Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2024, 04:31

Behavioral task behavioral1
  Sample: 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
  Resource: win7-20240221-en

Behavioral task behavioral2
  Sample: 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
  Resource: win10v2004-20240226-en

The signatures, IoCs and process tree on this page come from behavioral2 (the Windows 10 2004 x64 run): the platform and resource fields above say win10v2004, and the yara hits are recorded under behavioral2/. The win7 run (behavioral1) is not shown here.
General
Target: 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
Size: 1.2MB
MD5: d7a0ca18ae95c63d25af6782b7bd6b8d
SHA1: 86450a088d627ab64129c4dc34a824da3ee4b561
SHA256: 131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3
SHA512: 9714dcca024cd2780fb28ad9b12280e6ad4b0aca3b6650e0137c80c4b2b29db68add4b5085fa2ddf49e780a470b936b3bb74282eb3c4246661f6bd60a7688274
SSDEEP: 24576:U2G/nvxW3Ww0txzb2+Jh6UN0AbIkKlAgHJOsiCWzD6z+47:UbA30B5rbNlILj1hCc
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
All eight entries share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process" (pid_target 2912, the wmiprvse.exe instance). Here the unexpected parent is the WMI provider host rather than an exploited application or macro host: the flagged children are the schtasks.exe invocations listed in the process tree.
pid   Process       procid_target
4732  schtasks.exe  97
4764  schtasks.exe  97
3424  schtasks.exe  97
3788  schtasks.exe  97
1392  schtasks.exe  97
2448  schtasks.exe  97
3808  schtasks.exe  97
1984  schtasks.exe  97
resource                                                                      yara_rule
behavioral2/files/0x000a0000000231ac-11.dat                                   dcrat
behavioral2/memory/3728-12-0x0000000000DA0000-0x0000000000E8A000-memory.dmp   dcrat
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                Process
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  winsessionperfcrtdhcpFontmonitornet.exe
Executes dropped EXE 2 IoCs
pid   Process
3728  winsessionperfcrtdhcpFontmonitornet.exe
2272  dllhost.exe
Adds Run key to start application 2 TTPs 7 IoCs
All seven values are set (str) by winsessionperfcrtdhcpFontmonitornet.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
dllhost        = "\"C:\\Windows\\System32\\Phoneutil\\dllhost.exe\""
dllhost        = "\"C:\\Windows\\System32\\globinputhost\\dllhost.exe\""
dllhost        = "\"C:\\Users\\All Users\\Package Cache\\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\\dllhost.exe\""
dllhost        = "\"C:\\Windows\\System32\\winlogon\\dllhost.exe\""
dllhost        = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""
RuntimeBroker  = "\"C:\\Windows\\System32\\comuid\\RuntimeBroker.exe\""
dllhost        = "\"C:\\Documents and Settings\\dllhost.exe\""
Only two value names are used (dllhost and RuntimeBroker), so each write to "dllhost" overwrites the previous one; on the infected host the surviving Run entry points at whichever copy was written last, and the other dropped copies are reached only through the scheduled tasks. None of these paths is where the genuine dllhost.exe (C:\Windows\System32\dllhost.exe) or RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe) lives; the names are chosen to blend into process listings.
Drops file in System32 directory 8 IoCs
All eight files are created by winsessionperfcrtdhcpFontmonitornet.exe:
C:\Windows\System32\winlogon\dllhost.exe
C:\Windows\System32\winlogon\5940a34987c99120d96dace90a3f93f329dcad63
C:\Windows\System32\comuid\RuntimeBroker.exe
C:\Windows\System32\comuid\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d
C:\Windows\System32\Phoneutil\dllhost.exe
C:\Windows\System32\Phoneutil\5940a34987c99120d96dace90a3f93f329dcad63
C:\Windows\System32\globinputhost\dllhost.exe
C:\Windows\System32\globinputhost\5940a34987c99120d96dace90a3f93f329dcad63
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4764  schtasks.exe
3424  schtasks.exe
3788  schtasks.exe
1392  schtasks.exe
2448  schtasks.exe
3808  schtasks.exe
1984  schtasks.exe
4732  schtasks.exe
Modifies registry class 1 IoCs
description  ioc                                                                           Process
Key created  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings  131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid   Process
3728  winsessionperfcrtdhcpFontmonitornet.exe  (9 entries)
2272  dllhost.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  3728  winsessionperfcrtdhcpFontmonitornet.exe
Token: SeDebugPrivilege  2272  dllhost.exe
Suspicious use of WriteProcessMemory 10 IoCs
description                       pid   Process                                                                procid_target
PID 4916 wrote to memory of 2164  4916  131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe  89   (3 entries)
PID 2164 wrote to memory of 1088  2164  WScript.exe                                                            94   (3 entries)
PID 1088 wrote to memory of 3728  1088  cmd.exe                                                                96   (2 entries)
PID 3728 wrote to memory of 2272  3728  winsessionperfcrtdhcpFontmonitornet.exe                                107  (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\131604f5f6612d1f2973e76bedcdd7f1d78deda8c4465eb28f4dfda1051a3fa3.exe"
    PID: 4916
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\winsessionperfcrtdhcp\H4eizCYuNaDysMfGy8i9P9o.vbe"
        PID: 2164
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\winsessionperfcrtdhcp\USu4u0OJi5iSZO.bat" "
            PID: 1088
            - Suspicious use of WriteProcessMemory

            [4] C:\winsessionperfcrtdhcp\winsessionperfcrtdhcpFontmonitornet.exe
                Command line: "C:\winsessionperfcrtdhcp\winsessionperfcrtdhcpFontmonitornet.exe"
                PID: 3728
                - Checks computer location settings
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Documents and Settings\dllhost.exe
                    Command line: "C:\Documents and Settings\dllhost.exe"
                    PID: 2272
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

The WScript.exe and cmd.exe image paths are under SysWOW64 while their command lines name System32: the dropper is a 32-bit (x86) process, so its child launches are subject to WoW64 file-system redirection. The chain is dropper -> .vbe script -> .bat -> winsessionperfcrtdhcpFontmonitornet.exe (the DcRat payload, matched by the yara rule in memory at pid 3728) -> a copy of it renamed dllhost.exe.

The eight schtasks.exe instances below appear as separate depth-1 roots because their recorded parent is wmiprvse.exe (pid 2912) rather than any process in the chain above; a schtasks.exe child of the WMI provider host is consistent with process creation through WMI (Win32_Process.Create). Each one registers an ONLOGON task at the highest run level (/rl HIGHEST) pointing at one of the dropped copies, and /f forces overwrite of an existing task of the same name, so the seven tasks named "dllhost" collapse to a single task whose action is whichever path was registered last. Note that C:\Documents and Settings\dllhost.exe is registered twice (pids 4732 and 3788).

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
    PID: 4732
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\Phoneutil\dllhost.exe'" /rl HIGHEST /f
    PID: 4764
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\globinputhost\dllhost.exe'" /rl HIGHEST /f
    PID: 3424
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
    PID: 3788
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\dllhost.exe'" /rl HIGHEST /f
    PID: 1392
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\winlogon\dllhost.exe'" /rl HIGHEST /f
    PID: 2448
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    PID: 3808
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\comuid\RuntimeBroker.exe'" /rl HIGHEST /f
    PID: 1984
    - Process spawned unexpected child process
    - Creates scheduled task(s)
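The persistence pattern recorded in this report (wmiprvse.exe parenting schtasks.exe, ONLOGON tasks requested at /rl HIGHEST, and Run values and task actions pointing at copies of dllhost.exe and RuntimeBroker.exe outside their real directories) maps onto three simple detection rules. The following is an added example written for this page, not output of the sandbox and not code from the malware; it runs over a few constructed process-creation and registry events modelled on the IoCs above, and it assumes an allow-list of legitimate locations for those two binary names (C:\Windows\System32, plus C:\Windows\SysWOW64 for dllhost.exe). The event field names are this example's own, not a particular log format.

```python
"""Detect the persistence pattern from this report over constructed events.

Three checks, each taken from a signature on the page:
  1. schtasks.exe whose parent is wmiprvse.exe (unexpected parent/child pair)
  2. schtasks /create whose /tr target is a system binary name outside its real
     directory, and tasks requested as ONLOGON at /rl HIGHEST
  3. HKLM Run values that point at such a masquerading binary
"""
import re
from dataclasses import dataclass

# Assumed allow-list (example data, not from the report): where these system
# binary names legitimately live on a stock Windows 10 install.
EXPECTED_LOCATIONS = {
    "dllhost.exe": {r"c:\windows\system32\dllhost.exe", r"c:\windows\syswow64\dllhost.exe"},
    "runtimebroker.exe": {r"c:\windows\system32\runtimebroker.exe"},
}

# Parent/child pair the report flags eight times.
UNEXPECTED_PARENTS = {("wmiprvse.exe", "schtasks.exe")}

RUN_KEY = r"\registry\machine\software\microsoft\windows\currentversion\run"

# schtasks options of interest: /tn <name>, /sc <schedule>, /tr <command>, /rl <level>.
# The value is either a double-quoted string (may contain spaces) or one bare token.
_OPT = re.compile(r'/(tn|sc|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def strip_quotes(value: str) -> str:
    # The report's /tr values are wrapped twice, as "'C:\path\x.exe'": peel both layers.
    return value.strip().strip('"').strip("'").strip()


def parse_schtasks(cmdline: str) -> dict:
    """Return {'tn': ..., 'sc': ..., 'tr': ..., 'rl': ...} for the options present."""
    return {opt.lower(): strip_quotes(val) for opt, val in _OPT.findall(cmdline)}


def is_masquerading(path: str) -> bool:
    """True when a well-known system binary name sits outside its expected directory."""
    name = basename(path)
    if name not in EXPECTED_LOCATIONS:
        return False
    return path.replace("/", "\\").lower() not in EXPECTED_LOCATIONS[name]


@dataclass
class Finding:
    rule: str
    detail: str


def analyze(events: list) -> list:
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            if (parent, child) in UNEXPECTED_PARENTS:
                findings.append(Finding("unexpected_parent", f"{parent} -> {child} pid={ev['pid']}"))
            if child == "schtasks.exe" and "/create" in ev["cmdline"].lower():
                task = parse_schtasks(ev["cmdline"])
                target = task.get("tr", "")
                if is_masquerading(target):
                    findings.append(Finding("masquerading_task_binary", f"/tn {task.get('tn')} -> {target}"))
                if task.get("sc", "").upper() == "ONLOGON" and task.get("rl", "").upper() == "HIGHEST":
                    findings.append(Finding("highest_onlogon_task", f"/tn {task.get('tn')} pid={ev['pid']}"))
        elif ev["type"] == "registry":
            if ev["key"].lower() == RUN_KEY and is_masquerading(strip_quotes(ev["value"])):
                findings.append(Finding("masquerading_run_key", f"{ev['name']} = {ev['value']} by {ev['image']}"))
    return findings


# Constructed events modelled on this report's process tree and registry IoCs (not a real log export).
EVENTS = [
    {"type": "process", "pid": 4732, "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f'''},
    {"type": "process", "pid": 1984, "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\comuid\RuntimeBroker.exe'" /rl HIGHEST /f'''},
    {"type": "registry", "image": "winsessionperfcrtdhcpFontmonitornet.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "dllhost", "value": r'"C:\Windows\System32\Phoneutil\dllhost.exe"'},
    # Benign control: a daily task created from cmd.exe for a binary name that is not on the allow-list.
    {"type": "process", "pid": 1000, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Tools\backup.exe" /f'''},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The allow-list check is deliberately exact-path rather than directory-prefix: the report's copies sit in subdirectories of System32 (winlogon\, comuid\, Phoneutil\, globinputhost\), so a rule that only asked "is it under C:\Windows\System32" would miss four of the seven. The ONLOGON plus HIGHEST rule on its own is noisy in environments where administrators schedule elevated logon tasks; it is the combination with the WMI parent and the masquerading path that makes this chain stand out.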
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: 7b821ef7118b960e5707288a81e136cc
SHA1: 6251f2f8d2cf3a107b26a53b09feae748bfb8088
SHA256: a6bbcf93787d3e116fe20798611f286a07f95388bf4fe0695af6a55a0d1f3d4d
SHA512: 892d97be3dff4a2e2596becdcf65114a29f2ae6536c187587addfe5017d35ef73148106df0f5c37536ca530e146a081d9a33a68eea54ecbb037fb6b951bc38de

Filesize: 66B
MD5: 0286dfaabb2eaca6be6162d5872aaeba
SHA1: 75ab5fa416ec4e9e3df83f28cc67e71c593cfda4
SHA256: a07930110496f899d363e0120709c95eca5fdd7ce127e51457647a9eec103622
SHA512: 6b5999896ca5d3c2d38054769ba76402d6e53406a5bed281dd17fa5d3db0c7dcc711acc997bf7f9e602643a896da4de5cd0c59d393bbea82a3e03474ecfbbb6f

Filesize: 910KB
MD5: 13ba0d9074cdbfeae9f78242af80afb6
SHA1: ec312cbd990aa9b5dd03d7bd73ffbe79d7ddc27c
SHA256: a57b942025856c8ba21f897830a67cd4d3e317587f0bb6a7fce37f53d9e9d026
SHA512: 03e00bb2dbd43249489fe0a32a9277134eb026b1322bee5a208718e05ba9a4077ad4e02075c1e12cf6e3d941329a1203a3210ea932ea86b8855d01867dfe37c9