Analysis
-
max time kernel
12s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
13-05-2024 19:33
Behavioral task
behavioral1
Sample
19oa2h6ibyxkuece.exe
Resource
win11-20240426-en
Behavioral task
behavioral2
Sample
19oa2h6ibyxkuece.exe
Resource
debian12-armhf-20240221-en
Behavioral task
behavioral3
Sample
19oa2h6ibyxkuece.exe
Resource
ubuntu2004-amd64-20240508-en
General
-
Target
19oa2h6ibyxkuece.exe
-
Size
1.4MB
-
MD5
2117cf8f045e569e65a6acd57d4a349f
-
SHA1
22c2bad783d7a33a655f386c1fffaa23a08319cc
-
SHA256
96e667b3511fd706f966946c64f7764b26f26c93b5297b36d8a6961921fb6eaa
-
SHA512
51326e4ef772bb809796935d06800ca6e823a4f1b6db21d80316e125c8ba77b3378b4fe50bf8e47c3eac8451d2876e37696b2c1ba6249525971ffba5d9c12c45
-
SSDEEP
24576:T2G/nvxW3WHfmfz5BLKfaoyIOFxZBMrQ7x1WzDfLURIb3jyAm7OcbFY49:TbA3Wm7gXWxX37xuhXDwOc
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 19 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run every one of the 19 schtasks.exe processes has C:\Windows\system32\wbem\wmiprvse.exe (PID 1616) as its parent. A process whose parent is WmiPrvSE.exe was started through WMI (Win32_Process.Create), so the process that actually requested each task creation is the WMI client, which a parent/child tree does not show.
Processes:
description (all rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target (parent)   process
2584  1616                  schtasks.exe
2632  1616                  schtasks.exe
2256  1616                  schtasks.exe
2488  1616                  schtasks.exe
2976  1616                  schtasks.exe
5016  1616                  schtasks.exe
4956  1616                  schtasks.exe
3456  1616                  schtasks.exe
768   1616                  schtasks.exe
3040  1616                  schtasks.exe
852   1616                  schtasks.exe
3012  1616                  schtasks.exe
3932  1616                  schtasks.exe
3528  1616                  schtasks.exe
2912  1616                  schtasks.exe
1748  1616                  schtasks.exe
3064  1616                  schtasks.exe
2704  1616                  schtasks.exe
2612  1616                  schtasks.exe -
YARA matches (DcRat):
resource                                                                       yara_rule
C:\BrowserfontWininto\hyperagentsvc.exe                                        dcrat
behavioral1/memory/2840-13-0x00000000000D0000-0x0000000000202000-memory.dmp    dcrat
C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe                          dcrat
The memory dump is from PID 2840, which is hyperagentsvc.exe, so the rule matches both the dropped file on disk and its image in memory; the RuntimeBroker.exe copy is the target of the first two scheduled tasks. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The 19 tasks here point at copies of the payload named after Windows binaries (RuntimeBroker, winlogon, sihost, fontdrvhost, dllhost, sppsvc, explorer, StartMenuExperienceHost, plus System and sysmon) placed outside their legitimate directories. Several targets get both an ONLOGON task and a MINUTE task with a 5 to 14 minute interval, so a killed payload is restarted within minutes; /rl HIGHEST runs the task at the highest privilege level available to the creating user, and /f overwrites an existing task of the same name, so the repeated names (fontdrvhostf, sihosts, dllhostd, sysmons) replace each other and leave one task per name.
Processes:
schtasks.exe PIDs: 3456, 768, 3932, 5016, 852, 3528, 1748, 2256, 2488, 4956, 3040, 2584, 2976, 3012, 2912, 3064, 2704, 2612, 2632 -
Modifies registry class 1 IoCs
Processes:
description   ioc                                                                                   process
Key created   \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings   19oa2h6ibyxkuece.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                        pid    process                target process
PID 4760 wrote to memory of 3976   4760   19oa2h6ibyxkuece.exe   WScript.exe (3976)
Reported three times, one IoC per WriteProcessMemory call. On its own this is a weak indicator, since a parent writing into a child it has just created also happens during ordinary process creation; it matters here only as part of the chain below.
Processes
-
Nesting level is shown as [1], [2], ...; each entry gives the image path, the command line and the PID.
[1] C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe"
    PID:4760
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\BrowserfontWininto\3dlXE8sYrHdS9t5pGyfBIdd4.vbe"
        PID:3976
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\BrowserfontWininto\O9huK39vJg2D.bat" "
            PID:1968
            [4] C:\BrowserfontWininto\hyperagentsvc.exe
                cmdline: "C:\BrowserfontWininto\hyperagentsvc.exe"
                PID:2840
The dropper runs an encoded VBScript (.vbe) through WScript.exe, which runs a batch file that launches hyperagentsvc.exe, the file the DcRat YARA rule matches. WScript.exe and cmd.exe show SysWOW64 image paths although the command lines name System32: the dropper is a 32-bit process, so WOW64 file system redirection maps its System32 references to SysWOW64.

The 19 schtasks.exe processes below are not children of that chain; their parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 1616), i.e. they were created through WMI. Each of them triggered "Process spawned unexpected child process" and "Creates scheduled task(s)".
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
    PID:2584
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
    PID:2256
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\fontdrvhost.exe'" /f
    PID:2632
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BrowserfontWininto\winlogon.exe'" /rl HIGHEST /f
    PID:2488
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /f
    PID:2976
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
    PID:5016
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
    PID:3456
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
    PID:4956
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f
    PID:768
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f
    PID:3040
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Videos\sysmon.exe'" /rl HIGHEST /f
    PID:852
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
    PID:3012
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
    PID:3932
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f
    PID:2912
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f
    PID:3528
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /f
    PID:1748
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /f
    PID:3064
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
    PID:2704
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
    PID:2612
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 208B
MD5 b8e2e37054ea4d38065ca952d6d84b44
SHA1 2e53e2f24a6a8980ffe933f07604dbd47f29e35d
SHA256 0098c79333600eb0a4121fd7c7a17e6c66ba8decad28dfd7a4b27be56b517cb2
SHA512 6f477a8a943f02afe5c3a7c2ba2c48a57ec2e8a4af029b9396b84e9eb84835a0a12e08c6aac9c128c2d243632f9a051d2b443a525b51ff5efa5d6f0bd29f2f47
-
Filesize 41B
MD5 749eca6bd4b12b325159837abc0797b2
SHA1 837b704e4ec038468364c09df18d879164483c14
SHA256 255513dd588a6e344367c566daef338d25e68e6150481c5d345aeb2c4f099708
SHA512 1b34ff9fd39a1c631485ff26faa30a2dfc9a6cd773d016a4841ebd6776e77980ea71207f5ee608833b7e78798c7a47497cfb57336585f0d862973797aec49253
-
Filesize 1.2MB
MD5 764d2b855ffa643d2b4f69bb6bc616fa
SHA1 c519ec7f05277231cf5a6541525f398bedee0ebc
SHA256 a9dcf34f68612934c8bb265f6e679b52f7b92c64be84d6d96ef2d0cca0a50f87
SHA512 804d1bc07be9437cca40971d4d889dd86e5b732f47e73ac74fcef1e50d64c73aab2d8900f4bc4e5352be515d8396fd16ff969bc23f57ea259b8c4d62bc0a8967
-
Filesize 1.1MB
MD5 dca1fab69bdcab1a75787e7c1ec1ec14
SHA1 2676f0ff21ab83b506eaa11dcf79cb3c99744320
SHA256 60b51783cb0a44b6397cf90145a24c8678b126ef740d56d8e8a8a17d59a9a6df
SHA512 bd184e3fb09c854de92c71a76725945c1fef11a1133ce28c3ee03006268a577b74168420ccbd153bda67e91d590c7202a1890f937ff013dc726dac37694adfa2