Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 22:12

General

  • Target

    DCRatBuild.exe

  • Size

    1.1MB

  • MD5

    e51b55377c7602f0eacb8af9e4fa53d3

  • SHA1

    4cccdcb78e94204674815279286d78e7e25761b4

  • SHA256

    f1a6b6c5088e24c8dc8dc4399fdc8b7e23ee5c45e6f85f5b4098bb8e4d27adf4

  • SHA512

    0b8cfeb359b4e6c5cc3d2fcc4104f1c6636b0dfd8203ac2afe8aebd8ad5e8e4505f98bd6233f1934af58d189d21b2ea4605885c6d4f970b2270c765c763fb72e

  • SSDEEP

    24576:U2G/nvxW3Ww0trbiGRpWastlqwqZEmLcfMPfwdxZ3:UbA303ieEnvkofx9

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hyperagentbrowser\sIkx60UivJbECkmVom5fVRQUr0MyvR.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\hyperagentbrowser\Y39U9P6FjUjXWhvxMeo7wJZi.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\hyperagentbrowser\FontNet.exe
          "C:\hyperagentbrowser\FontNet.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\hyperagentbrowser\FontNet.exe
            "C:\hyperagentbrowser\FontNet.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:816
            • C:\hyperagentbrowser\csrss.exe
              "C:\hyperagentbrowser\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\hyperagentbrowser\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\hyperagentbrowser\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\hyperagentbrowser\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\WindowsRE\29c1c3cc0f7685
    Filesize

    595B

    MD5

    86e1af71bc223e045c78579f7453fd24

    SHA1

    bfbccae867763ce394d960faeb8a0f1825425243

    SHA256

    752d0024311c0d8184a1bfb9e63dfaa3c4e731cf46255af6667c31d99c236a0a

    SHA512

    eca45031948009c4700fed826b37653299324a3d54bfc2fac4486b0eaca65ecbc3e91f8840950afa74729bc08307d9ca2bd423e6537376f538d70c2871741597

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FontNet.exe.log
    Filesize

    1KB

    MD5

    7f3c0ae41f0d9ae10a8985a2c327b8fb

    SHA1

    d58622bf6b5071beacf3b35bb505bde2000983e3

    SHA256

    519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

    SHA512

    8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

  • C:\hyperagentbrowser\FontNet.exe
    Filesize

    827KB

    MD5

    2b7abb9de0e5f40bccf06c67ab062c97

    SHA1

    d3b4ec613ab6f49f6dec8fc4eb8293febca43ffc

    SHA256

    c20b0e6c4feaca10a1c37c4b97633710d73b94c89a13885d26000c854a1da639

    SHA512

    a171ab31100336e54ee4f47388f51dd667842b61d7ec8cbd1e59ec3af9a568166aa5de2127e6548a32dde9488ea4daa9a5c448a884216b9cad702c896b915e29

  • C:\hyperagentbrowser\Y39U9P6FjUjXWhvxMeo7wJZi.bat
    Filesize

    34B

    MD5

    5a60eec2789b14807ebc19b14cdb820a

    SHA1

    dac18a72b8c33431f2814d95044f3a5ef8495a3c

    SHA256

    6b99b3bb538dba8326d708a0f5bbe6a50a752cf7631c7df9e7ab40e28a48cf80

    SHA512

    b85a17fe060c130fcbf5c2a909bdf2d9d38d8073d55cfa63e150e30346a6dde5e4e22f1f523a518e8e8be3e4293b9bac6cef84078dc23685bd4d2a6fcc95458c

  • C:\hyperagentbrowser\sIkx60UivJbECkmVom5fVRQUr0MyvR.vbe
    Filesize

    218B

    MD5

    0e4b3aa07580c946c384391cd6b91d8e

    SHA1

    85b0d045bcb7f79de8b59e14509160c4fee8efcb

    SHA256

    383a9bf02abc85e3b13853febf64a69e306251f8481c7341d66ba501d6320fe9

    SHA512

    ca13beced01dceee5ef67ab463994a8145a1f09d8190e70aa6bf6541f717a8cf13bcd839e6695bc2423ff72e1af6bc8229c2d59eae43ffc3523e5b8d95a0aaad

  • memory/1644-12-0x00007FFF9A0D3000-0x00007FFF9A0D5000-memory.dmp
    Filesize

    8KB

  • memory/1644-13-0x0000000000160000-0x0000000000236000-memory.dmp
    Filesize

    856KB