Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 20:58

General

  • Target

    47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe

  • Size

    3.7MB

  • MD5

    3aff466445051bd93a7ea3ae519587ef

  • SHA1

    516c1e9da912f6d988146fb812d88bdc7b30588a

  • SHA256

    47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e

  • SHA512

    3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f

  • SSDEEP

    49152:UbA30nPNSHQAjwNVYyHycT6JYRAwWPScqhWtkOTwol8FxMQFQnSMvTklif/:UbhwTNJytcqgtkzoEOSMvTwif/

Malware Config

Signatures

  • DcRat 13 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
    "C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4112
        • C:\Bridgeserverintocommon\intobroker.exe
          "C:\Bridgeserverintocommon\intobroker.exe"
          4⤵
          • Modifies WinLogon for persistence
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1012
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FYJQVhD8a8.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4844
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1076
              • C:\Windows\SKB\LanguageModels\dllhost.exe
                "C:\Windows\SKB\LanguageModels\dllhost.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3528
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73e9bcbb-0c3a-45d0-92ab-0e2bc3fbb0fc.vbs"
                  7⤵
                    PID:1956
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f270df3-9232-4433-be85-6919e96bea0b.vbs"
                    7⤵
                      PID:4448
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"
            2⤵
              PID:2128
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4024
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3436
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3332
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:836
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3220
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3920
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1220
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3320 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:3648
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:832
            • C:\Windows\system32\wbem\WmiApSrv.exe
              C:\Windows\system32\wbem\WmiApSrv.exe
              1⤵
                PID:748

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat

                Filesize

                42B

                MD5

                9005984f23c241ae6504691edad99db9

                SHA1

                50ec3cca58fd37b1853bd144854fb0242019d2b9

                SHA256

                e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de

                SHA512

                183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff

              • C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe

                Filesize

                227B

                MD5

                8ad651de9eab5382f5aeb6e0a38e22bc

                SHA1

                c45b320fdec6e25ccacc31bdf3999a6fec82c9a0

                SHA256

                adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01

                SHA512

                6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a

              • C:\Bridgeserverintocommon\file.vbs

                Filesize

                34B

                MD5

                677cc4360477c72cb0ce00406a949c61

                SHA1

                b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

                SHA256

                f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

                SHA512

                7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

              • C:\Bridgeserverintocommon\intobroker.exe

                Filesize

                3.4MB

                MD5

                34f09d31d624cddea4794d6b60fb342a

                SHA1

                21dae839ec2ac251c1d80d51e32e5b0f7c9c208f

                SHA256

                fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f

                SHA512

                e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873

              • C:\Users\Admin\AppData\Local\Temp\4f270df3-9232-4433-be85-6919e96bea0b.vbs

                Filesize

                493B

                MD5

                e9faf03e1737b1b4437a1534a274456e

                SHA1

                b8c5b8061adc0e33c24dc1f9805720168cf80348

                SHA256

                0a26607d929362016eab130f3f6abae585293a52f19697acd945e355cede51d9

                SHA512

                6aa752954c5ac864664d76a8184cb597b7097c87777f5e33d6dd6fe0daff7d7040dd3ec3ea1ae247222094249b6f872a71693f59cd7b37d5e866f5b8ae19cd08

              • C:\Users\Admin\AppData\Local\Temp\73e9bcbb-0c3a-45d0-92ab-0e2bc3fbb0fc.vbs

                Filesize

                717B

                MD5

                23407a95b742c9f1ba704c067ca8ffa4

                SHA1

                9c7d0273d80a33079ba78243c43c95ce19acdb2c

                SHA256

                7fab4928d4f76868eacc6d6ff946e20550ab030af17448668e2762a5d6429268

                SHA512

                497c3e3329edf9a6b7b60610e548f72acde3ef6a8d003c4c17c5773a8e5ee5b207ceaad3bd4f007855afc8f2dbdf1ecd2c448fa06767d6f8820d7eebad2ac235

              • C:\Users\Admin\AppData\Local\Temp\FYJQVhD8a8.bat

                Filesize

                206B

                MD5

                32f81aea9006bea6cb1a5d126cf15787

                SHA1

                1a82649f968deb656c39aeb6e93e4a125238cc70

                SHA256

                6be00242e62c03251c336a9c76774e6c72b23cc8e1cf72e196bd894262b4d52e

                SHA512

                357589860ed09c49fe4df8a874a22219dad012d89fe0b775f9f6e4ccd5628b2059a11549996791e9f4789264abb770f8ec0b3fbc11435fb76f422cb826c67627

              • memory/1012-35-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

                Filesize

                48KB

              • memory/1012-39-0x000000001C440000-0x000000001C44C000-memory.dmp

                Filesize

                48KB

              • memory/1012-22-0x000000001C220000-0x000000001C270000-memory.dmp

                Filesize

                320KB

              • memory/1012-25-0x000000001C1D0000-0x000000001C1E6000-memory.dmp

                Filesize

                88KB

              • memory/1012-24-0x000000001BB90000-0x000000001BBA0000-memory.dmp

                Filesize

                64KB

              • memory/1012-23-0x000000001BB80000-0x000000001BB88000-memory.dmp

                Filesize

                32KB

              • memory/1012-26-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

                Filesize

                48KB

              • memory/1012-27-0x000000001C1F0000-0x000000001C202000-memory.dmp

                Filesize

                72KB

              • memory/1012-28-0x000000001C200000-0x000000001C20C000-memory.dmp

                Filesize

                48KB

              • memory/1012-29-0x000000001C380000-0x000000001C388000-memory.dmp

                Filesize

                32KB

              • memory/1012-30-0x000000001C490000-0x000000001C4A0000-memory.dmp

                Filesize

                64KB

              • memory/1012-31-0x000000001C210000-0x000000001C21A000-memory.dmp

                Filesize

                40KB

              • memory/1012-32-0x000000001C390000-0x000000001C3E6000-memory.dmp

                Filesize

                344KB

              • memory/1012-33-0x000000001C370000-0x000000001C37C000-memory.dmp

                Filesize

                48KB

              • memory/1012-34-0x000000001C3E0000-0x000000001C3E8000-memory.dmp

                Filesize

                32KB

              • memory/1012-21-0x000000001BB60000-0x000000001BB7C000-memory.dmp

                Filesize

                112KB

              • memory/1012-36-0x000000001C400000-0x000000001C408000-memory.dmp

                Filesize

                32KB

              • memory/1012-37-0x000000001C410000-0x000000001C422000-memory.dmp

                Filesize

                72KB

              • memory/1012-38-0x000000001C9D0000-0x000000001CEF8000-memory.dmp

                Filesize

                5.2MB

              • memory/1012-20-0x0000000003160000-0x0000000003168000-memory.dmp

                Filesize

                32KB

              • memory/1012-40-0x000000001C450000-0x000000001C458000-memory.dmp

                Filesize

                32KB

              • memory/1012-41-0x000000001C460000-0x000000001C46C000-memory.dmp

                Filesize

                48KB

              • memory/1012-42-0x000000001C470000-0x000000001C47C000-memory.dmp

                Filesize

                48KB

              • memory/1012-43-0x000000001C480000-0x000000001C488000-memory.dmp

                Filesize

                32KB

              • memory/1012-44-0x000000001C6A0000-0x000000001C6AC000-memory.dmp

                Filesize

                48KB

              • memory/1012-45-0x000000001C6B0000-0x000000001C6BA000-memory.dmp

                Filesize

                40KB

              • memory/1012-46-0x000000001C6C0000-0x000000001C6CE000-memory.dmp

                Filesize

                56KB

              • memory/1012-47-0x000000001C6D0000-0x000000001C6D8000-memory.dmp

                Filesize

                32KB

              • memory/1012-48-0x000000001C6E0000-0x000000001C6EE000-memory.dmp

                Filesize

                56KB

              • memory/1012-49-0x000000001C6F0000-0x000000001C6F8000-memory.dmp

                Filesize

                32KB

              • memory/1012-50-0x000000001C700000-0x000000001C70C000-memory.dmp

                Filesize

                48KB

              • memory/1012-51-0x000000001C710000-0x000000001C718000-memory.dmp

                Filesize

                32KB

              • memory/1012-52-0x000000001C820000-0x000000001C82A000-memory.dmp

                Filesize

                40KB

              • memory/1012-19-0x0000000003150000-0x000000000315E000-memory.dmp

                Filesize

                56KB

              • memory/1012-18-0x0000000001890000-0x000000000189E000-memory.dmp

                Filesize

                56KB

              • memory/1012-17-0x0000000000C10000-0x0000000000F78000-memory.dmp

                Filesize

                3.4MB

              • memory/3528-79-0x000000001E2B0000-0x000000001E472000-memory.dmp

                Filesize

                1.8MB