Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 01:00
Behavioral task: behavioral1
- Sample: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
- Resource: win10v2004-20240226-en
General
- Target: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
- Size: 828KB
- MD5: 1b8dc013de93bb0edf121b38e7f8ab6f
- SHA1: 2c17ada00c2b779f5e04a801265f151591e11e18
- SHA256: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c
- SHA512: 4b23622774ea394608ade50bac520aebd64788d626e9fc316e57db8f4a4628cec221420955adae70d7ddcd7c273f6cac409d64f931e01e1a490b275788370d33
- SSDEEP: 12288:K8rQgxfLc/EHk/2Wk3D0bdxTZiLaO4Vb/5:VrzxfLFkHbXdVLVb/5
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe (21 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1404 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4316 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 908 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4456 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1112 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3808 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4420 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 548 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 856 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1128 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 740 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2200 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 552 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4892 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4404 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4620 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3756 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4212 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3852 | 3620 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1616 | 3620 | schtasks.exe |
Processes:
resource | yara_rule
behavioral2/memory/4660-1-0x00000000008F0000-0x00000000009C6000-memory.dmp | dcrat
C:\Program Files\Windows Sidebar\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe | dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Executes dropped EXE 1 IoCs
Processes:
msedge.exe
pid | process
988 | msedge.exe
Drops file in Program Files directory 4 IoCs
Processes:
00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
description | ioc | process
File created | C:\Program Files\Windows Sidebar\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
File created | C:\Program Files\Windows Sidebar\b0313517ac0ac7 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
File created | C:\Program Files\MsEdgeCrashpad\reports\taskhostw.exe | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
File created | C:\Program Files\MsEdgeCrashpad\reports\ea9f0e6c9e2dcd | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Drops file in Windows directory 2 IoCs
Processes:
00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
description | ioc | process
File created | C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\msedge.exe | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
File created | C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\61a52ddc9dd915 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (21 instances)
pid | process
4316 | schtasks.exe
1112 | schtasks.exe
856 | schtasks.exe
740 | schtasks.exe
552 | schtasks.exe
4212 | schtasks.exe
3808 | schtasks.exe
4420 | schtasks.exe
2884 | schtasks.exe
1616 | schtasks.exe
908 | schtasks.exe
4456 | schtasks.exe
548 | schtasks.exe
4620 | schtasks.exe
1404 | schtasks.exe
1128 | schtasks.exe
2200 | schtasks.exe
4892 | schtasks.exe
4404 | schtasks.exe
3756 | schtasks.exe
3852 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe, msedge.exe
pid | process
4660 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
988 | msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe, msedge.exe
description | pid | process
Token: SeDebugPrivilege | 4660 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
Token: SeDebugPrivilege | 988 | msedge.exe
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
description | pid | process | target process
PID 4660 wrote to memory of 988 | 4660 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe | msedge.exe
PID 4660 wrote to memory of 988 | 4660 | 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe | msedge.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4660
  - C:\Users\Admin\Saved Games\msedge.exe (child of PID 4660)
    Command line: "C:\Users\Admin\Saved Games\msedge.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 988
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\odt\msedge.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1404
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4316
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 908
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\msedge.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4456
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1112
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.Management.AutopilotResources\pris\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3808
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4420
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 548
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2884
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\msedge.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 856
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1128
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 740
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c0" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2200
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 552
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c0" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4892
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4404
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4620
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3756
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\MsEdgeCrashpad\reports\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4212
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\reports\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3852
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\MsEdgeCrashpad\reports\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 4164
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Windows Sidebar\00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c.exe
  Filesize: 828KB
  MD5: 1b8dc013de93bb0edf121b38e7f8ab6f
  SHA1: 2c17ada00c2b779f5e04a801265f151591e11e18
  SHA256: 00126f1a772fd459793f811457950e42177537f6387a76124d26b57266a79f1c
  SHA512: 4b23622774ea394608ade50bac520aebd64788d626e9fc316e57db8f4a4628cec221420955adae70d7ddcd7c273f6cac409d64f931e01e1a490b275788370d33