Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
16-05-2024 02:21
Behavioral task
behavioral1
Sample
4a8fd7bb970c86e0650a3e110fb5e6d0.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4a8fd7bb970c86e0650a3e110fb5e6d0.exe
Resource
win10v2004-20240426-en
General
-
Target
4a8fd7bb970c86e0650a3e110fb5e6d0.exe
-
Size
901KB
-
MD5
4a8fd7bb970c86e0650a3e110fb5e6d0
-
SHA1
514e8249d87435de3b34bfd06e3dea9a6fb0fc96
-
SHA256
86e9ac84264ae29059d78e2a3ebedea8d3b6c1083d03b82bdab8e32d306fd8a9
-
SHA512
390a7e834dec74cbcc49efeee1adddb05bbe2e972e08a0ec5e6cfbecc92e4a864f6c33ce1a1d293acd42cc4f8f6ca89a8226820819170f8d86ff5e5d301e5910
-
SSDEEP
12288:ZRlDmSxJVEcVQ8KNIeyYzXIpv+KX5x3JfjaOCXzP8bGUwqHGrgc:zlDVLfVQ8KMYD/KXZfjaV8bGjqHGrF
Malware Config
Signatures
-
DcRat
DcRat (DarkCrystal RAT) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged parent is WmiPrvSE.exe (the WMI provider host, PID 3884), not the sample or its dropped copy: a process created through WMI appears as a child of WmiPrvSE.exe, so a process-tree rule keyed on 4a8fd7bb970c86e0650a3e110fb5e6d0.exe or backgroundTaskHost.exe spawning schtasks.exe would not fire here. Hunt for wmiprvse.exe spawning schtasks.exe /create instead.
Processes: schtasks.exe (15 instances)
description | pid | pid_target | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1260 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2540 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3560 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1556 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1608 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4388 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4804 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1760 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4624 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3084 | 3884 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1008 | 3884 | schtasks.exe
-
YARA matches (rule dcrat): the running sample's memory and the copy dropped into Program Files both match, so the dropped file is the same family, not a separate payload.
resource | yara_rule
behavioral2/memory/1972-1-0x0000000000AD0000-0x0000000000BB8000-memory.dmp | dcrat
C:\Program Files\Uninstall Information\sppsvc.exe | dcrat
-
Checks computer location settings 2 TTPs 1 IoCs
Reads the country code configured in the registry (Control Panel\International\Geo\Nation). This is a common geofence check, used to skip execution in selected locales.
Processes: 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
-
Executes dropped EXE 1 IoCs
Processes: backgroundTaskHost.exe
pid | process
4792 | backgroundTaskHost.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP address. ip-api.com is also used by benign software, so treat this request as corroborating evidence rather than a stand-alone indicator.
Processes:
flow | ioc
7 | ip-api.com
-
Drops file in Program Files directory 7 IoCs
Each dropped executable is accompanied by a short hex-named companion file in the same directory (eddb19405b7ce1, 0a1fd5f707cd16, 5940a34987c991); both are usable as file-system IoCs.
Processes: 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\eddb19405b7ce1 | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
File created | C:\Program Files\Uninstall Information\sppsvc.exe | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
File created | C:\Program Files\Uninstall Information\0a1fd5f707cd16 | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991 | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the 15 invocations register three tasks per payload for five targets whose file names imitate Windows processes (dllhost.exe under Program Files and under the user's Favorites folder, backgroundTaskHost.exe, Registry.exe under C:\Recovery\WindowsRE, and sppsvc.exe): a MINUTE repeat at the default run level, an ONLOGON task at /rl HIGHEST, and a second MINUTE repeat at /rl HIGHEST. The two MINUTE tasks share a task name, so with /f the HIGHEST one overwrites the first. Two of the targets (C:\Users\Admin\Favorites\dllhost.exe and C:\Recovery\WindowsRE\Registry.exe) fall outside the Program Files drop signature above, so check on a live host whether those files were written as well.
Processes: schtasks.exe (15 instances)
pid | process
4804 | schtasks.exe
4624 | schtasks.exe
1260 | schtasks.exe
2748 | schtasks.exe
1008 | schtasks.exe
1556 | schtasks.exe
3084 | schtasks.exe
1752 | schtasks.exe
4388 | schtasks.exe
3560 | schtasks.exe
1780 | schtasks.exe
1608 | schtasks.exe
1760 | schtasks.exe
2540 | schtasks.exe
2884 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes: 4a8fd7bb970c86e0650a3e110fb5e6d0.exe, backgroundTaskHost.exe
pid | process | occurrences
1972 | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe | 13
4792 | backgroundTaskHost.exe | 12
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: backgroundTaskHost.exe
pid | process
4792 | backgroundTaskHost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 4a8fd7bb970c86e0650a3e110fb5e6d0.exe, backgroundTaskHost.exe
description | pid | process
Token: SeDebugPrivilege | 1972 | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
Token: SeDebugPrivilege | 4792 | backgroundTaskHost.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: 4a8fd7bb970c86e0650a3e110fb5e6d0.exe
description | pid | process | target process
PID 1972 wrote to memory of 4792 | 1972 | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe | backgroundTaskHost.exe
PID 1972 wrote to memory of 4792 | 1972 | 4a8fd7bb970c86e0650a3e110fb5e6d0.exe | backgroundTaskHost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a8fd7bb970c86e0650a3e110fb5e6d0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a8fd7bb970c86e0650a3e110fb5e6d0.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1972
  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe (depth 2)
    Command line: "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 4792
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1260
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2540
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3560
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1556
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2884
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2748
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Favorites\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1780
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1752
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Favorites\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1608
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4388
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4804
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1760
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4624
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3084
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1008
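The schtasks.exe command lines in the process tree above, together with the "Process spawned unexpected child process" and "Creates scheduled task(s)" signatures, are the whole persistence layout of this run. The following Python script is an added example, not part of the sandbox report and not DcRat code: it parses schtasks /create command lines from a process-creation log into structured IoCs and applies the two checks a responder would want from this report, namely schtasks.exe spawned by WmiPrvSE.exe, and targets that are registered both ONLOGON at /rl HIGHEST and on a MINUTE repeat under a file name borrowed from a Windows process outside the Windows directory. The EVENTS list is constructed here from six rows of the report's process tree plus one constructed benign backup task as a control; SYSTEM_NAMES and the simplified command-line tokenizer (double-quoted spans only) are assumptions of this example.

```python
"""Added triage helper (not part of the sandbox report or of DcRat): turn the
schtasks.exe command lines in a process-creation log into structured
persistence IoCs and apply the checks this report motivates."""
import ntpath
import re
from collections import defaultdict

# Assumption: file names a dropper borrows from real Windows processes; extend as needed.
SYSTEM_NAMES = {"dllhost.exe", "sppsvc.exe", "backgroundtaskhost.exe", "registry.exe"}

# Constructed process-creation records (pid, parent image, child image, command line).
# The six schtasks rows are taken from the report's process tree; the last row is a
# constructed benign task used as a control.
EVENTS = [
    (1260, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f'''),
    (2540, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f'''),
    (3560, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f'''),
    (4624, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f'''),
    (3084, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f'''),
    (1008, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f'''),
    (5000, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe C:\data D:\bak" /f'''),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd):
    """Minimal Windows command-line splitter: a double-quoted span is one token."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmd)]


def parse_schtasks(cmd):
    """Return the /create parameters of a schtasks command line, or None if it is not a /create."""
    toks = split_cmdline(cmd)
    if len(toks) < 2 or not toks[0].lower().endswith("schtasks.exe") or toks[1].lower() != "/create":
        return None
    task = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": "LIMITED", "force": False}
    i = 2
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/f":  # overwrite an existing task of the same name without prompting
            task["force"] = True
            i += 1
        elif flag in ("/tn", "/sc", "/mo", "/tr", "/rl", "/st") and i + 1 < len(toks):
            task[flag[1:]] = toks[i + 1]
            i += 2
        else:
            i += 1
    raw = task["tr"] or ""
    # The sample wraps its target path in single quotes inside the double quotes;
    # otherwise assume the executable is the first whitespace-separated token.
    task["exe"] = raw.strip("'") if raw.startswith("'") else raw.split(" ", 1)[0]
    return task


def masquerades(path):
    """True when the file name copies a Windows system process but lives outside the Windows directory."""
    return ntpath.basename(path).lower() in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\")


def triage(events):
    f = {"wmi_spawned": [], "masquerading": [], "highest": [], "targets": defaultdict(set)}
    for pid, parent, child, cmd in events:
        # Process-tree check: schtasks.exe whose parent is the WMI provider host.
        if ntpath.basename(parent).lower() == "wmiprvse.exe" and ntpath.basename(child).lower() == "schtasks.exe":
            f["wmi_spawned"].append(pid)
        task = parse_schtasks(cmd)
        if task is None or not task["exe"]:
            continue
        f["targets"][task["exe"].lower()].add(((task["sc"] or "").upper(), task["rl"].upper()))
        if task["rl"].upper() == "HIGHEST":
            f["highest"].append(task["tn"])
        if masquerades(task["exe"]):
            f["masquerading"].append((task["tn"], task["exe"]))
    return f


def dcrat_style_targets(findings):
    """Targets registered both ONLOGON at /rl HIGHEST and on a MINUTE repeat:
    the per-payload layout this sample uses for every copy it drops."""
    hits = []
    for exe, scheds in findings["targets"].items():
        if ("ONLOGON", "HIGHEST") in scheds and any(sc == "MINUTE" for sc, _ in scheds):
            hits.append(exe)
    return sorted(hits)


if __name__ == "__main__":
    f = triage(EVENTS)
    print("schtasks.exe spawned by WmiPrvSE.exe, PIDs:", f["wmi_spawned"])
    print("tasks at /rl HIGHEST:", f["highest"])
    for tn, exe in f["masquerading"]:
        print(f"masquerading target: task {tn!r} -> {exe}")
    print("DcRat-style persistence targets:", dcrat_style_targets(f))
```

The benign control task is parsed but not flagged: its parent is cmd.exe, it runs a binary under C:\Windows, and it has no ONLOGON plus MINUTE pair. On a live host the same logic applies to Sysmon Event ID 1 or Security 4688 records with command-line auditing enabled; the schtasks command lines are the part worth logging, since the task names alone (dllhost, sppsvc) look legitimate.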
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
901KB
-
MD5
4a8fd7bb970c86e0650a3e110fb5e6d0
-
SHA1
514e8249d87435de3b34bfd06e3dea9a6fb0fc96
-
SHA256
86e9ac84264ae29059d78e2a3ebedea8d3b6c1083d03b82bdab8e32d306fd8a9
-
SHA512
390a7e834dec74cbcc49efeee1adddb05bbe2e972e08a0ec5e6cfbecc92e4a864f6c33ce1a1d293acd42cc4f8f6ca89a8226820819170f8d86ff5e5d301e5910