | 1496 | cmd.exe | 100
PID 4228 wrote to memory of 2748 | 4228 | MonitornetdhcpcommonRefhostDll.exe | 108
PID 4228 wrote to memory of 2748 | 4228 | MonitornetdhcpcommonRefhostDll.exe | 108
PID 2748 wrote to memory of 4900 | 2748 | cmd.exe | 110
PID 2748 wrote to memory of 4900 | 2748 | cmd.exe | 110
PID 2748 wrote to memory of 4332 | 2748 | cmd.exe | 111
PID 2748 wrote to memory of 4332 | 2748 | cmd.exe | 111
PID 2748 wrote to memory of 4420 | 2748 | cmd.exe | 112
PID 2748 wrote to memory of 4420 | 2748 | cmd.exe | 112
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe"
  PID: 1444
  - DcRat
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Monitornetdhcpcommon\qTMy7tKgcv8HK3o1cT.vbe"
    PID: 1972
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Monitornetdhcpcommon\UMkN4Z1.bat" "
      PID: 1496
      - Suspicious use of WriteProcessMemory

      C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe
        command line: "C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe"
        PID: 4228
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2CqMyoSWPb.bat"
          PID: 2748
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\chcp.com
            command line: chcp 65001
            PID: 4900

          C:\Windows\system32\w32tm.exe
            command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 4332

          C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe
            command line: "C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe"
            PID: 4420
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  PID: 4492
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\msedge.exe'" /rl HIGHEST /f
  PID: 2112
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\polstore\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 3484
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "MonitornetdhcpcommonRefhostDll" /sc ONLOGON /tr "'C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe'" /rl HIGHEST /f
  PID: 3420
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  PID: 3160
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhostw.exe'" /rl HIGHEST /f
  PID: 3144
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2232,i,3915538061666887171,15629965885515244134,262144 --variations-seed-version /prefetch:8
  PID: 4956
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
MD5: 5403717e99762e8c0e9cc5e97c74473c
SHA1: 3405db3bab54365efb29172f061dc461a43f9da3
SHA256: c282d6ab229dbc8f26ebe56d64db0c5ac2721a8d0d3d3f915563d125cccbbb4b
SHA512: 334b4da3b0a8c92d1f10ddaae473379a0ed966e699d45aa57240c37464f3f30488375376d447f0e6ab621fa92337a79f95ca387dbb72e337565f0a9eda0400a3

Filesize: 60B
MD5: 48a60762b79ad9f6a6243ac662713ce2
SHA1: b0adb833ec22168c21022ff4a9da743d2803dace
SHA256: 7125fce7974bcb82ed25158d6df05502444032b5ee3dbd632b9688ea0aa3d4c4
SHA512: f26f35f69fd8fe4c83cad1e06cb5e0451654f6890242f4781a83d74c79d36116dd802e71f2914664d2858ac43a08ecec2fcabdd29093b8f40e03b79f30059cb3

Filesize: 204B
MD5: bf3d7f76563cab7463d7af23eae9806d
SHA1: c5bf0526d8815d1223a1fd7919872ab22fb0d86c
SHA256: 90d824616f4cfb00b38f8787620d092ece7fec348c788d4cafd4a37e30abe194
SHA512: 7020295c2f35b05297f432b387ae50fb884ba7eb856f333cf5dc16c2d779b11a1a64bdf7c4abdc974666e6225dc7824e6e45c6bc258519a0a5baaf95619ac430

Filesize: 1KB
MD5: b7c0c43fc7804baaa7dc87152cdc9554
SHA1: 1bab62bd56af745678d4e967d91e1ccfdeed4038
SHA256: 46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457
SHA512: 9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Filesize: 282B
MD5: 1e56262fdece41c68476bcc2a877d541
SHA1: 9e6d4b8f328212ce0ed18b7371115e79849b10d7
SHA256: 7379e79f3e4d049a6e48965ae153758e9928cfa6d9eaf27c7ee15a09b5b2fe74
SHA512: b0b43aaf0a8d7e8cca3a88a6f7ce6a84995ea75994215e18a4d7ebeddde737453033c7f04a7be9b0894c04a8633ddec75dd29f5e27de9062017f93e2d5fc59b7