Analysis
max time kernel: 134s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-05-2024 20:11
Behavioral task: behavioral1
  Sample: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  Resource: win10v2004-20240426-en
General
Target: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
Size: 829KB
MD5: 3bd8d1abdfdf35856a1b35c6824bd6f2
SHA1: 3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA512: 11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
SSDEEP: 12288:Qu1cCMKdiaT3Ok1MVBFdpkj6fe9BSbwfKyw8:VOlKUaT3O7VBFdpLWQEfKyP
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Processes (resource | yara_rule):
  behavioral2/memory/776-1-0x0000000000290000-0x0000000000366000-memory.dmp | dcrat
  C:\Program Files\VideoLAN\VLC\plugins\gui\lsass.exe | dcrat
- Process spawned unexpected child process (21 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe (21 instances)
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3696 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1644 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4544 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1828 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5008 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4532 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4968 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4748 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4152 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4080 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4824 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3644 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3232 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1060 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4956 | 4364 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1056 | 4364 | schtasks.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
- Executes dropped EXE (1 IoC)
  Processes: spoolsv.exe
  pid | process
  2400 | spoolsv.exe
- Drops file in Program Files directory (8 IoCs)
  Processes: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Google\Temp\6cb0b6c459d5d3 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\sysmon.exe | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\121e5b5079f7c0 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\gui\lsass.exe | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\gui\6203df4a6bafc7 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  File created | C:\Program Files (x86)\Google\Temp\dwm.exe | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  description | ioc | process
  File created | C:\Windows\Logs\sysmon.exe | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  File created | C:\Windows\Logs\121e5b5079f7c0 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 21 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (21 instances)
  pid | process
  2076, 4548, 2260, 1644, 4968, 4152, 3008, 1828, 3232, 2036, 1060, 3696, 4544, 5008, 4532, 4748, 4080, 4824, 3644, 4956, 1056 | schtasks.exe (one row per PID)
- Modifies registry class (1 IoC)
  Processes: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe, spoolsv.exe
  pid | process
  776 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe (11 rows)
  2400 | spoolsv.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe, spoolsv.exe
  description | pid | process
  Token: SeDebugPrivilege | 776 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe
  Token: SeDebugPrivilege | 2400 | spoolsv.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 3bd8d1abdfdf35856a1b35c6824bd6f2.exe, cmd.exe
  description | pid | process | target process
  PID 776 wrote to memory of 1556 | 776 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe | cmd.exe
  PID 776 wrote to memory of 1556 | 776 | 3bd8d1abdfdf35856a1b35c6824bd6f2.exe | cmd.exe
  PID 1556 wrote to memory of 4756 | 1556 | cmd.exe | w32tm.exe
  PID 1556 wrote to memory of 4756 | 1556 | cmd.exe | w32tm.exe
  PID 1556 wrote to memory of 2400 | 1556 | cmd.exe | spoolsv.exe
  PID 1556 wrote to memory of 2400 | 1556 | cmd.exe | spoolsv.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\3bd8d1abdfdf35856a1b35c6824bd6f2.exe (PID 776, tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bd8d1abdfdf35856a1b35c6824bd6f2.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 1556, tree level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yVEdqimIyF.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\w32tm.exe (PID 4756, tree level 3)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    C:\Recovery\WindowsRE\spoolsv.exe (PID 2400, tree level 3)
      Command line: "C:\Recovery\WindowsRE\spoolsv.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe (PID 3696, tree level 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1644, tree level 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Templates\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4544, tree level 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1828, tree level 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2076, tree level 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4548, tree level 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 5008, tree level 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4532, tree level 1)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Logs\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4968, tree level 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4748, tree level 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4152, tree level 1)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4080, tree level 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4824, tree level 1)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\plugins\gui\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3644, tree level 1)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\gui\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3232, tree level 1)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\plugins\gui\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2036, tree level 1)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1060, tree level 1)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2260, tree level 1)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3008, tree level 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4956, tree level 1)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1056, tree level 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 829KB
  MD5: 3bd8d1abdfdf35856a1b35c6824bd6f2
  SHA1: 3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
  SHA256: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
  SHA512: 11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
- File 2
  Filesize: 198B
  MD5: 0eb9b7b97164e54e757128aa5949169d
  SHA1: 0ab73f72195c8b795c9015b5452898fb9b5a0800
  SHA256: e35f21fbf4628969070bc7f5cc49856d4bcdf2d10ed59dc0cf6dd18dee45190d
  SHA512: c2a18bf02026c6d9606149946b59ece093e8e6b564c14904d43858300776e18cfda9fc702f5a9bbd085df92948a25cdb6b08eb4cd6f7635d65020b8668e1f447