Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 14:21
Behavioral task behavioral1: sample a65ef974cf4bc255d44fa7ab8acddf50.exe, resource win7-20240508-en
Behavioral task behavioral2: sample a65ef974cf4bc255d44fa7ab8acddf50.exe, resource win10v2004-20240426-en
The results below are from behavioral2 (the Windows 10 run; the memory dump and YARA hit are labelled behavioral2/...).
General
Target: a65ef974cf4bc255d44fa7ab8acddf50.exe
Size: 1.1MB
MD5: a65ef974cf4bc255d44fa7ab8acddf50
SHA1: dfbf0babf43166796c2f5cef62742e9bfc00c55b
SHA256: 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
SHA512: 18bb4f417e84fea2c9b1eb20658c9bcb9a6317a50462db9c490b03ac7f7176d5c2a7c6cde9253a2991df70e866350c93ffe4ff2120f2ae85e26361d764a765dc
SSDEEP: 24576:n8mNQarw3m8/2W9WRr0Lnw8Zaxy5KcT0zY/Or:DQa2/IRjc5K6
Malware Config
Signatures
DcRat
DarkCrystal (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the sandbox records the twelve schtasks.exe processes with wmiprvse.exe (PID 2520) as parent rather than the sample (PID 1296), so parent-PID alone does not link them to the sample; the task payloads (see the process tree below) are exactly the files the sample dropped, which is how they tie back to this infection.
Processes: schtasks.exe (x12)
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2520) is not expected to spawn schtasks.exe; child PIDs: 3952, 3116, 1108, 2100, 3068, 772, 1960, 1188, 680, 4664, 4404, 4228
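The attribution problem described above, as an added example that is not part of the sandbox report: the twelve schtasks.exe processes cannot be tied to the dropper by parent PID (their parent is wmiprvse.exe, PID 2520), so the script flags them as unexpected children of wmiprvse.exe and then attributes each task to the process that created its payload file. The events are constructed from the report's process tree and file-drop signatures; the record layout, the allowlist and the abbreviated task command lines are assumptions for illustration.

```python
import re

# Constructed from the report above (PIDs, images and dropped paths are the
# sandbox's).  The record layout (type/pid/ppid/image/cmdline/path) is an
# assumption standing in for Sysmon process-create / file-create events, and
# the schtasks command lines are abbreviated to the /tr payload that matters.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"

_TASKS = [  # (schtasks.exe PID, scheduled payload) as recorded in the report
    (3952, r"C:\Windows\es-ES\OfficeClickToRun.exe"),
    (3116, r"C:\Windows\es-ES\OfficeClickToRun.exe"),
    (1108, r"C:\Windows\es-ES\OfficeClickToRun.exe"),
    (2100, r"C:\Windows\Downloaded Program Files\explorer.exe"),
    (3068, r"C:\Windows\Downloaded Program Files\explorer.exe"),
    (772, r"C:\Windows\Downloaded Program Files\explorer.exe"),
    (1960, r"C:\Recovery\WindowsRE\unsecapp.exe"),
    (1188, r"C:\Recovery\WindowsRE\unsecapp.exe"),
    (680, r"C:\Recovery\WindowsRE\unsecapp.exe"),
    (4664, r"C:\Program Files\Windows Mail\services.exe"),
    (4404, r"C:\Program Files\Windows Mail\services.exe"),
    (4228, r"C:\Program Files\Windows Mail\services.exe"),
]

EVENTS = (
    # ppid 0 = parent not recorded in the report
    [{"type": "process", "pid": 1296, "ppid": 0, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
     {"type": "process", "pid": 2520, "ppid": 0, "image": WMIPRVSE, "cmdline": "wmiprvse.exe"}]
    # files the report shows the sample creating (no unsecapp.exe among them)
    + [{"type": "file_create", "pid": 1296, "path": p} for p in (
        r"C:\Program Files\Windows Mail\services.exe",
        r"C:\Windows\es-ES\OfficeClickToRun.exe",
        r"C:\Windows\Downloaded Program Files\explorer.exe")]
    + [{"type": "process", "pid": pid, "ppid": 2520, "image": SCHTASKS,
        "cmdline": f"schtasks.exe /create /tn t{pid} /sc ONLOGON /tr \"'{path}'\" /f"}
       for pid, path in _TASKS]
)

# Assumed allowlist: which child images a parent normally starts.  An empty
# set means the parent is not expected to start command-line tools at all.
EXPECTED_CHILDREN = {"wmiprvse.exe": set()}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_children(events, allowlist=EXPECTED_CHILDREN):
    """Return (parent_pid, parent_image, child_pid, child_image) for every
    process whose parent is in the allowlist but whose image is not one of
    that parent's expected children."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        pname = image_name(parent["image"])
        if pname in allowlist and image_name(e["image"]) not in allowlist[pname]:
            hits.append((parent["pid"], pname, e["pid"], image_name(e["image"])))
    return hits


# Pull the /tr payload whether it is bare, "quoted" or "'double-wrapped'".
_TR = re.compile(r"""/tr\s+"?'?([^'"]+?)['"]*(?:\s+/|$)""", re.IGNORECASE)


def task_payload(cmdline):
    m = _TR.search(cmdline)
    return m.group(1).strip() if m else None


def attribute_tasks(events):
    """Map each schtasks.exe PID to the PID that created its payload file,
    or None when no observed process wrote that file."""
    creators = {e["path"].lower(): e["pid"] for e in events if e["type"] == "file_create"}
    out = {}
    for e in events:
        if e["type"] == "process" and image_name(e["image"]) == "schtasks.exe":
            payload = task_payload(e["cmdline"])
            out[e["pid"]] = creators.get(payload.lower()) if payload else None
    return out


if __name__ == "__main__":
    for hit in unexpected_children(EVENTS):
        print("unexpected child: parent %d %s -> %d %s" % hit)
    for pid, creator in sorted(attribute_tasks(EVENTS).items()):
        print(f"schtasks PID {pid}: payload written by PID {creator}")
```

Tasks whose payload no observed process wrote (here the three unsecapp.exe tasks) come back as None; that is the case to look at by hand, since the file may have been written outside the capture or may never exist, in which case the task fails silently every run.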
YARA hits:
behavioral2/memory/1296-1-0x00000000003A0000-0x00000000004BA000-memory.dmp: rule dcrat
C:\Program Files\Windows Mail\services.exe: rule dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe
Key value queried: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (a65ef974cf4bc255d44fa7ab8acddf50.exe)
Executes dropped EXE 1 IoCs
Processes: services.exe (PID 4616)
Drops file in Program Files directory 2 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe
File created: C:\Program Files\Windows Mail\services.exe
File created: C:\Program Files\Windows Mail\c5b4cb5e9653cc
Drops file in Windows directory 5 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe
File created: C:\Windows\es-ES\OfficeClickToRun.exe
File opened for modification: C:\Windows\es-ES\OfficeClickToRun.exe
File created: C:\Windows\es-ES\e6c9b481da804f
File created: C:\Windows\Downloaded Program Files\explorer.exe
File created: C:\Windows\Downloaded Program Files\7a0fd90576e088
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe PIDs 3952, 3116, 4404, 680, 4664, 1108, 2100, 3068, 772, 1960, 1188, 4228
Modifies registry class 1 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe
Key created: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings (a65ef974cf4bc255d44fa7ab8acddf50.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: a65ef974cf4bc255d44fa7ab8acddf50.exe (PID 1296, 5 events), services.exe (PID 4616, 1 event)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, PID 1296 a65ef974cf4bc255d44fa7ab8acddf50.exe
Token: SeDebugPrivilege, PID 4616 services.exe
Suspicious use of WriteProcessMemory 6 IoCs
PID 1296 (a65ef974cf4bc255d44fa7ab8acddf50.exe) wrote to memory of PID 4684 (cmd.exe), 2 events
PID 4684 (cmd.exe) wrote to memory of PID 3468 (w32tm.exe), 2 events
PID 4684 (cmd.exe) wrote to memory of PID 4616 (services.exe), 2 events
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows depth in the tree; PIDs as recorded by the sandbox)

C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe (PID 1296)
  command line: "C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 4684)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95WxHn56ql.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\w32tm.exe (PID 3468)
      command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    C:\Program Files\Windows Mail\services.exe (PID 4616)
      command line: "C:\Program Files\Windows Mail\services.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The batch file's w32tm /stripchart call against localhost with /period:5 and /samples:2 blocks for roughly five seconds; it is a common batch substitute for sleep and here delays the launch of the dropped copy, services.exe.

The twelve schtasks.exe processes below sit at the top level of the tree with wmiprvse.exe (PID 2520) as parent (see "Process spawned unexpected child process" above); each carries the signatures "Process spawned unexpected child process" and "Creates scheduled task(s)". Every payload is registered three times: a MINUTE task at the default run level, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at /rl HIGHEST, all with /f to overwrite any existing task of that name. The MINUTE task names are the binary name with its last letter doubled (servicess, explorere, unsecappu, OfficeClickToRunO). Note that C:\Recovery\WindowsRE\unsecapp.exe is scheduled but is not among the files the sample was observed writing in this run.

C:\Windows\system32\schtasks.exe (PID 3952)
  command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe (PID 3116)
  command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1108)
  command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2100)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f
C:\Windows\system32\schtasks.exe (PID 3068)
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 772)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1960)
  command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe (PID 1188)
  command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 680)
  command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4664)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
C:\Windows\system32\schtasks.exe (PID 4404)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4228)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
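The persistence layout recorded above (and in the "Creates scheduled task(s)" signature), turned into detection logic as an added example that is not part of the sandbox report: a small parser for schtasks.exe /create command lines, a scorer that flags the traits visible in this run (a binary named like a Windows component but scheduled from a directory where that component does not live, a task name that mirrors the binary name with its last letter doubled, a MINUTE trigger with a short interval, /rl HIGHEST), and a grouping step that finds payloads registered with the three-task MINUTE / ONLOGON-HIGHEST / MINUTE-HIGHEST layout. Input is the twelve command lines from the report; the expected-directory table, the 15-minute threshold and the benign control line are assumptions for illustration.

```python
import ntpath
import re
from collections import defaultdict

# The twelve schtasks /create command lines from the report's process tree.
REPORT_CMDLINES = [
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f''',
    r'''schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\services.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f''',
]
# Constructed benign control line (assumption) to check the scorer stays quiet.
BENIGN_CMDLINE = r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe"'''

# Where these Windows components normally live; an assumed table for this
# example, extend it to the images you actually run.
EXPECTED_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "unsecapp.exe": {r"c:\windows\system32\wbem"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}
MAX_MINUTE_INTERVAL = 15  # assumed threshold for "re-launch every few minutes"

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # double-quoted span or bare word


def parse_schtasks(cmdline):
    """Split a schtasks.exe command line into {option: value}; switches that
    take no value (/create, /f) map to True."""
    tokens = [q if q else b for q, b in _TOKEN.findall(cmdline)]
    opts = {}
    i = 1  # skip the image name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]
                i += 2
            else:
                opts[name] = True
                i += 1
        else:
            i += 1
    if isinstance(opts.get("tr"), str):
        opts["tr"] = opts["tr"].strip("'")  # DcRat wraps the path in '...' inside "..."
    return opts


def score_task(opts):
    """Return the list of reasons a parsed /create command looks like the
    persistence pattern in the report (empty list = nothing suspicious)."""
    reasons = []
    payload = opts.get("tr")
    if not isinstance(payload, str):
        return reasons
    base = ntpath.basename(payload).lower()
    directory = ntpath.dirname(payload).lower()
    stem = ntpath.splitext(base)[0]
    if base in EXPECTED_DIRS and directory not in EXPECTED_DIRS[base]:
        reasons.append("lookalike-outside-expected-dir")
    tn = str(opts.get("tn", "")).lower()
    if stem and tn in (stem, stem + stem[-1]):
        reasons.append("task-name-mirrors-binary")
    mo = opts.get("mo")
    if (str(opts.get("sc", "")).upper() == "MINUTE" and isinstance(mo, str)
            and mo.isdigit() and int(mo) <= MAX_MINUTE_INTERVAL):
        reasons.append("high-frequency-relaunch")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs-with-highest-privileges")
    return reasons


def group_by_payload(cmdlines):
    """Group parsed /create commands by the (lower-cased) payload path."""
    groups = defaultdict(list)
    for line in cmdlines:
        opts = parse_schtasks(line)
        if opts.get("create") is True and isinstance(opts.get("tr"), str):
            groups[opts["tr"].lower()].append(opts)
    return dict(groups)


def triplet_payloads(cmdlines):
    """Payloads registered with the three-task layout seen in the report:
    MINUTE at default run level, ONLOGON at HIGHEST, MINUTE at HIGHEST."""
    wanted = {("MINUTE", ""), ("ONLOGON", "HIGHEST"), ("MINUTE", "HIGHEST")}
    hits = []
    for payload, tasks in group_by_payload(cmdlines).items():
        kinds = {(str(t.get("sc", "")).upper(), str(t.get("rl", "")).upper()) for t in tasks}
        if wanted <= kinds:
            hits.append(payload)
    return sorted(hits)


if __name__ == "__main__":
    for line in REPORT_CMDLINES + [BENIGN_CMDLINE]:
        opts = parse_schtasks(line)
        print(opts.get("tn"), "->", opts.get("tr"), score_task(opts) or "clean")
    print("triplet payloads:", triplet_payloads(REPORT_CMDLINES))
```

Run over the twelve report lines, every task scores at least "lookalike-outside-expected-dir" and "task-name-mirrors-binary", and all four payloads (including the never-dropped unsecapp.exe) come back from triplet_payloads; the control line scores nothing. On a live host the same functions apply to the command-line field of process-creation events (Sysmon EID 1 or Security 4688 with command-line auditing on) filtered to schtasks.exe.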
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files\Windows Mail\services.exe
  Filesize: 1.1MB
  MD5: a65ef974cf4bc255d44fa7ab8acddf50
  SHA1: dfbf0babf43166796c2f5cef62742e9bfc00c55b
  SHA256: 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
  SHA512: 18bb4f417e84fea2c9b1eb20658c9bcb9a6317a50462db9c490b03ac7f7176d5c2a7c6cde9253a2991df70e866350c93ffe4ff2120f2ae85e26361d764a765dc
  Size and all four hashes match the submitted sample: the dropped services.exe is a byte-for-byte copy of it.

C:\Users\Admin\AppData\Local\Temp\95WxHn56ql.bat
  Filesize: 207B
  MD5: f49e17fc1c64987ee1c75009860feadc
  SHA1: 467cf8050b5a32512a495c9738dfa2fb9ea38b6c
  SHA256: 80637c9961a52ef99e7377794e186ba38a4ec3dcb761e73dbc60a862ce297cd1
  SHA512: d04b1bfcd255e47e6b179095f5a6185b1adc3cc326928c56fd44c5283457d948108592cd9805cccec5464821bb08a6a40de239751b325dab377c720177a86a36

Memory dumps (PID-index-address range):
  memory/1296-0-0x00007FFE778F3000-0x00007FFE778F5000-memory.dmp: 8KB
  memory/1296-1-0x00000000003A0000-0x00000000004BA000-memory.dmp: 1.1MB
  memory/1296-2-0x00007FFE778F0000-0x00007FFE783B1000-memory.dmp: 10.8MB
  memory/1296-3-0x00000000026B0000-0x00000000026CC000-memory.dmp: 112KB
  memory/1296-4-0x000000001B040000-0x000000001B090000-memory.dmp: 320KB
  memory/1296-5-0x0000000000DA0000-0x0000000000DB2000-memory.dmp: 72KB
  memory/1296-6-0x000000001BCD0000-0x000000001C1F8000-memory.dmp: 5.2MB
  memory/1296-20-0x00007FFE778F0000-0x00007FFE783B1000-memory.dmp: 10.8MB
  memory/4616-25-0x000000001C530000-0x000000001C542000-memory.dmp: 72KB