Analysis

  • max time kernel: 148s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/03/2024, 04:09

General

  • Target: dd32729dcf73c31a478099c25da5789c.exe
  • Size: 1.4MB
  • MD5: dd32729dcf73c31a478099c25da5789c
  • SHA1: dad05d17829936c6136d16962c38d2981e56bb21
  • SHA256: 6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e
  • SHA512: fcf113386c292d03c39071587907f0700936d0ac060c8b96f1ce71683b5e78b1c4b730fdc79b35bb1fe097010844e237034a4184e32fc0b4566ef2f31d382fc0
  • SSDEEP: 24576:U2G/nvxW3Ww0tdGyavpdrgnar7l2odPdcsZHpa+AGO05d2GqXW+lWR++40:UbA30alr7tcsZHpaVwulmJ

Malware Config

Signatures

  • DcRat 8 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe
    "C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3400
        • C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
          "C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\Globalization\Time Zone\explorer.exe
            "C:\Windows\Globalization\Time Zone\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\dimsjob\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe
    Filesize: 205B
    MD5: abd20005732c70524b80234027cf0db4
    SHA1: d0cdbcfce900f87af778847ef0d3cab111d81a96
    SHA256: a3f95542fdf730753c47edb849267864f0cff972bfa20cab36065c24953c45d6
    SHA512: c3a71016fa58d8d1cd173c9b9ba32c157d2277535fd8f658cc87981cc4721d7c04e822b96a58d8f31d87724237b24c81635c13bb746dc12db1f2379e4867f7ba

  • C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat
    Filesize: 66B
    MD5: 58afc535c3d36e78abb3677a61dc4737
    SHA1: bd3914278bba89d1b88dac33ca2b1ca9c04c3aa4
    SHA256: ebdb6f3c9799886ce3dd7e9ed19333446b94303c8ad00d5b49d744a0c867d4d4
    SHA512: 8f609700f10ce525feee7a3e7bd1799e573bd6b1e67783478cf5e1390a18de5eb37bf179bbd805532f7e05d12602205af00e7b3c214d09516bdcbd90c25aa4b3

  • C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
    Filesize: 1.1MB
    MD5: 4f85fd9da0e6d825b520f09905b16301
    SHA1: 11b96ca925a09cd96569c4be2930b9b2bad9dd07
    SHA256: fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942
    SHA512: cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

  • memory/1260-12-0x00000000006C0000-0x00000000007E2000-memory.dmp (Filesize: 1.1MB)
  • memory/1260-13-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp (Filesize: 10.8MB)
  • memory/1260-14-0x00000000028A0000-0x00000000028B0000-memory.dmp (Filesize: 64KB)
  • memory/1260-40-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp (Filesize: 10.8MB)
  • memory/4324-41-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp (Filesize: 10.8MB)
  • memory/4324-42-0x000000001B560000-0x000000001B570000-memory.dmp (Filesize: 64KB)
  • memory/4324-43-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp (Filesize: 10.8MB)
  • memory/4324-44-0x000000001B560000-0x000000001B570000-memory.dmp (Filesize: 64KB)
  • memory/4324-46-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp (Filesize: 10.8MB)