Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/03/2024, 04:09
Behavioral task behavioral1
- Sample: dd32729dcf73c31a478099c25da5789c.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: dd32729dcf73c31a478099c25da5789c.exe
- Resource: win10v2004-20240226-en
General
- Target: dd32729dcf73c31a478099c25da5789c.exe
- Size: 1.4MB
- MD5: dd32729dcf73c31a478099c25da5789c
- SHA1: dad05d17829936c6136d16962c38d2981e56bb21
- SHA256: 6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e
- SHA512: fcf113386c292d03c39071587907f0700936d0ac060c8b96f1ce71683b5e78b1c4b730fdc79b35bb1fe097010844e237034a4184e32fc0b4566ef2f31d382fc0
- SSDEEP: 24576:U2G/nvxW3Ww0tdGyavpdrgnar7l2odPdcsZHpa+AGO05d2GqXW+lWR++40:UbA30alr7tcsZHpaVwulmJ
Malware Config
Signatures
DcRat 8 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
description | ioc | pid | Process
- | - | 2672 | schtasks.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | - | dd32729dcf73c31a478099c25da5789c.exe
- | - | 3936 | schtasks.exe
- | - | 2612 | schtasks.exe
- | - | 4560 | schtasks.exe
- | - | 3620 | schtasks.exe
- | - | 2308 | schtasks.exe
- | - | 2444 | schtasks.exe
resource | yara_rule
behavioral2/files/0x000700000002320f-10.dat | dcrat
behavioral2/memory/1260-12-0x00000000006C0000-0x00000000007E2000-memory.dmp | dcrat
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 1380 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2672 | 1380 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3936 | 1380 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4560 | 1380 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3620 | 1380 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2308 | 1380 | schtasks.exe | 95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 1380 | schtasks.exe | 95
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | winPerfdhcpCommonSvcsavesperfMonitor.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | dd32729dcf73c31a478099c25da5789c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 2 IoCs
pid | Process
1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe
4324 | explorer.exe
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Globalization\\Time Zone\\explorer.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources\\SearchApp.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft OneDrive\\setup\\csrss.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\csrss.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\dimsjob\\RuntimeBroker.exe\"" | winPerfdhcpCommonSvcsavesperfMonitor.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\dimsjob\RuntimeBroker.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\System32\dimsjob\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | winPerfdhcpCommonSvcsavesperfMonitor.exe
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\Globalization\Time Zone\explorer.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File opened for modification | C:\Windows\Globalization\Time Zone\explorer.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\Globalization\Time Zone\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe | winPerfdhcpCommonSvcsavesperfMonitor.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\38384e6a620884a6b69bcc56f80d556f9200171c | winPerfdhcpCommonSvcsavesperfMonitor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3620 | schtasks.exe
2308 | schtasks.exe
2612 | schtasks.exe
2444 | schtasks.exe
2672 | schtasks.exe
3936 | schtasks.exe
4560 | schtasks.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | dd32729dcf73c31a478099c25da5789c.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe
1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe
1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe
1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe
1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe
4324 | explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe
Token: SeDebugPrivilege | 4324 | explorer.exe
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 1748 wrote to memory of 2460 | 1748 | dd32729dcf73c31a478099c25da5789c.exe | 91
PID 1748 wrote to memory of 2460 | 1748 | dd32729dcf73c31a478099c25da5789c.exe | 91
PID 1748 wrote to memory of 2460 | 1748 | dd32729dcf73c31a478099c25da5789c.exe | 91
PID 2460 wrote to memory of 3400 | 2460 | WScript.exe | 92
PID 2460 wrote to memory of 3400 | 2460 | WScript.exe | 92
PID 2460 wrote to memory of 3400 | 2460 | WScript.exe | 92
PID 3400 wrote to memory of 1260 | 3400 | cmd.exe | 94
PID 3400 wrote to memory of 1260 | 3400 | cmd.exe | 94
PID 1260 wrote to memory of 4324 | 1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe | 103
PID 1260 wrote to memory of 4324 | 1260 | winPerfdhcpCommonSvcsavesperfMonitor.exe | 103
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree)
C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe (PID 1748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe"
  - DcRat
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 2460)
    Command line: "C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3400)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" "
      - Suspicious use of WriteProcessMemory
      C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe (PID 1260)
        Command line: "C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Globalization\Time Zone\explorer.exe (PID 4324)
          Command line: "C:\Windows\Globalization\Time Zone\explorer.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe (PID 2444)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\explorer.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2672)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3936)
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4560)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3620)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2308)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2612)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\dimsjob\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 205B
  MD5: abd20005732c70524b80234027cf0db4
  SHA1: d0cdbcfce900f87af778847ef0d3cab111d81a96
  SHA256: a3f95542fdf730753c47edb849267864f0cff972bfa20cab36065c24953c45d6
  SHA512: c3a71016fa58d8d1cd173c9b9ba32c157d2277535fd8f658cc87981cc4721d7c04e822b96a58d8f31d87724237b24c81635c13bb746dc12db1f2379e4867f7ba
- Filesize: 66B
  MD5: 58afc535c3d36e78abb3677a61dc4737
  SHA1: bd3914278bba89d1b88dac33ca2b1ca9c04c3aa4
  SHA256: ebdb6f3c9799886ce3dd7e9ed19333446b94303c8ad00d5b49d744a0c867d4d4
  SHA512: 8f609700f10ce525feee7a3e7bd1799e573bd6b1e67783478cf5e1390a18de5eb37bf179bbd805532f7e05d12602205af00e7b3c214d09516bdcbd90c25aa4b3
- Filesize: 1.1MB
  MD5: 4f85fd9da0e6d825b520f09905b16301
  SHA1: 11b96ca925a09cd96569c4be2930b9b2bad9dd07
  SHA256: fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942
  SHA512: cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e