Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25/03/2024, 02:12
Behavioral task
behavioral1
Sample
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
Resource
win10v2004-20240226-en
General
-
Target
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
-
Size
1.7MB
-
MD5
1cf1c8a6b74890f6d1913bf3b9e46a79
-
SHA1
3baa803148359d5ecd3afac11352e8ecab90ceee
-
SHA256
6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
-
SHA512
6903889c69d4b6c13c768592abff2aa20b3f8c689381d4814f27c4647023bcfdbd20e99d98913e1d8ec19751d2eb1dbc5a8ca3e0a48be3acdcbd9a644ea5cc70
-
SSDEEP
24576:J2G/nvxW3WAAJElP9nCWgiFzoJNkvnw28BAc1eThSQFdO5q+4OvqLqzvXrJhtZ:JbA3Qa4h527ceSQFdOo+HqLqHfP
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4940 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5000 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3068 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1108 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1560 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1688 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3408 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 4488 schtasks.exe 95 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3792 4488 schtasks.exe 95 -
resource yara_rule behavioral2/files/0x0007000000023201-10.dat dcrat behavioral2/memory/748-12-0x0000000000CE0000-0x0000000000E62000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation hostnet.exe -
Executes dropped EXE 2 IoCs
pid Process 748 hostnet.exe 2596 RuntimeBroker.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe hostnet.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\0a1fd5f707cd16 hostnet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4940 schtasks.exe 3068 schtasks.exe 1472 schtasks.exe 1560 schtasks.exe 2792 schtasks.exe 3792 schtasks.exe 2024 schtasks.exe 4512 schtasks.exe 5000 schtasks.exe 1108 schtasks.exe 1688 schtasks.exe 3408 schtasks.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings hostnet.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 748 hostnet.exe 748 hostnet.exe 748 hostnet.exe 748 hostnet.exe 748 hostnet.exe 748 hostnet.exe 2596 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 748 hostnet.exe Token: SeDebugPrivilege 2596 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1000 wrote to memory of 1776 1000 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe 90 PID 1000 wrote to memory of 1776 1000 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe 90 PID 1000 wrote to memory of 1776 1000 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe 90 PID 1776 wrote to memory of 2012 1776 WScript.exe 98 PID 1776 wrote to memory of 2012 1776 WScript.exe 98 PID 1776 wrote to memory of 2012 1776 WScript.exe 98 PID 2012 wrote to memory of 748 2012 cmd.exe 100 PID 2012 wrote to memory of 748 2012 cmd.exe 100 PID 748 wrote to memory of 952 748 hostnet.exe 114 PID 748 wrote to memory of 952 748 hostnet.exe 114 PID 952 wrote to memory of 4700 952 cmd.exe 116 PID 952 wrote to memory of 4700 952 cmd.exe 116 PID 952 wrote to memory of 2596 952 cmd.exe 117 PID 952 wrote to memory of 2596 952 cmd.exe 117 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\BlockSurrogateagentFont\hostnet.exe"C:\BlockSurrogateagentFont\hostnet.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y05nXIVCAi.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:4700
-
-
C:\BlockSurrogateagentFont\RuntimeBroker.exe"C:\BlockSurrogateagentFont\RuntimeBroker.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\BlockSurrogateagentFont\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\BlockSurrogateagentFont\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\DeviceSync\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\DeviceSync\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\DeviceSync\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223B
MD5277c7ccc3313d83f51d594cba0ae300d
SHA148531a959a24846841b8fda471c5fea259f2ca38
SHA256175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac
-
Filesize
1.5MB
MD553827648303c620a8fa81a2998ae5ae5
SHA18aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d
-
Filesize
40B
MD515611ce0ff6e3e772e3a8b7ac6cf4653
SHA175bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA5121151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71
-
Filesize
209B
MD52417f4df9c111291240f0f565b0a2051
SHA178daf7252bd731c6d7e7d0bd1a930b8f82d64d6a
SHA2561d53031193abc462fa9141a906577ef7040d5f73d1cda7b94d9200d6e50fa2dd
SHA512e3293a6e12468c4b83b2b3ce91fc3fe7ba428f3744f69a5c1824f75a7e95931cdf978c60ebaed7b495cc5a41dfbd08ae08250694f3fd912faded341f46821574