Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 04:36

General

  • Target

    6386C6BC5C2E9E6EA345B370F67868B6.exe

  • Size

    1.2MB

  • MD5

    6386c6bc5c2e9e6ea345b370f67868b6

  • SHA1

    534e13f301e9816d6df34ac36d31bfc1b03c1a39

  • SHA256

    d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae

  • SHA512

    85004597a30f91b42b857e66d2a186c0b359a884981f3ace452e270f618776233d2ed489e66b06aa8e6c0f25dedc76c827480c2bcb608bf6b17408c7d62712dd

  • SSDEEP

    24576:/2G/nvxW3WxE37uuHjiOZmd3Oq+PaEzSJUmgvPgyGGsOfCGHsIIm:/bA3HLffCG7rs4Hsg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro; here the unexpected children are the 24 schtasks.exe invocations listed under Processes.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6386C6BC5C2E9E6EA345B370F67868B6.exe
    "C:\Users\Admin\AppData\Local\Temp\6386C6BC5C2E9E6EA345B370F67868B6.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\portServercrt\Comcommon.exe
          "C:\portServercrt\Comcommon.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4360
          • C:\Recovery\WindowsRE\fontdrvhost.exe
            "C:\Recovery\WindowsRE\fontdrvhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\portServercrt\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\portServercrt\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\portServercrt\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\portServercrt\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\portServercrt\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\portServercrt\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\MoUsoCoreWorker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\portServercrt\Comcommon.exe
    Filesize

    997KB

    MD5

    1c3c6b206b20d18d049ed7586e330929

    SHA1

    aa9e8e3adb308b5a1a7d1c0495febd3ab72aacc2

    SHA256

    b670fb654e4d987a06482ce19145d0a487245da4e67b90175d81233e3529424e

    SHA512

    a81ccdfb60c92d8bd4e718fff38bae956eed71009b829d007db3975c60c361a198d94349256d558221cc90dad8215e58aa7197ae1d5c449a0c6417d027cabc53

  • C:\portServercrt\DwNQE.vbe
    Filesize

    203B

    MD5

    588844585deebaa15919f153bc9447f0

    SHA1

    6e067e41f4abea125c891cf1672d9062d771d209

    SHA256

    7070398fff90d278d0f5681fa9a7923eea74811856972eaf0adaa1d738a7fcd1

    SHA512

    dfe8093be45de5f5b9df7310b270e3e7fc26cebcb94e5146bfab85dcc954eeb8a5d8a35d9286015493df6e087b34400df92b117390816464e1698e8f9ad4635d

  • C:\portServercrt\ZHAklq6LBoJU.bat
    Filesize

    32B

    MD5

    db82c18bb79cfc990b4cde2874b61c10

    SHA1

    183605f521813b881e1a5847e569b831232c0fd1

    SHA256

    943267a241c1e345f7e010e95299b1af5b5cade19faddbbf46784282dbc50f13

    SHA512

    7cef1f08019c7bd5ed13acb8d960352acc014e88b3d2ac0708478889d117bf826346ce080e4a68bfebe10d6ffee634cd1672903ab187c60a3643f3871e72c471

  • memory/2684-44-0x000000001CB50000-0x000000001CD12000-memory.dmp
    Filesize

    1.8MB

  • memory/2684-45-0x000000001D5F0000-0x000000001DB18000-memory.dmp
    Filesize

    5.2MB

  • memory/4360-12-0x00007FFF5D493000-0x00007FFF5D495000-memory.dmp
    Filesize

    8KB

  • memory/4360-13-0x00000000001C0000-0x00000000002C0000-memory.dmp
    Filesize

    1024KB

  • memory/4360-14-0x000000001B4D0000-0x000000001B4DE000-memory.dmp
    Filesize

    56KB

  • memory/4360-15-0x000000001B4E0000-0x000000001B4EC000-memory.dmp
    Filesize

    48KB

  • memory/4360-16-0x000000001B4F0000-0x000000001B4FC000-memory.dmp
    Filesize

    48KB