Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2024, 04:31

General

  • Target

    131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe

  • Size

    1.2MB

  • MD5

    d7a0ca18ae95c63d25af6782b7bd6b8d

  • SHA1

    86450a088d627ab64129c4dc34a824da3ee4b561

  • SHA256

    131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3

  • SHA512

    9714dcca024cd2780fb28ad9b12280e6ad4b0aca3b6650e0137c80c4b2b29db68add4b5085fa2ddf49e780a470b936b3bb74282eb3c4246661f6bd60a7688274

  • SSDEEP

    24576:U2G/nvxW3Ww0txzb2+Jh6UN0AbIkKlAgHJOsiCWzD6z+47:UbA30B5rbNlILj1hCc

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
    "C:\Users\Admin\AppData\Local\Temp\131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\winsessionperfcrtdhcp\H4eizCYuNaDysMfGy8i9P9o.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\winsessionperfcrtdhcp\USu4u0OJi5iSZO.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\winsessionperfcrtdhcp\winsessionperfcrtdhcpFontmonitornet.exe
          "C:\winsessionperfcrtdhcp\winsessionperfcrtdhcpFontmonitornet.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3728
          • C:\Documents and Settings\dllhost.exe
            "C:\Documents and Settings\dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\Phoneutil\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\globinputhost\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\winlogon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\comuid\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\winsessionperfcrtdhcp\H4eizCYuNaDysMfGy8i9P9o.vbe

          Filesize

          212B

          MD5

          7b821ef7118b960e5707288a81e136cc

          SHA1

          6251f2f8d2cf3a107b26a53b09feae748bfb8088

          SHA256

          a6bbcf93787d3e116fe20798611f286a07f95388bf4fe0695af6a55a0d1f3d4d

          SHA512

          892d97be3dff4a2e2596becdcf65114a29f2ae6536c187587addfe5017d35ef73148106df0f5c37536ca530e146a081d9a33a68eea54ecbb037fb6b951bc38de

        • C:\winsessionperfcrtdhcp\USu4u0OJi5iSZO.bat

          Filesize

          66B

          MD5

          0286dfaabb2eaca6be6162d5872aaeba

          SHA1

          75ab5fa416ec4e9e3df83f28cc67e71c593cfda4

          SHA256

          a07930110496f899d363e0120709c95eca5fdd7ce127e51457647a9eec103622

          SHA512

          6b5999896ca5d3c2d38054769ba76402d6e53406a5bed281dd17fa5d3db0c7dcc711acc997bf7f9e602643a896da4de5cd0c59d393bbea82a3e03474ecfbbb6f

        • C:\winsessionperfcrtdhcp\winsessionperfcrtdhcpFontmonitornet.exe

          Filesize

          910KB

          MD5

          13ba0d9074cdbfeae9f78242af80afb6

          SHA1

          ec312cbd990aa9b5dd03d7bd73ffbe79d7ddc27c

          SHA256

          a57b942025856c8ba21f897830a67cd4d3e317587f0bb6a7fce37f53d9e9d026

          SHA512

          03e00bb2dbd43249489fe0a32a9277134eb026b1322bee5a208718e05ba9a4077ad4e02075c1e12cf6e3d941329a1203a3210ea932ea86b8855d01867dfe37c9

        • memory/2272-45-0x000000001BB10000-0x000000001BB20000-memory.dmp

          Filesize

          64KB

        • memory/2272-44-0x00007FF871BE0000-0x00007FF8726A1000-memory.dmp

          Filesize

          10.8MB

        • memory/2272-47-0x00007FF871BE0000-0x00007FF8726A1000-memory.dmp

          Filesize

          10.8MB

        • memory/3728-12-0x0000000000DA0000-0x0000000000E8A000-memory.dmp

          Filesize

          936KB

        • memory/3728-13-0x00007FF871BE0000-0x00007FF8726A1000-memory.dmp

          Filesize

          10.8MB

        • memory/3728-14-0x0000000002F80000-0x0000000002F90000-memory.dmp

          Filesize

          64KB

        • memory/3728-43-0x00007FF871BE0000-0x00007FF8726A1000-memory.dmp

          Filesize

          10.8MB