Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 04:36

Behavioral task: behavioral1
- Sample: 6386C6BC5C2E9E6EA345B370F67868B6.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 6386C6BC5C2E9E6EA345B370F67868B6.exe
- Resource: win10v2004-20240508-en
General
- Target: 6386C6BC5C2E9E6EA345B370F67868B6.exe
- Size: 1.2MB
- MD5: 6386c6bc5c2e9e6ea345b370f67868b6
- SHA1: 534e13f301e9816d6df34ac36d31bfc1b03c1a39
- SHA256: d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae
- SHA512: 85004597a30f91b42b857e66d2a186c0b359a884981f3ace452e270f618776233d2ed489e66b06aa8e6c0f25dedc76c827480c2bcb608bf6b17408c7d62712dd
- SSDEEP: 24576:/2G/nvxW3WxE37uuHjiOZmd3Oq+PaEzSJUmgvPgyGGsOfCGHsIIm:/bA3HLffCG7rs4Hsg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (24 instances)
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid_target 2880, process schtasks.exe), reported for pids 3932, 3684, 4616, 4880, 3968, 644, 4884, 3976, 3224, 3116, 4148, 1028, 4556, 1928, 3168, 960, 984, 1912, 1588, 4720, 4852, 1596, 1624, 4864.
Processes:
resource | yara_rule
C:\portServercrt\Comcommon.exe | dcrat
behavioral2/memory/4360-13-0x00000000001C0000-0x00000000002C0000-memory.dmp | dcrat
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe, Comcommon.exe, 6386C6BC5C2E9E6EA345B370F67868B6.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Comcommon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 6386C6BC5C2E9E6EA345B370F67868B6.exe
Executes dropped EXE (2 IoCs)
Processes: Comcommon.exe, fontdrvhost.exe
pid | process
4360 | Comcommon.exe
2684 | fontdrvhost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
38 | ipinfo.io
39 | ipinfo.io
Drops file in Program Files directory (3 IoCs)
Processes: Comcommon.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe | Comcommon.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\6ccacd8608530f | Comcommon.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe | Comcommon.exe
Drops file in Windows directory (1 IoCs)
Processes: Comcommon.exe
description | ioc | process
File created | C:\Windows\Boot\PCAT\es-MX\dllhost.exe | Comcommon.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 24 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (24 instances)
pid | process
schtasks.exe pids: 3684, 4616, 4880, 3976, 4148, 1928, 3168, 1912, 3932, 3968, 3116, 1028, 1588, 4720, 1596, 4864, 644, 4556, 960, 4852, 1624, 4884, 3224, 984
Modifies registry class (1 IoCs)
Processes: 6386C6BC5C2E9E6EA345B370F67868B6.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 6386C6BC5C2E9E6EA345B370F67868B6.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: Comcommon.exe, fontdrvhost.exe
pid | process
4360 | Comcommon.exe
2684 | fontdrvhost.exe (9 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: fontdrvhost.exe
pid | process
2684 | fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Comcommon.exe, fontdrvhost.exe
description | pid | process
Token: SeDebugPrivilege | 4360 | Comcommon.exe
Token: SeDebugPrivilege | 2684 | fontdrvhost.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 6386C6BC5C2E9E6EA345B370F67868B6.exe, WScript.exe, cmd.exe, Comcommon.exe
description | pid | process | target process
PID 3092 wrote to memory of 4236 | 3092 | 6386C6BC5C2E9E6EA345B370F67868B6.exe | WScript.exe (3 occurrences)
PID 4236 wrote to memory of 4632 | 4236 | WScript.exe | cmd.exe (3 occurrences)
PID 4632 wrote to memory of 4360 | 4632 | cmd.exe | Comcommon.exe (2 occurrences)
PID 4360 wrote to memory of 2684 | 4360 | Comcommon.exe | fontdrvhost.exe (2 occurrences)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\6386C6BC5C2E9E6EA345B370F67868B6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6386C6BC5C2E9E6EA345B370F67868B6.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3092
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 4236
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4632
      C:\portServercrt\Comcommon.exe
        Command line: "C:\portServercrt\Comcommon.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4360
        C:\Recovery\WindowsRE\fontdrvhost.exe
          Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID: 2684
C:\Windows\system32\schtasks.exe (24 instances, each flagged: Process spawned unexpected child process; Creates scheduled task(s))
PID | command line
3932 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
3684 | schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
4616 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
4880 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\portServercrt\System.exe'" /f
3968 | schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\portServercrt\System.exe'" /rl HIGHEST /f
644 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\portServercrt\System.exe'" /rl HIGHEST /f
4884 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\portServercrt\Idle.exe'" /f
3976 | schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\portServercrt\Idle.exe'" /rl HIGHEST /f
3224 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\portServercrt\Idle.exe'" /rl HIGHEST /f
3116 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f
4148 | schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1028 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
4556 | schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\MoUsoCoreWorker.exe'" /f
1928 | schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\MoUsoCoreWorker.exe'" /rl HIGHEST /f
3168 | schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\MoUsoCoreWorker.exe'" /rl HIGHEST /f
960 | schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
984 | schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1912 | schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1588 | schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
4720 | schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
4852 | schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1596 | schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1624 | schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
4864 | schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\portServercrt\Comcommon.exe
- Filesize: 997KB
- MD5: 1c3c6b206b20d18d049ed7586e330929
- SHA1: aa9e8e3adb308b5a1a7d1c0495febd3ab72aacc2
- SHA256: b670fb654e4d987a06482ce19145d0a487245da4e67b90175d81233e3529424e
- SHA512: a81ccdfb60c92d8bd4e718fff38bae956eed71009b829d007db3975c60c361a198d94349256d558221cc90dad8215e58aa7197ae1d5c449a0c6417d027cabc53

C:\portServercrt\DwNQE.vbe
- Filesize: 203B
- MD5: 588844585deebaa15919f153bc9447f0
- SHA1: 6e067e41f4abea125c891cf1672d9062d771d209
- SHA256: 7070398fff90d278d0f5681fa9a7923eea74811856972eaf0adaa1d738a7fcd1
- SHA512: dfe8093be45de5f5b9df7310b270e3e7fc26cebcb94e5146bfab85dcc954eeb8a5d8a35d9286015493df6e087b34400df92b117390816464e1698e8f9ad4635d

C:\portServercrt\ZHAklq6LBoJU.bat
- Filesize: 32B
- MD5: db82c18bb79cfc990b4cde2874b61c10
- SHA1: 183605f521813b881e1a5847e569b831232c0fd1
- SHA256: 943267a241c1e345f7e010e95299b1af5b5cade19faddbbf46784282dbc50f13
- SHA512: 7cef1f08019c7bd5ed13acb8d960352acc014e88b3d2ac0708478889d117bf826346ce080e4a68bfebe10d6ffee634cd1672903ab187c60a3643f3871e72c471

Memory dumps:
- memory/2684-44-0x000000001CB50000-0x000000001CD12000-memory.dmp: 1.8MB
- memory/2684-45-0x000000001D5F0000-0x000000001DB18000-memory.dmp: 5.2MB
- memory/4360-12-0x00007FFF5D493000-0x00007FFF5D495000-memory.dmp: 8KB
- memory/4360-13-0x00000000001C0000-0x00000000002C0000-memory.dmp: 1024KB
- memory/4360-14-0x000000001B4D0000-0x000000001B4DE000-memory.dmp: 56KB
- memory/4360-15-0x000000001B4E0000-0x000000001B4EC000-memory.dmp: 48KB
- memory/4360-16-0x000000001B4F0000-0x000000001B4FC000-memory.dmp: 48KB