Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 03:20
Behavioral task behavioral1
- Sample: Gamesense.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: Gamesense.exe
- Resource: win10v2004-20240611-en
General
- Target: Gamesense.exe
- Size: 2.5MB
- MD5: 6e292e2932951e7a1cb7dfc313121a6b
- SHA1: 72cf74f7ecf405b1f72fd3e42f541c30b2ff9fba
- SHA256: ebcefb989d32ca643f3560d4223e47cbbe2ea3c97755cf93b9b3fbabaf3545cf
- SHA512: ba6dda938a6c1beb724277b9c1b819d54467ce125de99619d19438d432f2273e785b94cd8c02ee747ceafe91159ce27d6fc891ba57f6365e2d4ff3afb1f06ed9
- SSDEEP: 49152:UbA30sHoNElLsaAB3Olt0BSXYAnjE5fqpCUdwUencN9:UbgHjlLsxeAIj5pCweO
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (6 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4084 | 1216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4600 | 1216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3148 | 1216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 1216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4940 | 1216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5056 | 1216 | schtasks.exe
-
Processes:
resource | yara_rule
C:\bridgeFont\Blockdriverhost.exe | dcrat
behavioral2/memory/4224-13-0x00000000002E0000-0x000000000050E000-memory.dmp | dcrat
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: taskhostw.exe, Gamesense.exe, WScript.exe, Blockdriverhost.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | Gamesense.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | Blockdriverhost.exe
-
Executes dropped EXE 2 IoCs
Processes: Blockdriverhost.exe, taskhostw.exe
pid | process
4224 | Blockdriverhost.exe
1920 | taskhostw.exe
-
Drops file in System32 directory 3 IoCs
Processes: Blockdriverhost.exe
description | ioc | process
File created | C:\Windows\System32\pt-PT\csrss.exe | Blockdriverhost.exe
File opened for modification | C:\Windows\System32\pt-PT\csrss.exe | Blockdriverhost.exe
File created | C:\Windows\System32\pt-PT\886983d96e3d3e | Blockdriverhost.exe
-
Drops file in Windows directory 2 IoCs
Processes: Blockdriverhost.exe
description | ioc | process
File created | C:\Windows\Cursors\taskhostw.exe | Blockdriverhost.exe
File created | C:\Windows\Cursors\ea9f0e6c9e2dcd | Blockdriverhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes: Gamesense.exe, taskhostw.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | Gamesense.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | taskhostw.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (6 instances)
pid | process
4600 | schtasks.exe
3148 | schtasks.exe
2852 | schtasks.exe
4940 | schtasks.exe
5056 | schtasks.exe
4084 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: Blockdriverhost.exe, taskhostw.exe
pid | process
4224 | Blockdriverhost.exe (5 entries)
1920 | taskhostw.exe (all remaining entries of the 64)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: taskhostw.exe
pid | process
1920 | taskhostw.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: Blockdriverhost.exe, taskhostw.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 4224 | Blockdriverhost.exe
Token: SeDebugPrivilege | 1920 | taskhostw.exe
Token: SeBackupPrivilege | 2296 | vssvc.exe
Token: SeRestorePrivilege | 2296 | vssvc.exe
Token: SeAuditPrivilege | 2296 | vssvc.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes: Gamesense.exe, WScript.exe, cmd.exe, Blockdriverhost.exe, taskhostw.exe
description | pid | process | target process
PID 3912 wrote to memory of 1696 | 3912 | Gamesense.exe | WScript.exe
PID 3912 wrote to memory of 1696 | 3912 | Gamesense.exe | WScript.exe
PID 3912 wrote to memory of 1696 | 3912 | Gamesense.exe | WScript.exe
PID 1696 wrote to memory of 1192 | 1696 | WScript.exe | cmd.exe
PID 1696 wrote to memory of 1192 | 1696 | WScript.exe | cmd.exe
PID 1696 wrote to memory of 1192 | 1696 | WScript.exe | cmd.exe
PID 1192 wrote to memory of 4224 | 1192 | cmd.exe | Blockdriverhost.exe
PID 1192 wrote to memory of 4224 | 1192 | cmd.exe | Blockdriverhost.exe
PID 4224 wrote to memory of 1920 | 4224 | Blockdriverhost.exe | taskhostw.exe
PID 4224 wrote to memory of 1920 | 4224 | Blockdriverhost.exe | taskhostw.exe
PID 1920 wrote to memory of 3628 | 1920 | taskhostw.exe | WScript.exe
PID 1920 wrote to memory of 3628 | 1920 | taskhostw.exe | WScript.exe
PID 1920 wrote to memory of 4528 | 1920 | taskhostw.exe | WScript.exe
PID 1920 wrote to memory of 4528 | 1920 | taskhostw.exe | WScript.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Gamesense.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3912
  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1696
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\bridgeFont\A6eEKUh9zDmgALE.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 1192
      C:\bridgeFont\Blockdriverhost.exe
        command line: "C:\bridgeFont\Blockdriverhost.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4224
        C:\Windows\Cursors\taskhostw.exe
          command line: "C:\Windows\Cursors\taskhostw.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1920
          C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aedf1044-dcfc-4868-a24a-efe0f02a72e8.vbs"
            PID: 3628
          C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a194954c-002b-43e3-956a-3f9ebcef4094.vbs"
            PID: 4528
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3584,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:8
  PID: 4652
-
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\pt-PT\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4084
-
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\pt-PT\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4600
-
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\pt-PT\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3148
-
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2852
-
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Cursors\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4940
-
C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5056
-
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2296
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\a194954c-002b-43e3-956a-3f9ebcef4094.vbs
- Filesize: 484B
- MD5: 24e158b87d7e5908e3bf726dacb748ee
- SHA1: 86b12a08718fedbe8bbe6c7abd8e46ce604e8677
- SHA256: ae9f8c339391df937a2640b6f34fd7428e225d49ea366dec4b2261036a395c8b
- SHA512: 0f8c10d39e82023ffa320e25fbaa9fd1ac2dcd194cb81bb2448542d99143a2e8c2690434bacd6ae285b902b2e3dedb93d4ac0c8555ce051a6e8580a28d384c27
-
C:\Users\Admin\AppData\Local\Temp\aedf1044-dcfc-4868-a24a-efe0f02a72e8.vbs
- Filesize: 708B
- MD5: e14b64dac82c5ee089cf907792c1f0fb
- SHA1: b14f298836c23c6241194175e5fcd57a3d841ae3
- SHA256: 55547f6f3b2b83c60fb7a3c33c67c642573ab926cea35c88e1dca2eefb705500
- SHA512: d5993dc873c55188ed347807205309737d944fd350fef4fc8e35a27dd48ef6ff7519786f13730be1ec66203ca908987098d6de78dbd36baaee568b91f6dede1e
-
C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe
- Filesize: 203B
- MD5: f834877689aa9f2dbd0d2084bb779fb4
- SHA1: 5bcadc4ef4b14e7c41b7fb0b9cf8d918bfabea67
- SHA256: 21f91b10a8abe860f6cc78e0c229737187e13f30f773af62f27e630534039768
- SHA512: abbade5f776f7e1515bee59b5c01d7d39f89c14f12f72795b5fed7d7c82efb6508c34cbd267a5f6b16e285ae590f5769e28db6522187e5556da14d2bc1886034
-
C:\bridgeFont\A6eEKUh9zDmgALE.bat
- Filesize: 35B
- MD5: a254cc5bfb66a33ccdee83d23ff8d10b
- SHA1: 40461cbacf4b71e94dd321fc30d7d69febd1e8ee
- SHA256: f34a02f3f74a210905c17a168415de23a429c4f33f1943fd6ff7d86421ddcf87
- SHA512: f5f9a32b0e5ace91ee1b4a113c8413a7d61b3d2cc9878b73256e89cb3c59896b8b91b98e9adfb711ffbdd21137d030ddf6489c7fdd587c1b2955a8e65afea05e
-
C:\bridgeFont\Blockdriverhost.exe
- Filesize: 2.2MB
- MD5: 4021df69fad7e54ef1154a5322b1eece
- SHA1: ece1a3140a5a394c4a57f110609b9d494e6f59f5
- SHA256: 3bf9e41b570eeb923ed1f44e1fffa81fbd3dfe9f0324c594327d2d271af8cc6f
- SHA512: 0e0a18d8b319f2ff1de023ef8f43d905bbb47e08515ce91a02a868c5ed948fb02ee62576967512582c67da5593618526be8ae272a6e9b3fc4c664d40bd51e9d4
-
memory/4224-17-0x0000000002640000-0x000000000264C000-memory.dmp
- Filesize: 48KB
-
memory/4224-15-0x000000001B7C0000-0x000000001B816000-memory.dmp
- Filesize: 344KB
-
memory/4224-16-0x0000000002630000-0x000000000263C000-memory.dmp
- Filesize: 48KB
-
memory/4224-14-0x0000000002620000-0x0000000002628000-memory.dmp
- Filesize: 32KB
-
memory/4224-18-0x0000000002660000-0x0000000002672000-memory.dmp
- Filesize: 72KB
-
memory/4224-19-0x000000001BD40000-0x000000001C268000-memory.dmp
- Filesize: 5.2MB
-
memory/4224-20-0x000000001B170000-0x000000001B17C000-memory.dmp
- Filesize: 48KB
-
memory/4224-21-0x000000001B180000-0x000000001B18A000-memory.dmp
- Filesize: 40KB
-
memory/4224-22-0x000000001B190000-0x000000001B198000-memory.dmp
- Filesize: 32KB
-
memory/4224-23-0x000000001B1A0000-0x000000001B1AC000-memory.dmp
- Filesize: 48KB
-
memory/4224-13-0x00000000002E0000-0x000000000050E000-memory.dmp
- Filesize: 2.2MB
-
memory/4224-12-0x00007FFD91BF3000-0x00007FFD91BF5000-memory.dmp
- Filesize: 8KB