Analysis

  • max time kernel
    20s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 14:27

General

  • Target

    AgE312YolF45.exe

  • Size

    2.0MB

  • MD5

    3c85f943f1f46c62c996d02b335ead81

  • SHA1

    d19a217efea23a93c24541c0027e2bb19a32a148

  • SHA256

    3f55ade4a555c326fc309c8478b1abe8acb9d24ca3496d5a3e65256c35b81ee7

  • SHA512

    24220be76b6723f87c8a3b690d1ef3f876682e6fd156f5dc087d88ca7d1e020e6171354838ece2952341835babf63e51f4bd89626a2420f730b524787be34b8b

  • SSDEEP

    24576:u2G/nvxW3WieCYSoWse8bvSGOkDSqMdxcXZLE2XTo6+2lXgW8/ezB8diUV6gwvB+:ubA3jYSovbvSXqGsLw6RXRgBdF6rZYdt

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro; here it is raised on each of the schtasks.exe invocations in the process tree below.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe
    "C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ReviewRuntimenet\21ZjY.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\ReviewRuntimenet\ServerSaveshost.exe
          "C:\ReviewRuntimenet\ServerSaveshost.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4876
          • C:\Windows\Web\System.exe
            "C:\Windows\Web\System.exe"
            5⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1864
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0473d2-6cca-4c25-8989-06bbf8b71137.vbs"
              6⤵
                PID:396
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\475384d0-59a6-448f-a3f4-f7e0cc3df93c.vbs"
                6⤵
                  PID:4908
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              4⤵
              • Modifies registry key
              PID:780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\twain_32\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1872
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1196
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:632
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
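
The schtasks and reg command lines above are the sample's persistence and defense-evasion footprint: one task per dropped copy on logon with /rl HIGHEST, a second task every few minutes, and DisableTaskMgr set under the HKCU System policy key. The following Python is an added example, not code from the sandbox report or from the DCRat sample: it parses those command lines exactly as the report prints them, extracts the fields an analyst hunts on (task name, trigger, run level, target binary, registry value and data), and flags any target that carries the name of a Windows binary but lives outside the directory that binary normally occupies. The `KNOWN_LOCATIONS` baseline, the `TAMPER_KEY`/`TAMPER_VALUES` set and the function names are the example's own assumptions, not something the report states.

```python
"""Triage the schtasks /create and reg add lines from the process tree above.
Added example; the KNOWN_LOCATIONS baseline and TAMPER_VALUES are assumptions."""
import re
from pathlib import PureWindowsPath

# Subset of command lines copied verbatim from the report's process tree.
REPORT_CMDLINES = [
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f''',
]

# Where each impersonated binary legitimately lives on Windows 10 (example
# author's assumption; align it with your own golden image).  An empty set
# means no such file exists on disk: "System" is the kernel pseudo-process.
KNOWN_LOCATIONS = {
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "searchapp.exe": {r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy"},
    "system.exe": set(),
}

# Policy values whose modification disables a defensive tool (assumption; the
# report itself only shows DisableTaskMgr being set).
TAMPER_KEY = r"hkcu\software\microsoft\windows\currentversion\policies\system"
TAMPER_VALUES = {"disabletaskmgr", "disableregistrytools"}

_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
_TN = re.compile(r'/tn\s+"([^"]*)"', re.I)
_TR = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)  # target is quoted as "'path'"
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_RL = re.compile(r"/rl\s+(\S+)", re.I)
_REG = re.compile(r"\breg(?:\.exe)?\s+add\s+(\S+)\s+/v\s+(\S+)\s+/t\s+(\S+)\s+/d\s+(\S+)", re.I)


def _first(rx, s):
    m = rx.search(s)
    return m.group(1) if m else None


def parse_schtasks(cmdline):
    """Persistence-relevant fields of a `schtasks /create` line, or None."""
    if not _CREATE.search(cmdline):
        return None
    task, target = _first(_TN, cmdline), _first(_TR, cmdline)
    if not task or not target:
        return None
    every = _first(_MO, cmdline)
    return {
        "task": task,
        "target": target,
        "schedule": (_first(_SC, cmdline) or "").upper(),
        "every": int(every) if every else None,
        "runlevel": (_first(_RL, cmdline) or "LIMITED").upper(),  # schtasks default
    }


def parse_reg_add(cmdline):
    """Key, value name, type and data of a `reg add` line, or None."""
    m = _REG.search(cmdline)
    return dict(zip(("key", "value", "type", "data"), m.groups())) if m else None


def masquerade_reason(target):
    """Why `target` looks like a renamed payload, or None if its location is known."""
    p = PureWindowsPath(target)
    allowed = KNOWN_LOCATIONS.get(p.name.lower())
    if allowed is None or str(p.parent).lower() in allowed:
        return None
    return f"{p.name} outside its known location: {p.parent}"


def triage(cmdlines):
    """One (subject, object, tags) finding per suspicious command line."""
    findings = []
    for c in cmdlines:
        t = parse_schtasks(c)
        if t:
            tags = ["scheduled-task"]
            tags += ["logon-persistence"] if t["schedule"] == "ONLOGON" else []
            tags += ["runlevel-highest"] if t["runlevel"] == "HIGHEST" else []
            why = masquerade_reason(t["target"])
            tags += ["masquerade: " + why] if why else []
            findings.append((t["task"], t["target"], tags))
            continue
        r = parse_reg_add(c)
        if r and r["key"].lower() == TAMPER_KEY and r["value"].lower() in TAMPER_VALUES:
            findings.append((r["value"], r["key"], ["policy-tamper", f"{r['type']}={r['data']}"]))
    return findings


if __name__ == "__main__":
    for subject, obj, tags in triage(REPORT_CMDLINES):
        print(f"{subject:<16} {obj}\n{'':<16} {', '.join(tags)}")
```

Run it directly to get one finding per line; in a hunt, feed it process-creation command lines (Sysmon event ID 1, Security 4688 with command-line auditing) instead of the copied list. Every target in the report trips the masquerade check, which is the cheap tell here: a real fontdrvhost.exe, services.exe, dwm.exe or WmiPrvSE.exe never runs from Public, Recovery or Program Files. The /rl HIGHEST tasks are only honoured for an already-elevated caller, which is consistent with the UAC bypass signature above.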

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ReviewRuntimenet\21ZjY.vbe
        Filesize

        213B

        MD5

        09a35d6cb1e2ea076586988cdbcc940a

        SHA1

        7e062f07474330abdab5d77ad336bc0a3532ca89

        SHA256

        6d8ba67017098b244d617acea6d2e70b47db126ca14924b9a82703bae95a5c38

        SHA512

        2f3100f18b3aa18abdbead9e8955af0eebdf451ed0ec987306fcc73bda195933b8fe8c59be7a8f777192890260efb96edaf6b3c04ce56e3151c7a0c9ee960f7c

      • C:\ReviewRuntimenet\ServerSaveshost.exe
        Filesize

        1.7MB

        MD5

        88e250828f656440b29f7be2b67b5d44

        SHA1

        86c19cccc181827c99f8703f017ee2d22a1ffe1e

        SHA256

        67d4916350ff960cd46e98f0c1d00290b63eb8a6c94c3595e76245d4ae4706d0

        SHA512

        11c7da52c1a67af894608dad046cf85947f64e74ecaae20edbf3f748ee0a9b65d3a5a03ceb1a690016de883fa39a5fba384cb6d031a09a086e323367f7de3c1f

      • C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat
        Filesize

        153B

        MD5

        285b91a7a5b84ebdca3dc8f49a68638c

        SHA1

        61c9262f49da3afdf6310efd11108adb9b8283ff

        SHA256

        59ddfb2705077e864946fe450625206671a1faafc9e46704ca108b4196d24f99

        SHA512

        7ce8348ddb6571aaadcce2e8780d3032055a2bded51e9dd4a2eb1aa1f7f24ea9258322dae8c15223ed92b83681f2b5333b0e828239624b1e929771a4b670601d

      • C:\Users\Admin\AppData\Local\Temp\475384d0-59a6-448f-a3f4-f7e0cc3df93c.vbs
        Filesize

        477B

        MD5

        d4a421b84b238345a2c4ffc54255046c

        SHA1

        15d3ac77e9459b2fd2bfaa8437cff3cf4595ad0b

        SHA256

        d643000d9584ce97c67833a314ca28e25152cbe1728f326b95048d65a03e5dbd

        SHA512

        b2c0b412758217683ccfbf0e395911b58ff38601f89a32ca04bb09bd7915865ced92b4cd84de30fa0c6c2e55336e1a0bd5b267f3cdce15bd48ddf67cc678b73e

      • C:\Users\Admin\AppData\Local\Temp\bc0473d2-6cca-4c25-8989-06bbf8b71137.vbs
        Filesize

        701B

        MD5

        35575a15c51e5c12fc337c149f834fb2

        SHA1

        e741545a864d8a99b02e248651dafdbe529a3dee

        SHA256

        858513d9c5e2ee0ef43986f67c757022180ae557d2e1a684b899dc8f1b52d126

        SHA512

        2a89c47eb21fc2114800e62beb23388d1d750e8e69dcdb96fe8a37d844dedf4d28a6f22750fae9f101a155a7d1daef8678084f875ae22efc91d6fb435ed2c1d0

      • memory/1864-56-0x0000000002870000-0x0000000002882000-memory.dmp
        Filesize

        72KB

      • memory/4876-21-0x000000001BA60000-0x000000001BA6C000-memory.dmp
        Filesize

        48KB

      • memory/4876-24-0x000000001BAA0000-0x000000001BAAC000-memory.dmp
        Filesize

        48KB

      • memory/4876-17-0x00000000030E0000-0x00000000030F0000-memory.dmp
        Filesize

        64KB

      • memory/4876-18-0x00000000030F0000-0x0000000003106000-memory.dmp
        Filesize

        88KB

      • memory/4876-19-0x0000000003110000-0x0000000003118000-memory.dmp
        Filesize

        32KB

      • memory/4876-20-0x0000000003120000-0x000000000312A000-memory.dmp
        Filesize

        40KB

      • memory/4876-15-0x000000001BA10000-0x000000001BA60000-memory.dmp
        Filesize

        320KB

      • memory/4876-22-0x000000001BA70000-0x000000001BA82000-memory.dmp
        Filesize

        72KB

      • memory/4876-23-0x000000001C730000-0x000000001CC58000-memory.dmp
        Filesize

        5.2MB

      • memory/4876-16-0x00000000016C0000-0x00000000016C8000-memory.dmp
        Filesize

        32KB

      • memory/4876-25-0x000000001BAB0000-0x000000001BABC000-memory.dmp
        Filesize

        48KB

      • memory/4876-26-0x000000001C450000-0x000000001C45A000-memory.dmp
        Filesize

        40KB

      • memory/4876-29-0x000000001BBE0000-0x000000001BBEA000-memory.dmp
        Filesize

        40KB

      • memory/4876-28-0x000000001BAC0000-0x000000001BAC8000-memory.dmp
        Filesize

        32KB

      • memory/4876-30-0x000000001C300000-0x000000001C30C000-memory.dmp
        Filesize

        48KB

      • memory/4876-27-0x000000001C460000-0x000000001C46E000-memory.dmp
        Filesize

        56KB

      • memory/4876-14-0x00000000030C0000-0x00000000030DC000-memory.dmp
        Filesize

        112KB

      • memory/4876-13-0x0000000000CE0000-0x0000000000E94000-memory.dmp
        Filesize

        1.7MB

      • memory/4876-12-0x00007FFFB9DA3000-0x00007FFFB9DA5000-memory.dmp
        Filesize

        8KB