Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-05-2024 00:25

General

  • Target

    9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe

  • Size

    3.7MB

  • MD5

    6f2466923bafbabe0788c6126ff713d9

  • SHA1

    2fb2911f4a08458e9aa922e4b8f6e6b4a7c2c81c

  • SHA256

    9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad

  • SHA512

    ebc5f71d041828eb54781d5fee466b0026586dfe6929fb2327a7bfb016b13427f2177b7d405523ff3457f8a1808335d76fc24467de4ef0a9dcc0a41a638f5d30

  • SSDEEP

    98304:+XXAzJltvwAu5QfCWC2UxdYZhOIeBXJcu3O:+HAzXtzu5QfCWPK+/2tJcz

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe
    "C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgeComponentRuntimehostnet\worw0dI33.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4716
        • C:\bridgeComponentRuntimehostnet\componentRef.exe
          "C:\bridgeComponentRuntimehostnet\componentRef.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DZ8Dwvi6fQ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:696
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3396
              • C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe
                "C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3480
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1837dce6-ccdc-4b94-9bd2-a3daef544867.vbs"
                  7⤵
                    PID:1688
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac48c4b-3cc5-4e10-9f14-837ae7bd1257.vbs"
                    7⤵
                      PID:3112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Videos\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4896
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1808
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5012
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2676
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2280
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3220
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2204
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4800
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1280
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3712
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4140
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2256
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3776
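The 39 schtasks invocations above follow one template per dropped binary: a MINUTE task with no run level, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at /rl HIGHEST, every one pointing at a file named after a Windows binary but placed where that binary does not live (C:\Recovery\WindowsRE, a Program Files subfolder, C:\Windows\SKB\LanguageModels). The Python below is an added example, not part of the sandbox report or of the malware, that parses schtasks /create command lines of this shape and flags that pattern. Its sample input is constructed from six of the command lines above plus one benign task; the list of impersonated binary names is taken from the task targets on this page, and the trusted-directory set and the helper names are assumptions made for the example.

```python
"""Hunt for DCRat-style scheduled-task persistence in schtasks command lines.

Added example, not the sandbox's or the malware's code. Groups `schtasks /create`
calls by the executable they run and flags the logon + interval set that the
process tree above shows for every dropped payload.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: six command lines copied from the process tree above plus
# one benign task. On a live host the same strings come from Sysmon event 1,
# Security event 4688 or Security event 4698 (task created).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f''',
    r'''schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f''',
    # Constructed benign task: a real binary in its real directory, no interval task.
    r'''schtasks.exe /create /tn "TaskhostKeepalive" /sc ONLOGON /tr "C:\Windows\System32\taskhostw.exe" /rl HIGHEST /f''',
]

# Binary names the tasks on this page impersonate (Idle.exe is not a real
# Windows file; DCRat uses the name anyway). Extend from a System32 listing.
SYSTEM_BINARY_NAMES = {
    "textinputhost.exe", "dllhost.exe", "upfc.exe", "fontdrvhost.exe",
    "smss.exe", "runtimebroker.exe", "idle.exe", "taskhostw.exe",
    "sppextcomobj.exe", "sppsvc.exe", "winlogon.exe", "cmd.exe",
}
# Assumption for the example: the only directories where those names are legitimate.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_schtasks(cmdline):
    """Pull the fields of a `schtasks /create` command line; None if it is not one."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None
    name = re.search(r'/tn\s+"([^"]+)"', cmdline, re.I)
    sched = re.search(r"/sc\s+(\w+)", cmdline, re.I)
    target = re.search(r'/tr\s+"(.+?)"', cmdline, re.I)
    if not (name and sched and target):
        return None
    mod = re.search(r"/mo\s+(\d+)", cmdline, re.I)
    return {
        "name": name.group(1),
        "schedule": sched.group(1).upper(),
        "interval": int(mod.group(1)) if mod else None,
        # DCRat wraps the path in single quotes inside the double quotes.
        "target": target.group(1).strip("'"),
        "highest": bool(re.search(r"/rl\s+HIGHEST", cmdline, re.I)),
    }


def executable_of(target):
    """Drop trailing arguments so `C:\\x\\a.exe /c foo` becomes `C:\\x\\a.exe`."""
    m = re.match(r"(.+?\.exe)", target, re.I)
    return m.group(1) if m else target


def masquerades_as_system_binary(exe):
    """True when the file name is a Windows binary name outside its trusted directory."""
    base = ntpath.basename(exe).lower()
    folder = ntpath.dirname(exe).lower()
    return base in SYSTEM_BINARY_NAMES and folder not in TRUSTED_DIRS


def find_persistence_triads(cmdlines):
    """Return {executable: {names, intervals, masquerade}} for every executable
    that has an ONLOGON task at highest run level plus at least one MINUTE task."""
    by_exe = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task:
            by_exe[executable_of(task["target"])].append(task)
    findings = {}
    for exe, tasks in by_exe.items():
        logon = any(t["schedule"] == "ONLOGON" and t["highest"] for t in tasks)
        minutes = sorted(t["interval"] for t in tasks if t["schedule"] == "MINUTE")
        if logon and minutes:
            findings[exe] = {
                "names": sorted({t["name"] for t in tasks}),
                "intervals": minutes,
                "masquerade": masquerades_as_system_binary(exe),
            }
    return findings


def cleanup_commands(findings):
    """Emit one `schtasks /delete` line per flagged task name, grouped by payload."""
    return [f'schtasks.exe /delete /tn "{name}" /f'
            for _, info in sorted(findings.items()) for name in info["names"]]


if __name__ == "__main__":
    hits = find_persistence_triads(SAMPLE_CMDLINES)
    for exe, info in hits.items():
        tag = "masquerade" if info["masquerade"] else "no masquerade"
        print(f"{exe}: tasks={info['names']} every {info['intervals']} min ({tag})")
    print("\n".join(cleanup_commands(hits)))
```

Grouping by target path rather than task name matters here: the RuntimeBroker/RuntimeBrokerR pair above is registered twice with different targets (the Adobe copy and the BrowserCore copy), and because every /create carries /f, the later registration overwrites the earlier one. A live host therefore holds only the last target under that name while both dropped files remain on disk, so the file list, not the task list, is the cleanup inventory.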

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\1837dce6-ccdc-4b94-9bd2-a3daef544867.vbs

          Filesize

          739B

          MD5

          d627f60ba2b58d0e9f08b372c2288bba

          SHA1

          952b3daceb679e24df8d910e9dc135fe545f90ef

          SHA256

          ae366485892bd07d2d38d7d478a04a3ebd208f364d85797fe79eed1996985d22

          SHA512

          96a6d2cf025e18697b20de0d1322e1859d6863296cd7ed093815eb65cc8a4547930f7753cde576fe1e1357221ea81c2d5039423b5baf7c89589c379458239ea9

        • C:\Users\Admin\AppData\Local\Temp\5ac48c4b-3cc5-4e10-9f14-837ae7bd1257.vbs

          Filesize

          515B

          MD5

          fd71bf046507149a02b8266bea39ca5a

          SHA1

          547858e0af078794b058e4c0d729129600687225

          SHA256

          248de724be4295206e483acc7e3e7c7c908401e1224ec18269ee9042f2e72021

          SHA512

          462d716864457f76b78cf1a3d720b7a2cc9fc9a72f482bfabdbef89c907e97f1a12a15c59811cfabc0d83e685abc292410234ee8312e60139d37c083b3942f68

        • C:\Users\Admin\AppData\Local\Temp\DZ8Dwvi6fQ.bat

          Filesize

          228B

          MD5

          27fa206b2865a6116d20efd9a5321c47

          SHA1

          6c2b8aeb48da6001ae176a3b4c64543aea98ae5f

          SHA256

          ae3624eac1d2c2a289cdfaa037cb086673e92a53dbcaead32c5c34642bcd4873

          SHA512

          4bd0b318d1ba75842262685edf001719953dff61da317035765cd9ded595c49b09bd7ba314ed38a8cb13e2ff0c8d3993c0628be01fffbded1cec13207d810a39

        • C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe

          Filesize

          215B

          MD5

          403a1462c9f6034000cc5f6180be08b3

          SHA1

          fd7f04eafaaa752786aaffba321366fc1938c062

          SHA256

          adaf424ebd8d37a552019d5e4c8394031fadffa5411420db2a0ed8b002834424

          SHA512

          61437b7aa711a1f6d598a00bcbb4919be2b72d58be5b6ad525272657992726c90ff79d39436dcae07a81f73978e01a223bcd11d0a2dce2423ac12de54d4f1e2c

        • C:\bridgeComponentRuntimehostnet\componentRef.exe

          Filesize

          2.4MB

          MD5

          526153cbd86009228ad53cd262a9c6b3

          SHA1

          6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2

          SHA256

          5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48

          SHA512

          9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

        • C:\bridgeComponentRuntimehostnet\worw0dI33.bat

          Filesize

          51B

          MD5

          349cd009e089597bd6a43bdb489cd4d3

          SHA1

          732820f42c008d4d5d10c04bc0f49ffcc9855619

          SHA256

          e4039e78bca312c284c412fc8a05d28521421824776faa4a5549a7b32742f671

          SHA512

          c5941a91c608027c924a366c38adff267fdad0f89b82b72db10ee632219bb5622255e97a0b02d4f46a2dd34130593ab1cf5d1c2b518b52e1c2d633c39bd9fd50

        • memory/332-20-0x000000001C240000-0x000000001C256000-memory.dmp

          Filesize

          88KB

        • memory/332-25-0x000000001C280000-0x000000001C288000-memory.dmp

          Filesize

          32KB

        • memory/332-18-0x000000001C290000-0x000000001C2E0000-memory.dmp

          Filesize

          320KB

        • memory/332-19-0x00000000019C0000-0x00000000019C8000-memory.dmp

          Filesize

          32KB

        • memory/332-15-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

          Filesize

          8KB

        • memory/332-21-0x000000001C2E0000-0x000000001C336000-memory.dmp

          Filesize

          344KB

        • memory/332-22-0x000000001C260000-0x000000001C26C000-memory.dmp

          Filesize

          48KB

        • memory/332-23-0x000000001C270000-0x000000001C282000-memory.dmp

          Filesize

          72KB

        • memory/332-24-0x000000001CBD0000-0x000000001D0F8000-memory.dmp

          Filesize

          5.2MB

        • memory/332-17-0x000000001BD10000-0x000000001BD2C000-memory.dmp

          Filesize

          112KB

        • memory/332-28-0x000000001C350000-0x000000001C35C000-memory.dmp

          Filesize

          48KB

        • memory/332-27-0x000000001C460000-0x000000001C46E000-memory.dmp

          Filesize

          56KB

        • memory/332-26-0x000000001C450000-0x000000001C45A000-memory.dmp

          Filesize

          40KB

        • memory/332-16-0x0000000000E80000-0x00000000010F6000-memory.dmp

          Filesize

          2.5MB

        • memory/1700-0-0x00000000007F0000-0x0000000000BF1000-memory.dmp

          Filesize

          4.0MB

        • memory/1700-10-0x00000000007F0000-0x0000000000BF1000-memory.dmp

          Filesize

          4.0MB

        • memory/3480-126-0x000000001E2A0000-0x000000001E449000-memory.dmp

          Filesize

          1.7MB