Analysis

  • max time kernel
    12s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13-05-2024 19:33

General

  • Target
    19oa2h6ibyxkuece.exe
  • Size
    1.4MB
  • MD5
    2117cf8f045e569e65a6acd57d4a349f
  • SHA1
    22c2bad783d7a33a655f386c1fffaa23a08319cc
  • SHA256
    96e667b3511fd706f966946c64f7764b26f26c93b5297b36d8a6961921fb6eaa
  • SHA512
    51326e4ef772bb809796935d06800ca6e823a4f1b6db21d80316e125c8ba77b3378b4fe50bf8e47c3eac8451d2876e37696b2c1ba6249525971ffba5d9c12c45
  • SSDEEP
    24576:T2G/nvxW3WHfmfz5BLKfaoyIOFxZBMrQ7x1WzDfLURIb3jyAm7OcbFY49:TbA3Wm7gXWxX37xuhXDwOc

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 19 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 19 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe
    "C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BrowserfontWininto\3dlXE8sYrHdS9t5pGyfBIdd4.vbe"
      2⤵
        PID:3976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\BrowserfontWininto\O9huK39vJg2D.bat" "
          3⤵
            PID:1968
            • C:\BrowserfontWininto\hyperagentsvc.exe
              "C:\BrowserfontWininto\hyperagentsvc.exe"
              4⤵
                PID:2840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2584
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2256
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2632
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BrowserfontWininto\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2488
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5016
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3456
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Videos\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:852
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3012
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\BrowserfontWininto\3dlXE8sYrHdS9t5pGyfBIdd4.vbe
    Filesize
    208B
    MD5
    b8e2e37054ea4d38065ca952d6d84b44
    SHA1
    2e53e2f24a6a8980ffe933f07604dbd47f29e35d
    SHA256
    0098c79333600eb0a4121fd7c7a17e6c66ba8decad28dfd7a4b27be56b517cb2
    SHA512
    6f477a8a943f02afe5c3a7c2ba2c48a57ec2e8a4af029b9396b84e9eb84835a0a12e08c6aac9c128c2d243632f9a051d2b443a525b51ff5efa5d6f0bd29f2f47
  • C:\BrowserfontWininto\O9huK39vJg2D.bat
    Filesize
    41B
    MD5
    749eca6bd4b12b325159837abc0797b2
    SHA1
    837b704e4ec038468364c09df18d879164483c14
    SHA256
    255513dd588a6e344367c566daef338d25e68e6150481c5d345aeb2c4f099708
    SHA512
    1b34ff9fd39a1c631485ff26faa30a2dfc9a6cd773d016a4841ebd6776e77980ea71207f5ee608833b7e78798c7a47497cfb57336585f0d862973797aec49253
  • C:\BrowserfontWininto\hyperagentsvc.exe
    Filesize
    1.2MB
    MD5
    764d2b855ffa643d2b4f69bb6bc616fa
    SHA1
    c519ec7f05277231cf5a6541525f398bedee0ebc
    SHA256
    a9dcf34f68612934c8bb265f6e679b52f7b92c64be84d6d96ef2d0cca0a50f87
    SHA512
    804d1bc07be9437cca40971d4d889dd86e5b732f47e73ac74fcef1e50d64c73aab2d8900f4bc4e5352be515d8396fd16ff969bc23f57ea259b8c4d62bc0a8967
  • C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
    Filesize
    1.1MB
    MD5
    dca1fab69bdcab1a75787e7c1ec1ec14
    SHA1
    2676f0ff21ab83b506eaa11dcf79cb3c99744320
    SHA256
    60b51783cb0a44b6397cf90145a24c8678b126ef740d56d8e8a8a17d59a9a6df
    SHA512
    bd184e3fb09c854de92c71a76725945c1fef11a1133ce28c3ee03006268a577b74168420ccbd153bda67e91d590c7202a1890f937ff013dc726dac37694adfa2
  • memory/2840-12-0x00007FFDCFA93000-0x00007FFDCFA95000-memory.dmp
    Filesize
    8KB
  • memory/2840-13-0x00000000000D0000-0x0000000000202000-memory.dmp
    Filesize
    1.2MB
  • memory/2840-16-0x000000001AEC0000-0x000000001AED6000-memory.dmp
    Filesize
    88KB
  • memory/2840-17-0x0000000000A80000-0x0000000000A8C000-memory.dmp
    Filesize
    48KB
  • memory/2840-15-0x000000001B590000-0x000000001B5E0000-memory.dmp
    Filesize
    320KB
  • memory/2840-14-0x0000000000A60000-0x0000000000A7C000-memory.dmp
    Filesize
    112KB