Analysis
-
max time kernel
133s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 11:32
Behavioral task
behavioral1
Sample
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
Resource
win10v2004-20240426-en
General
-
Target
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe
-
Size
829KB
-
MD5
3bd8d1abdfdf35856a1b35c6824bd6f2
-
SHA1
3e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
-
SHA256
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
-
SHA512
11387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
-
SSDEEP
12288:Qu1cCMKdiaT3Ok1MVBFdpkj6fe9BSbwfKyw8:VOlKUaT3O7VBFdpLWQEfKyP
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3472 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4080 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4224 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4104 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3548 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 700 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3236 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 516 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 412 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3392 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4496 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 840 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3668 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3332 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3784 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4444 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3968 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1508 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 212 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 400 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1412 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3464 3400 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1184 3400 schtasks.exe -
Processes:
resource yara_rule behavioral2/memory/4424-1-0x0000000000ED0000-0x0000000000FA6000-memory.dmp dcrat C:\Recovery\WindowsRE\taskhostw.exe dcrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe -
Executes dropped EXE 1 IoCs
Processes:
System.exepid process 2196 System.exe -
Drops file in Program Files directory 8 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exedescription ioc process File created C:\Program Files (x86)\Windows Sidebar\sihost.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files (x86)\Windows Sidebar\66fc9ff0ee96c2 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files (x86)\WindowsPowerShell\5b884080fd4f94 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files\Windows Mail\System.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files\Windows Mail\27d1bcfc3c54e0 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files\Windows Photo Viewer\en-US\upfc.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe File created C:\Program Files\Windows Photo Viewer\en-US\ea1d8f6d871115 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe -
Drops file in Windows directory 1 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exedescription ioc process File created C:\Windows\ServiceState\SEMgrSvc\Data\lsass.exe 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3968 schtasks.exe 4080 schtasks.exe 700 schtasks.exe 4496 schtasks.exe 3548 schtasks.exe 840 schtasks.exe 3784 schtasks.exe 1508 schtasks.exe 1412 schtasks.exe 3472 schtasks.exe 4104 schtasks.exe 968 schtasks.exe 1184 schtasks.exe 3332 schtasks.exe 212 schtasks.exe 1156 schtasks.exe 4224 schtasks.exe 3392 schtasks.exe 3668 schtasks.exe 3236 schtasks.exe 516 schtasks.exe 412 schtasks.exe 4444 schtasks.exe 2116 schtasks.exe 552 schtasks.exe 400 schtasks.exe 3464 schtasks.exe -
Modifies registry class 1 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exeSystem.exepid process 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe 2196 System.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exeSystem.exedescription pid process Token: SeDebugPrivilege 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe Token: SeDebugPrivilege 2196 System.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.execmd.exedescription pid process target process PID 4424 wrote to memory of 3536 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe cmd.exe PID 4424 wrote to memory of 3536 4424 439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe cmd.exe PID 3536 wrote to memory of 2368 3536 cmd.exe w32tm.exe PID 3536 wrote to memory of 2368 3536 cmd.exe w32tm.exe PID 3536 wrote to memory of 2196 3536 cmd.exe System.exe PID 3536 wrote to memory of 2196 3536 cmd.exe System.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"C:\Users\Admin\AppData\Local\Temp\439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pNOrydYYDi.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2368
-
C:\Program Files\Windows Mail\System.exe"C:\Program Files\Windows Mail\System.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\en-US\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-US\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
829KB
MD53bd8d1abdfdf35856a1b35c6824bd6f2
SHA13e6e83f044690b2e5ffec74ebdef0ec9d4e8a02b
SHA256439bcad86efe793e25a896bedbebbcbb1de01905eece9fa49cb5856a1bd562d4
SHA51211387da3bb436ce4968eeaa03d0880b2eaa5cba780a8e393c060b0828e187d9527c24dd545f8fe3f8ad02a834cc0831d78d70e823047bf758ba42da01e0fc797
-
Filesize
205B
MD525806ca93eb1886d592eead5bceec133
SHA193f3672e4807dccfd0da189ebcd75f1ce8b5a8c2
SHA256e3421ab6729c919e4710464f0a342304540bde8a693ffc10555ce80659fb540c
SHA512ccd41946c39b2eae483088931bd857aee0905fe498bd18c4be01ea2b2f27bcb8175434ad2f459ddc2d35a5eafad9149e59d36568612064a9cdcc9f33780045b5