Analysis
-
max time kernel
136s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted
21-06-2024 01:09
Behavioral task
behavioral1
Sample
2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
Resource
win10v2004-20240611-en
General
-
Target
2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
-
Size
827KB
-
MD5
33ab5cbb351fa75f5d4f3e3b5aa064a9
-
SHA1
ac9bcf69aecff1ff5d4108df204a4a2b572e1eef
-
SHA256
2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17
-
SHA512
4e62650b49ae86c152463742a04980627d54dc8efc7dd3443625210d13db815f279989d846bbca4376cd127595403cfd53160c0fa78f3d198bf400da5655a98e
-
SSDEEP
12288:6HggW+CSPHjaphInx+6XlRitt/tNRWCkQu:6AgW+C4jaqZlR4/jRWCkT
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, the parent is WmiPrvSE.exe (the WMI Provider Host; it is the constant pid_target 3628 in every row below), which is what you see when a process is created through WMI (Win32_Process.Create): the sample creates its twelve schtasks.exe children via WMI instead of spawning them directly, so they appear as top-level entries in the process tree rather than under PID 4568. The target process column is empty in every row.
Processes: schtasks.exe (12 instances)
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4724 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 216 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4660 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1672 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 224 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4652 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4504 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2464 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 924 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5052 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3472 | 3628 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4112 | 3628 | schtasks.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4568-0-0x0000000000DB0000-0x0000000000E86000-memory.dmp | dcrat
C:\Windows\Containers\serviced\RuntimeBroker.exe | dcrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
-
Executes dropped EXE 1 IoCs
Processes: RuntimeBroker.exe
pid | process
4900 | RuntimeBroker.exe
-
Drops file in Program Files directory 3 IoCs
Processes: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Mail\aa97147c4c782d | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
File created | C:\Program Files (x86)\Windows Mail\MusNotification.exe | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\MusNotification.exe | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
-
Drops file in Windows directory 4 IoCs
Processes: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
description | ioc | process
File created | C:\Windows\Containers\serviced\9e8d7a4ca61bd9 | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
File created | C:\Windows\Globalization\Time Zone\upfc.exe | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
File created | C:\Windows\Globalization\Time Zone\ea1d8f6d871115 | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
File created | C:\Windows\Containers\serviced\RuntimeBroker.exe | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (12 instances)
pid | process
4504 | schtasks.exe
2464 | schtasks.exe
4724 | schtasks.exe
216 | schtasks.exe
4660 | schtasks.exe
1672 | schtasks.exe
224 | schtasks.exe
4652 | schtasks.exe
924 | schtasks.exe
3472 | schtasks.exe
4112 | schtasks.exe
5052 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe, RuntimeBroker.exe
pid | process
4568 | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe (listed 5 times)
4900 | RuntimeBroker.exe (listed 10 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RuntimeBroker.exe
pid | process
4900 | RuntimeBroker.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe, RuntimeBroker.exe
description | pid | process
Token: SeDebugPrivilege | 4568 | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
Token: SeDebugPrivilege | 4900 | RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe, cmd.exe
description | pid | process | target process
PID 4568 wrote to memory of 4564 | 4568 | 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe | cmd.exe (listed twice)
PID 4564 wrote to memory of 3376 | 4564 | cmd.exe | w32tm.exe (listed twice)
PID 4564 wrote to memory of 4900 | 4564 | cmd.exe | RuntimeBroker.exe (listed twice)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
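The twelve schtasks calls in this report leave task definitions behind that outlive the sandbox run, so a hunt on a suspected host should read the persisted tasks, not just process telemetry. The following is an added example, not code from the report or from the DcRat tooling: it parses Task Scheduler XML in the shape `schtasks /query /tn <name> /xml` exports (Task Scheduler namespace, Triggers, Principals, Actions) and flags tasks whose action runs from an unusual directory, at HighestAvailable run level, on every logon or on a minute-level repeat. The XML documents, the trigger details and the NightlyBackup control task are constructed for the example; the directory heuristics are assumptions to tune for your estate.

```python
"""Hunt exported Task Scheduler definitions for the persistence set up above.
Added example, not from the report: the XML is constructed in the shape
'schtasks /query /tn <name> /xml' exports (Task Scheduler namespace, Triggers,
Principals, Actions); NightlyBackup is a benign control."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic (assumption, tune per estate): an action under C:\Windows is only expected
# from these directories, and never from recovery, user-profile or temp paths.
WINDOWS_OK = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")
SUSPECT = ("c:\\recovery\\", "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def duration_minutes(iso: str) -> Optional[float]:
    """Minutes in an ISO 8601 duration as Task Scheduler writes it (PT11M, PT1H, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def parse_task(xml_text: str) -> Dict[str, object]:
    """The fields a hunt needs from one exported task definition."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    trig = root.find("t:Triggers", NS)
    interval = text(".//t:Repetition/t:Interval")
    return {
        "command": text(".//t:Actions/t:Exec/t:Command").strip("'\""),
        "arguments": text(".//t:Actions/t:Exec/t:Arguments"),
        "runlevel": text(".//t:Principals/t:Principal/t:RunLevel"),
        "triggers": [el.tag.rpartition("}")[2] for el in (list(trig) if trig is not None else [])],
        "repeat_minutes": duration_minutes(interval) if interval else None,
    }


def assess_task(task: Dict[str, object]) -> List[str]:
    """Reasons a task looks like RAT persistence; an empty list means nothing matched."""
    cmd = str(task["command"]).lower().replace("/", "\\")
    reasons: List[str] = []
    if cmd.startswith(SUSPECT) or (cmd.startswith("c:\\windows\\") and not cmd.startswith(WINDOWS_OK)):
        reasons.append(f"action runs from an unusual directory: {task['command']}")
    if task["runlevel"] == "HighestAvailable":
        reasons.append("RunLevel HighestAvailable (elevated whenever the user can elevate)")
    if "LogonTrigger" in list(task["triggers"]):
        reasons.append("LogonTrigger: re-launched at every logon")
    rep = task["repeat_minutes"]
    if isinstance(rep, (int, float)) and rep <= 15:
        reasons.append(f"repeats every {rep:g} minutes (respawn/watchdog)")
    return reasons


def hunt(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """name -> reasons for every task that collects two or more reasons."""
    hits: Dict[str, List[str]] = {}
    for name, xml_text in tasks.items():
        reasons = assess_task(parse_task(xml_text))
        if len(reasons) >= 2:
            hits[name] = reasons
    return hits


def _task_xml(triggers: str, runlevel: str, command: str) -> str:
    # Constructed. Real exports are UTF-16 with an XML declaration: parse those from
    # the file bytes (ET.parse) rather than from a decoded str.
    return f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>{triggers}</Triggers>
  <Principals><Principal id="Author"><RunLevel>{runlevel}</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""


LOGON = "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>"
SAMPLE_TASKS = {  # names and actions follow the schtasks lines in the report's process tree
    "RuntimeBroker": _task_xml(LOGON, "HighestAvailable", r"C:\Windows\Containers\serviced\RuntimeBroker.exe"),
    "RuntimeBrokerR": _task_xml("<TimeTrigger><Repetition><Interval>PT11M</Interval></Repetition>"
                                "<StartBoundary>2024-06-21T01:09:00</StartBoundary><Enabled>true</Enabled></TimeTrigger>",
                                "HighestAvailable", r"C:\Windows\Containers\serviced\RuntimeBroker.exe"),
    "upfc": _task_xml(LOGON, "HighestAvailable", r"C:\Windows\Globalization\Time Zone\upfc.exe"),
    "NightlyBackup": _task_xml("<CalendarTrigger><StartBoundary>2024-06-01T02:00:00</StartBoundary>"
                               "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>",
                               "LeastPrivilege", r"C:\Windows\System32\wbadmin.exe"),  # constructed control
}
```

On a real host, feed `hunt()` the output of `schtasks /query /xml` per task name (or the files under C:\Windows\System32\Tasks, which are the same XML); the two-reason threshold keeps ordinary HighestAvailable maintenance tasks out of the hit list while every DcRat task here collects three.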
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4568
  -
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bdeYQE4Pv.bat"
    - Suspicious use of WriteProcessMemory
    PID:4564
    -
    C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      (two time samples five seconds apart against localhost: the batch file uses this as a delay before it launches the dropped payload)
      PID:3376
    -
    C:\Windows\Containers\serviced\RuntimeBroker.exe
      Command line: "C:\Windows\Containers\serviced\RuntimeBroker.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID:4900
-
C:\Windows\system32\schtasks.exe (this and the following eleven schtasks.exe entries are top-level because their parent is WmiPrvSE.exe, see "Process spawned unexpected child process" above)
  Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\MusNotification.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4724
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\MusNotification.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:216
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\MusNotification.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4660
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1672
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:224
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4652
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4504
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2464
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:924
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5052
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3472
-
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\serviced\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (top-level; not a child of the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
  PID:3492
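The tree above is the whole chain: sample, batch file, w32tm delay, self-copy launched under a system-binary name, and twelve schtasks calls made through WMI. The following is an added example, not code from the report or the sandbox, that turns it into detection logic: it tokenises Windows command lines, parses the switches of `schtasks /create`, and scores process-creation events. The events are constructed from the tree (the initial sample's parent, assumed to be explorer.exe, the field names, the assumed home directories of the impersonated binaries, and the NightlyBackup control event are assumptions; six of the twelve schtasks lines are included, the upfc and TextInputHost triples having the same shape). It flags the WmiPrvSE.exe parent, /tr targets that borrow a Windows binary's name outside its real directory, /rl HIGHEST, ONLOGON and short MINUTE schedules, DcRat's name-plus-first-letter task names, the w32tm stripchart delay and the .bat launched from Temp.

```python
"""Score process-creation events for the DcRat persistence chain in the tree above.
Added example, not part of the sandbox report: events are constructed from the
report's process tree (the sample's parent explorer.exe and the NightlyBackup control
are assumptions). Map EDR or Sysmon Event ID 1 Image, ParentImage and CommandLine
onto image / parent_image / cmdline."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed home directory of each genuine binary (prefix match; extend for your build).
EXPECTED_HOMES = {"runtimebroker.exe": "c:\\windows\\system32\\", "upfc.exe": "c:\\windows\\system32\\",
                  "musnotification.exe": "c:\\windows\\system32\\", "textinputhost.exe": "c:\\windows\\systemapps\\"}
VALUED = {"/tn", "/sc", "/mo", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/xml"}  # switches that take a value


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, object]]:
    """Switches of a 'schtasks /create' line (valued -> value, bare -> True), plus
    'target': the /tr value with the quotes DcRat wraps around it removed."""
    toks = split_cmdline(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe") or "/create" not in [t.lower() for t in toks]:
        return None
    opts: Dict[str, object] = {}
    i = 1
    while i < len(toks):
        key = toks[i].lower()
        if key in VALUED:
            opts[key[1:]] = toks[i + 1] if i + 1 < len(toks) else ""
            i += 2
            continue
        if key.startswith("/"):
            opts[key[1:]] = True
        i += 1
    opts["target"] = str(opts.get("tr", "")).strip("'\"")
    return opts


def is_lookalike(path: str) -> bool:
    """True when the file name is a known Windows binary sitting outside its home directory."""
    m = re.match(r"\s*(.*?\.exe)", path.lower().replace("/", "\\"))
    directory, _, name = (m.group(1) if m else "").rpartition("\\")
    home = EXPECTED_HOMES.get(name)
    return home is not None and not (directory + "\\").startswith(home)


def score_event(ev: Dict[str, object]) -> List[str]:
    """Reasons an event matches the pattern; an empty list means nothing matched."""
    base = str(ev["image"]).lower().rpartition("\\")[2]
    pbase = str(ev["parent_image"]).lower().rpartition("\\")[2]
    cl, reasons = str(ev["cmdline"]), []
    if base == "schtasks.exe" and pbase == "wmiprvse.exe":
        reasons.append("schtasks.exe spawned by WmiPrvSE.exe (created through WMI, not by a shell)")
    if is_lookalike(str(ev["image"])):
        reasons.append(f"image is a lookalike of a Windows binary: {ev['image']}")
    opts = parse_schtasks_create(cl)
    if opts:
        target, tn = str(opts["target"]), str(opts.get("tn", ""))
        sc, mo = str(opts.get("sc", "")).upper(), str(opts.get("mo", ""))
        if is_lookalike(target):
            reasons.append(f"/tr points at a lookalike binary: {target}")
        if str(opts.get("rl", "")).upper() == "HIGHEST":
            reasons.append("/rl HIGHEST: runs with the highest available token")
        if sc == "ONLOGON":
            reasons.append("ONLOGON trigger: re-launched at every logon")
        elif sc == "MINUTE" and mo.isdigit() and int(mo) <= 15:
            reasons.append(f"re-runs every {mo} minutes (respawn/watchdog)")
        stem = target.rpartition("\\")[2].rpartition(".")[0]
        if tn and stem and tn.lower() in (stem.lower(), (stem + stem[0]).lower()):
            reasons.append(f"task name {tn!r} is the target's file name (+ its first letter): DcRat's convention")
    if base == "w32tm.exe" and "/stripchart" in cl.lower() and "/computer:localhost" in cl.lower():
        reasons.append("w32tm /stripchart against localhost: a sleep substitute in dropper .bat files")
    if base == "cmd.exe" and re.search(r'/c\s+"?[^"]*\\temp\\[^"]*\.bat', cl, re.I):
        reasons.append("cmd.exe /C running a .bat dropped under a Temp directory")
    return reasons


def detect(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """(pid, reasons) for every event that collected at least one reason."""
    return [(int(ev["pid"]), r) for ev in events if (r := score_event(ev))]


# Constructed input mirroring the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17.exe"
CMD, WMI = r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"
MUS, RTB = r"C:\Program Files (x86)\Windows Mail\MusNotification.exe", r"C:\Windows\Containers\serviced\RuntimeBroker.exe"


def _ev(pid: int, image: str, parent: str, cmdline: str) -> Dict[str, object]:
    return {"pid": pid, "image": image, "parent_image": parent, "cmdline": cmdline}


def _task(pid: int, tn: str, sc: str, mo: str, target: str, highest: bool) -> Dict[str, object]:
    cl = f'schtasks.exe /create /tn "{tn}" /sc {sc}' + (f" /mo {mo}" if mo else "")
    cl += f" /tr \"'{target}'\"" + (" /rl HIGHEST" if highest else "") + " /f"
    return _ev(pid, r"C:\Windows\system32\schtasks.exe", WMI, cl)


SAMPLE_EVENTS: List[Dict[str, object]] = [
    _ev(4568, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),  # parent assumed
    _ev(4564, CMD, SAMPLE, f'"{CMD}" /C "C:\\Users\\Admin\\AppData\\Local\\Temp\\5bdeYQE4Pv.bat"'),
    _ev(3376, r"C:\Windows\system32\w32tm.exe", CMD, "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    _ev(4900, RTB, CMD, f'"{RTB}"'),
    _ev(5100, r"C:\Windows\System32\schtasks.exe", CMD,  # benign control, constructed
        r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup -quiet"'),
    _task(4724, "MusNotificationM", "MINUTE", "11", MUS, False),
    _task(216, "MusNotification", "ONLOGON", "", MUS, True),
    _task(4660, "MusNotificationM", "MINUTE", "9", MUS, True),
    _task(5052, "RuntimeBrokerR", "MINUTE", "12", RTB, False),
    _task(3472, "RuntimeBroker", "ONLOGON", "", RTB, True),
    _task(4112, "RuntimeBrokerR", "MINUTE", "11", RTB, True),
]
```

`detect(SAMPLE_EVENTS)` flags the batch launch, the w32tm delay, the dropped RuntimeBroker.exe and all six schtasks events, and leaves the sample's own start and the NightlyBackup control untouched; the WmiPrvSE.exe-parent reason on its own is already a strong signal, since interactive use of schtasks never produces it.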
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5bdeYQE4Pv.bat
Filesize: 213B
MD5: fa9172111cea454fbeccea153941b210
SHA1: ce0020963f3c1f612989e3d362791708845a2172
SHA256: eb8ce3485117df88cd1e4ed65373d4a6a6fd8aef502fddbc62b33f5e591a4dc9
SHA512: b4218245ba92caf2558a1235d08333e4931fa07f4261584371dd290111f0ecd28fa72a283aa6eabefda44a938067e8654e5b4b3537ee5ca5856bd0f3775a4abe
-
C:\Windows\Containers\serviced\RuntimeBroker.exe
Filesize: 827KB
MD5: 33ab5cbb351fa75f5d4f3e3b5aa064a9
SHA1: ac9bcf69aecff1ff5d4108df204a4a2b572e1eef
SHA256: 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17
SHA512: 4e62650b49ae86c152463742a04980627d54dc8efc7dd3443625210d13db815f279989d846bbca4376cd127595403cfd53160c0fa78f3d198bf400da5655a98e
(Size and all four hashes match the submitted sample: the dropped RuntimeBroker.exe is a byte-for-byte copy of it, so the sample's hashes are also the file indicator for the persisted payload.)
-
memory/4568-1-0x00007FF8F10D3000-0x00007FF8F10D5000-memory.dmp
Filesize: 8KB
-
memory/4568-0-0x0000000000DB0000-0x0000000000E86000-memory.dmp
Filesize: 856KB
-
memory/4568-4-0x00007FF8F10D0000-0x00007FF8F1B91000-memory.dmp
Filesize: 10.8MB
-
memory/4568-17-0x00007FF8F10D0000-0x00007FF8F1B91000-memory.dmp
Filesize: 10.8MB