Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 04:51
Behavioral task behavioral1
- Sample: 526153CBD86009228AD53CD262A9C6B3.exe
- Resource: win7-20240508-en

Behavioral task behavioral2
- Sample: 526153CBD86009228AD53CD262A9C6B3.exe
- Resource: win10v2004-20240426-en
General
- Target: 526153CBD86009228AD53CD262A9C6B3.exe
- Size: 2.4MB
- MD5: 526153cbd86009228ad53cd262a9c6b3
- SHA1: 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
- SHA256: 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
- SHA512: 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665
- SSDEEP: 49152:TF42UxdKzPsUdtK7iOgwNwjlYrdnXJc9Qn3z4:TC2UxdYZhOIeBXJcu3
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Process spawned unexpected child process (27 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe (27 instances)
  Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 1008) is not expected to spawn this process. Spawned schtasks.exe PIDs: 4964, 2944, 4364, 2104, 1492, 1056, 2484, 5004, 2072, 1920, 3688, 1544, 2908, 5036, 2368, 2328, 332, 2916, 744, 632, 1276, 3752, 4880, 3148, 2792, 5068, 1500
- Yara rule matches (resource -> yara_rule)
  - behavioral2/memory/2032-1-0x0000000000190000-0x0000000000406000-memory.dmp -> dcrat
  - C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe -> dcrat
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: dllhost.exe, 526153CBD86009228AD53CD262A9C6B3.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (dllhost.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (526153CBD86009228AD53CD262A9C6B3.exe)
- Executes dropped EXE (1 IoC)
  Processes: dllhost.exe (PID 2160)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (8 IoCs)
  Processes: 526153CBD86009228AD53CD262A9C6B3.exe
  - File created: C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe
  - File created: C:\Program Files\Windows Photo Viewer\ja-JP\ea1d8f6d871115
  - File created: C:\Program Files\Mozilla Firefox\lsass.exe
  - File created: C:\Program Files\Mozilla Firefox\6203df4a6bafc7
  - File created: C:\Program Files\ModifiableWindowsApps\fontdrvhost.exe
  - File created: C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe
  - File opened for modification: C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe
  - File created: C:\Program Files (x86)\Windows Defender\es-ES\29c1c3cc0f7685
- Drops file in Windows directory (6 IoCs)
  Processes: 526153CBD86009228AD53CD262A9C6B3.exe
  - File created: C:\Windows\DiagTrack\lsass.exe
  - File created: C:\Windows\DiagTrack\6203df4a6bafc7
  - File created: C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe
  - File created: C:\Windows\BitLockerDiscoveryVolumeContents\69ddcba757bf72
  - File created: C:\Windows\PLA\spoolsv.exe
  - File created: C:\Windows\PLA\f3b6ecef712a24
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 27 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, PIDs 3688, 2328, 2916, 632, 4880, 4964, 2104, 2072, 1500, 1056, 2908, 2368, 1276, 5036, 332, 744, 4364, 5068, 1492, 2792, 2944, 3148, 5004, 3752, 2484, 1920, 1544
- Modifies registry class (1 IoC)
  Processes: dllhost.exe
  - Key created: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings (dllhost.exe)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: 526153CBD86009228AD53CD262A9C6B3.exe (PID 2032, 3 events), dllhost.exe (PID 2160, 13 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: dllhost.exe (PID 2160)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 526153CBD86009228AD53CD262A9C6B3.exe, dllhost.exe
  - Token: SeDebugPrivilege, PID 2032 (526153CBD86009228AD53CD262A9C6B3.exe)
  - Token: SeDebugPrivilege, PID 2160 (dllhost.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 526153CBD86009228AD53CD262A9C6B3.exe, dllhost.exe
  - PID 2032 (526153CBD86009228AD53CD262A9C6B3.exe) wrote to memory of PID 2160 (dllhost.exe), 2 events
  - PID 2160 (dllhost.exe) wrote to memory of PID 3284 (WScript.exe), 2 events
  - PID 2160 (dllhost.exe) wrote to memory of PID 1288 (WScript.exe), 2 events
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe (PID 2032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Public\dllhost.exe (PID 2160)
    Command line: "C:\Users\Public\dllhost.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe (PID 3284)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\755249da-4526-41d8-a065-4c340cdfef29.vbs"
    - C:\Windows\System32\WScript.exe (PID 1288)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9458e87-3fd5-46c9-b7e4-7375f630a4f6.vbs"

The following 27 C:\Windows\system32\schtasks.exe instances appear at the top level of the tree; their parent, wmiprvse.exe (PID 1008), is not shown. Each one triggered the signatures "Process spawned unexpected child process" and "Creates scheduled task(s)".
- PID 4964: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /f
- PID 2944: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
- PID 4364: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
- PID 2104: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /f
- PID 1492: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
- PID 1056: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
- PID 2484: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\dllhost.exe'" /f
- PID 5004: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
- PID 2072: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
- PID 1920: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\spoolsv.exe'" /f
- PID 3688: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
- PID 1544: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
- PID 2908: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /f
- PID 5036: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /rl HIGHEST /f
- PID 2368: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /rl HIGHEST /f
- PID 2328: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /f
- PID 332: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
- PID 2916: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
- PID 744: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\lsass.exe'" /f
- PID 632: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f
- PID 1276: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f
- PID 3752: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- PID 4880: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 3148: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 2792: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
- PID 5068: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- PID 1500: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f