Analysis
max time kernel: 139s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 13:39
Behavioral task: behavioral1
Sample: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource: win10v2004-20240226-en
General
Target: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Size: 829KB
MD5: 3bd8d1abdfdf35856a1b35c6824bd6f2
SHA1: 3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA512: 11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
SSDEEP: 12288:Qu1cCMKdiaT3Ok1MVBFdpkj6fe9BSbwfKyw8:VOlKUaT3O7VBFdpLWQEfKyP
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
Process spawned unexpected child process (27 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (27 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2156 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1856 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2120 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1012 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1840 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1680 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4568 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3612 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1548 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4092 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4300 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3420 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4296 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4908 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2480 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3580 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5080 | 3136 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3928 | 3136 | schtasks.exe |
Yara matches:
resource | yara_rule
behavioral2/memory/1972-1-0x0000000000030000-0x0000000000106000-memory.dmp | dcrat
C:\odt\taskhostw.exe | dcrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Executes dropped EXE (1 IoC)
Processes: taskhostw.exe
pid | process
4032 | taskhostw.exe
Drops file in Program Files directory (13 IoCs)
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files\ModifiableWindowsApps\MusNotification.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files\MsEdgeCrashpad\winlogon.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\9e8d7a4ca61bd9 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files\Uninstall Information\6203df4a6bafc7 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\56085415360792 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files\Uninstall Information\lsass.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\e1ef82546f0b02 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Program Files\MsEdgeCrashpad\cc11b995f2a76d | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Drops file in Windows directory (2 IoCs)
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
description | ioc | process
File created | C:\Windows\debug\dllhost.exe | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
File created | C:\Windows\debug\5940a34987c991 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 27 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (27 instances)
pid | process
2196 | schtasks.exe
1680 | schtasks.exe
4908 | schtasks.exe
2480 | schtasks.exe
2552 | schtasks.exe
3612 | schtasks.exe
4300 | schtasks.exe
1548 | schtasks.exe
2044 | schtasks.exe
1912 | schtasks.exe
4092 | schtasks.exe
2208 | schtasks.exe
4296 | schtasks.exe
2432 | schtasks.exe
3580 | schtasks.exe
5080 | schtasks.exe
3928 | schtasks.exe
1856 | schtasks.exe
1012 | schtasks.exe
4568 | schtasks.exe
2784 | schtasks.exe
2156 | schtasks.exe
2120 | schtasks.exe
1840 | schtasks.exe
2388 | schtasks.exe
3420 | schtasks.exe
2276 | schtasks.exe
Modifies registry class (1 IoC)
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe, taskhostw.exe
pid | process
1972 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
1972 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
1972 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
1972 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
4032 | taskhostw.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe, taskhostw.exe
description | pid | process
Token: SeDebugPrivilege | 1972 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Token: SeDebugPrivilege | 4032 | taskhostw.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe, cmd.exe
description | pid | process | target process
PID 1972 wrote to memory of 3540 | 1972 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe | cmd.exe
PID 1972 wrote to memory of 3540 | 1972 | 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe | cmd.exe
PID 3540 wrote to memory of 1716 | 3540 | cmd.exe | w32tm.exe
PID 3540 wrote to memory of 1716 | 3540 | cmd.exe | w32tm.exe
PID 3540 wrote to memory of 4032 | 3540 | cmd.exe | taskhostw.exe
PID 3540 wrote to memory of 4032 | 3540 | cmd.exe | taskhostw.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; nesting shown by indentation)

C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1972

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rhhPZ95vdJ.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3540

    C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 1716

    C:\odt\taskhostw.exe
      Command line: "C:\odt\taskhostw.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4032

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2156

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1856

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2120

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\MsEdgeCrashpad\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2196

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2552

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\MsEdgeCrashpad\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1912

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1012

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1840

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2432

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1680

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4568

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2388

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3612

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1548

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2784

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4092

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2208

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4300

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3420

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2044

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2276

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4296

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4908

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2480

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3580

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5080

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
  PID: 4268
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 185B
MD5: a6f2a59b1d904cff8d0582c3219682d0
SHA1: 3cf1b1a6d16bc2da8805742fd8f6c74c29694ec1
SHA256: 14b8bbce36ce5f8e9c540be631a0569385fb6cbdb92df2fe99516dcd67586594
SHA512: 323a9b81847016ac21d48b816a3a5f129f5264e6399b9a41d2a6aa782e46e430e57aa9aa68f836c54f772cd7cca79ca0a77feebf54e106287b63454ee13269cf

Filesize: 829KB
MD5: 3bd8d1abdfdf35856a1b35c6824bd6f2
SHA1: 3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256: 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA512: 11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797