Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 04:51

General

  • Target

    526153CBD86009228AD53CD262A9C6B3.exe

  • Size

    2.4MB

  • MD5

    526153cbd86009228ad53cd262a9c6b3

  • SHA1

    6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2

  • SHA256

    5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48

  • SHA512

    9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

  • SSDEEP

    49152:TF42UxdKzPsUdtK7iOgwNwjlYrdnXJc9Qn3z4:TC2UxdYZhOIeBXJcu3

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe
    "C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Public\dllhost.exe
      "C:\Users\Public\dllhost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\755249da-4526-41d8-a065-4c340cdfef29.vbs"
        3⤵
          PID:3284
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9458e87-3fd5-46c9-b7e4-7375f630a4f6.vbs"
          3⤵
            PID:1288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2104
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2484
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3688
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:332
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3148
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2792
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5068
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe

        Filesize

        2.4MB

        MD5

        526153cbd86009228ad53cd262a9c6b3

        SHA1

        6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2

        SHA256

        5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48

        SHA512

        9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

      • C:\Users\Admin\AppData\Local\Temp\755249da-4526-41d8-a065-4c340cdfef29.vbs

        Filesize

        703B

        MD5

        8639b865a655e634a8ac101667ca27f2

        SHA1

        9b956668bce1e13694f12a0ae4c99aac461449a9

        SHA256

        945c11447fa6dd6f1cfb903039a40d954427359e522ed38e28d189bd60e13736

        SHA512

        883e60e8295a07b7734a3408ecd2dfb568a79d9450cc85868dc9596257db4db87ceec12900b127e1cfdb2fcf8663a5a64eba235653e8f1be75362da9c90be044

      • C:\Users\Admin\AppData\Local\Temp\e9458e87-3fd5-46c9-b7e4-7375f630a4f6.vbs

        Filesize

        479B

        MD5

        2ebedb5c507ba00c6edd4888940e2a8b

        SHA1

        16cda38cfff9e043c17b086efd82db85b3eeb25e

        SHA256

        0b5b8bce363126144965824542c5de8c5024e6c728c3c163842bb0313e7d94bf

        SHA512

        fbd9efad128ee5dd8ef62cf0425a2726c709bbf4005711c114d8bdc6e7590da64aa80d546426a61c88c533728cef53598745bb1114cbb937f937db1c873db4be

      • memory/2032-7-0x0000000002570000-0x00000000025C6000-memory.dmp

        Filesize

        344KB

      • memory/2032-13-0x000000001B160000-0x000000001B16E000-memory.dmp

        Filesize

        56KB

      • memory/2032-0-0x00007FFB32EF3000-0x00007FFB32EF5000-memory.dmp

        Filesize

        8KB

      • memory/2032-6-0x0000000002550000-0x0000000002566000-memory.dmp

        Filesize

        88KB

      • memory/2032-5-0x0000000000B50000-0x0000000000B58000-memory.dmp

        Filesize

        32KB

      • memory/2032-8-0x00000000025C0000-0x00000000025CC000-memory.dmp

        Filesize

        48KB

      • memory/2032-9-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

      • memory/2032-10-0x000000001C0E0000-0x000000001C608000-memory.dmp

        Filesize

        5.2MB

      • memory/2032-11-0x0000000002760000-0x0000000002768000-memory.dmp

        Filesize

        32KB

      • memory/2032-4-0x00000000026F0000-0x0000000002740000-memory.dmp

        Filesize

        320KB

      • memory/2032-14-0x000000001B170000-0x000000001B17C000-memory.dmp

        Filesize

        48KB

      • memory/2032-12-0x000000001B150000-0x000000001B15A000-memory.dmp

        Filesize

        40KB

      • memory/2032-3-0x0000000000AD0000-0x0000000000AEC000-memory.dmp

        Filesize

        112KB

      • memory/2032-44-0x00007FFB32EF0000-0x00007FFB339B1000-memory.dmp

        Filesize

        10.8MB

      • memory/2032-1-0x0000000000190000-0x0000000000406000-memory.dmp

        Filesize

        2.5MB

      • memory/2032-2-0x00007FFB32EF0000-0x00007FFB339B1000-memory.dmp

        Filesize

        10.8MB

      • memory/2160-45-0x000000001B840000-0x000000001B852000-memory.dmp

        Filesize

        72KB