Analysis

  • max time kernel
    135s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 02:33

General

  • Target

    b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe

  • Size

    2.7MB

  • MD5

    9508912e063cac5e940efba1f85ce86f

  • SHA1

    e6d15f29a811c4470f4b7a245207e9f2d1051e62

  • SHA256

    b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf

  • SHA512

    2581361c9c99904ff11beb75208e3689ef310cdb98fd8a0d71a3f0a3d5480f696fc14a5b8e42075d3df79b89bb2623114763ff75820fa454e053f5f72b875f27

  • SSDEEP

    49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe
    "C:\Users\Admin\AppData\Local\Temp\b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3176
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Q5RNa0biU.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2112
        • C:\Recovery\WindowsRE\OfficeClickToRun.exe
          "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:4924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4936

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Windows NT\fontdrvhost.exe

      Filesize

      2.7MB

      MD5

      9508912e063cac5e940efba1f85ce86f

      SHA1

      e6d15f29a811c4470f4b7a245207e9f2d1051e62

      SHA256

      b7a7803345ff48799486bb3d6e45598c956d5217f6d5571ee684f5421198e0cf

      SHA512

      2581361c9c99904ff11beb75208e3689ef310cdb98fd8a0d71a3f0a3d5480f696fc14a5b8e42075d3df79b89bb2623114763ff75820fa454e053f5f72b875f27

    • C:\Users\Admin\AppData\Local\Temp\2Q5RNa0biU.bat

      Filesize

      207B

      MD5

      6bb33abc76b51d5e4c4ce9006e6b3ead

      SHA1

      75fa1ca7685c0d8ac578751e76006a9c47a2600a

      SHA256

      b3378c21302b3978b1734c12a19f6d7b3638790c078718f2dc71fbd5e0106f7b

      SHA512

      fb79d6e568f8af56920059ae1aebaa95e0b12e37edc1e93e9361534c57a9f9d04d9de898c644f01dfd0689a698691d72e4871a698a4d3bb67c62733c13ade82f

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4whoeya.snd.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1020-14-0x000000001BB60000-0x000000001BB68000-memory.dmp

      Filesize

      32KB

    • memory/1020-2-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

      Filesize

      10.8MB

    • memory/1020-6-0x0000000001690000-0x0000000001698000-memory.dmp

      Filesize

      32KB

    • memory/1020-5-0x000000001C230000-0x000000001C280000-memory.dmp

      Filesize

      320KB

    • memory/1020-11-0x000000001BB40000-0x000000001BB50000-memory.dmp

      Filesize

      64KB

    • memory/1020-10-0x00000000018B0000-0x00000000018B8000-memory.dmp

      Filesize

      32KB

    • memory/1020-19-0x000000001BCC0000-0x000000001BCCC000-memory.dmp

      Filesize

      48KB

    • memory/1020-9-0x00000000018A0000-0x00000000018A8000-memory.dmp

      Filesize

      32KB

    • memory/1020-8-0x0000000001870000-0x0000000001886000-memory.dmp

      Filesize

      88KB

    • memory/1020-13-0x000000001C1E0000-0x000000001C236000-memory.dmp

      Filesize

      344KB

    • memory/1020-3-0x0000000001680000-0x0000000001688000-memory.dmp

      Filesize

      32KB

    • memory/1020-15-0x000000001BB70000-0x000000001BB78000-memory.dmp

      Filesize

      32KB

    • memory/1020-16-0x000000001BC90000-0x000000001BC9C000-memory.dmp

      Filesize

      48KB

    • memory/1020-0-0x00007FF8E8B03000-0x00007FF8E8B05000-memory.dmp

      Filesize

      8KB

    • memory/1020-18-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

      Filesize

      48KB

    • memory/1020-7-0x0000000001860000-0x0000000001870000-memory.dmp

      Filesize

      64KB

    • memory/1020-12-0x000000001BB50000-0x000000001BB5A000-memory.dmp

      Filesize

      40KB

    • memory/1020-20-0x000000001C380000-0x000000001C388000-memory.dmp

      Filesize

      32KB

    • memory/1020-23-0x000000001C4B0000-0x000000001C4BC000-memory.dmp

      Filesize

      48KB

    • memory/1020-22-0x000000001C3A0000-0x000000001C3AC000-memory.dmp

      Filesize

      48KB

    • memory/1020-21-0x000000001C390000-0x000000001C398000-memory.dmp

      Filesize

      32KB

    • memory/1020-24-0x000000001C500000-0x000000001C508000-memory.dmp

      Filesize

      32KB

    • memory/1020-25-0x000000001C510000-0x000000001C51A000-memory.dmp

      Filesize

      40KB

    • memory/1020-26-0x000000001C520000-0x000000001C52C000-memory.dmp

      Filesize

      48KB

    • memory/1020-29-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

      Filesize

      10.8MB

    • memory/1020-30-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

      Filesize

      10.8MB

    • memory/1020-4-0x0000000001840000-0x000000000185C000-memory.dmp

      Filesize

      112KB

    • memory/1020-72-0x00007FF8E8B00000-0x00007FF8E95C1000-memory.dmp

      Filesize

      10.8MB

    • memory/1020-1-0x0000000000C00000-0x0000000000EC0000-memory.dmp

      Filesize

      2.8MB

    • memory/1020-17-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

      Filesize

      32KB

    • memory/3176-74-0x000001F40BD60000-0x000001F40BD82000-memory.dmp

      Filesize

      136KB

    • memory/4924-89-0x000000001C2C0000-0x000000001C316000-memory.dmp

      Filesize

      344KB