Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
24-04-2024 13:40
General
-
Target
1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee.exe
-
Size
2.0MB
-
MD5
1b4f235c3e17aaf137d6b7f9b2c52edc
-
SHA1
045ce4c79fa77bcd0224e40b44156536b8f92f4b
-
SHA256
1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee
-
SHA512
3c52f5af66758465842be11cc2e3760963c3cfbf660ddab1cf70a8d0d99a6a4458f7acdf6da5622c7fb1d80b5fd7345f5aca36c0a9dd9bae0d4ad79f59f8a1c7
-
SSDEEP
24576:kn2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:SaTUv0jmtEttc
Score
10/10
Malware Config
Signatures
-
DcRat 45 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 15 IoCs
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 7 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Detects executables containing bas64 encoded gzip files 7 IoCs
-
Detects executables packed with SmartAssembly 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 30 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee.exe"C:\Users\Admin\AppData\Local\Temp\1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe"C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\security\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\security\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\security\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee1" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee1" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\1c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exeFilesize
2.0MB
MD57303426ffee1ba56604466586413d313
SHA18366768ea69ca763c63a0d1876ceded959e97410
SHA256f56382afefe83b71f7e2ec1d4750a120390264fa0ef150420232880fbbc8b5e2
SHA512a9366eb8b0d58d4b163eb206f256203b805f8790900fb00aad81eab92dfa1c8eed1ea87f4663a3869632f0b492f43551a6d63b4e82e7a91988af2141f6bd9169
-
C:\Recovery\WindowsRE\fontdrvhost.exeFilesize
2.0MB
MD5018d6b44ed74b074e1ae75e61141c111
SHA16130c664275c31429a8ec4e64abb64599eb6a944
SHA2562ea60eb19024ac584f75f1d355538a79dd548a0a70e654cdd48b3c4aae42235e
SHA512f5488e89eea05fb2d384a244a6117a31909d58be368159ebd0b37198d70119c1c01f96eebb4da9adc5924652c778681da96f2111d346f77aa3e50fa1823ae45c
-
C:\Recovery\WindowsRE\sihost.exeFilesize
2.0MB
MD5b6bfa31615828698c28e0b411391df81
SHA197f9381ac150135a2a96eae212bde14b3ba6ef04
SHA256626fac4203f6eacb617da4486f90ed6573ed26893a62a60a98d2b5c2e0e8f4bc
SHA5129cd584611082c69172db61c2fb5fbe597afa9bb71b2037a3cc53eb69603a27a6c59eeb87d3c5e56fa63e105ba3817102dce57e82fda63ac965c71d931e238199
-
C:\Windows\Migration\WTR\fontdrvhost.exeFilesize
2.0MB
MD51b4f235c3e17aaf137d6b7f9b2c52edc
SHA1045ce4c79fa77bcd0224e40b44156536b8f92f4b
SHA2561c2f57889f877f43050288b06f044339713ed427a6ec909ab57330203cb905ee
SHA5123c52f5af66758465842be11cc2e3760963c3cfbf660ddab1cf70a8d0d99a6a4458f7acdf6da5622c7fb1d80b5fd7345f5aca36c0a9dd9bae0d4ad79f59f8a1c7
-
C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\sppsvc.exeFilesize
2.0MB
MD5327e8fe24e66252153fb45e39cf5ef7e
SHA19b875f8a880d23c4bcca770580b16da444b4a479
SHA256c2d1c126157ae09c8fba9624f0c752198fcb52aa04e808917ff30917dd6d7647
SHA512eae231c284d675f78b5260db82cdae46a90da5768e2cb5126036fedd4b08b2710860ebac9df961ca0fc37c1f3f7a91af78a32a42748cf08bf11edad7bf572441
-
memory/3992-6-0x000000001B3A0000-0x000000001B3B0000-memory.dmpFilesize
64KB
-
memory/3992-4-0x000000001B530000-0x000000001B580000-memory.dmpFilesize
320KB
-
memory/3992-7-0x000000001B3B0000-0x000000001B3C6000-memory.dmpFilesize
88KB
-
memory/3992-8-0x000000001B3D0000-0x000000001B426000-memory.dmpFilesize
344KB
-
memory/3992-9-0x000000001B580000-0x000000001B58C000-memory.dmpFilesize
48KB
-
memory/3992-10-0x000000001B590000-0x000000001B59C000-memory.dmpFilesize
48KB
-
memory/3992-11-0x000000001B5A0000-0x000000001B5AC000-memory.dmpFilesize
48KB
-
memory/3992-12-0x000000001B5B0000-0x000000001B5BE000-memory.dmpFilesize
56KB
-
memory/3992-14-0x000000001B5D0000-0x000000001B5DA000-memory.dmpFilesize
40KB
-
memory/3992-13-0x000000001B5C0000-0x000000001B5CE000-memory.dmpFilesize
56KB
-
memory/3992-5-0x000000001B390000-0x000000001B398000-memory.dmpFilesize
32KB
-
memory/3992-0-0x0000000000670000-0x000000000087C000-memory.dmpFilesize
2.0MB
-
memory/3992-3-0x000000001B370000-0x000000001B38C000-memory.dmpFilesize
112KB
-
memory/3992-2-0x000000001B5E0000-0x000000001B5F0000-memory.dmpFilesize
64KB
-
memory/3992-1-0x00007FFDC9E50000-0x00007FFDCA911000-memory.dmpFilesize
10.8MB
-
memory/3992-284-0x00007FFDC9E50000-0x00007FFDCA911000-memory.dmpFilesize
10.8MB
-
memory/4484-283-0x0000000000430000-0x000000000063C000-memory.dmpFilesize
2.0MB
-
memory/4484-285-0x00007FFDC9E50000-0x00007FFDCA911000-memory.dmpFilesize
10.8MB
-
memory/4484-286-0x000000001B3B0000-0x000000001B3C0000-memory.dmpFilesize
64KB
-
memory/4484-287-0x000000001B810000-0x000000001B866000-memory.dmpFilesize
344KB
-
memory/4484-289-0x00007FFDC9E50000-0x00007FFDCA911000-memory.dmpFilesize
10.8MB