Analysis
- max time kernel: 139s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 01:27
Behavioral tasks
- behavioral1: sample 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe, resource win7-20240508-en
- behavioral2: sample 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe, resource win10v2004-20240611-en
General
- Target: 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe
- Size: 1.1MB
- MD5: 105e56a8f722fc60cb17281dc8a0d073
- SHA1: 85bcb8e6b6c83f2a64260ae3ad2386b7e4aa0434
- SHA256: 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab
- SHA512: 6b4fd698cb80400d610629b0390314de0d06067d3648ba893a1fed5198bb6f0194e52685d95c7f0afc79eace95188668dcc05f4c6f19b89ee6ca05ca6d2b1172
- SSDEEP: 24576:U2G/nvxW3Ww0txUX597x0D6TmBqndcQ71Ee:UbA30GPWD6BNd
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Matches (resource | yara_rule):
  C:\winDhcp\browserhostnet.exe | dcrat
  behavioral2/memory/4380-13-0x0000000000A80000-0x0000000000B56000-memory.dmp | dcrat
- Process spawned unexpected child process (12 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process); the description is the same for all 12 rows: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"
  1472 | 4348 | schtasks.exe
  2276 | 4348 | schtasks.exe
  4492 | 4348 | schtasks.exe
  4460 | 4348 | schtasks.exe
  2720 | 4348 | schtasks.exe
  1744 | 4348 | schtasks.exe
  2604 | 4348 | schtasks.exe
  1376 | 4348 | schtasks.exe
  3860 | 4348 | schtasks.exe
  4776 | 4348 | schtasks.exe
  4552 | 4348 | schtasks.exe
  4664 | 4348 | schtasks.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | browserhostnet.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  4380 | browserhostnet.exe
  708 | RuntimeBroker.exe
- Drops file in System32 directory (3 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\pl-PL\RuntimeBroker.exe | browserhostnet.exe
  File opened for modification | C:\Windows\SysWOW64\pl-PL\RuntimeBroker.exe | browserhostnet.exe
  File created | C:\Windows\SysWOW64\pl-PL\9e8d7a4ca61bd9 | browserhostnet.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0 | browserhostnet.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe | browserhostnet.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
  4664 | schtasks.exe
  1472 | schtasks.exe
  4492 | schtasks.exe
  4460 | schtasks.exe
  1744 | schtasks.exe
  2604 | schtasks.exe
  1376 | schtasks.exe
  4552 | schtasks.exe
  2276 | schtasks.exe
  2720 | schtasks.exe
  3860 | schtasks.exe
  4776 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process):
  4380 | browserhostnet.exe (5 hits)
  708 | RuntimeBroker.exe (9 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  708 | RuntimeBroker.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4380 | browserhostnet.exe
  Token: SeDebugPrivilege | 708 | RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  PID 3808 wrote to memory of 2128 | 3808 | 9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe | WScript.exe (3 hits)
  PID 2128 wrote to memory of 1540 | 2128 | WScript.exe | cmd.exe (3 hits)
  PID 1540 wrote to memory of 4380 | 1540 | cmd.exe | browserhostnet.exe (2 hits)
  PID 4380 wrote to memory of 708 | 4380 | browserhostnet.exe | RuntimeBroker.exe (2 hits)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d589087ac7d4203c78508ac474c2070a9a3df778288899dc5c8cd7b4ea296ab.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3808
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\winDhcp\DyOE67CiXFDK4.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 2128
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\winDhcp\QlWrCKPitO3EBDJkoooUbfBub6XAu.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 1540
      - C:\winDhcp\browserhostnet.exe
        Command line: "C:\winDhcp\browserhostnet.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4380
        - C:\Windows\SysWOW64\pl-PL\RuntimeBroker.exe
          Command line: "C:\Windows\SysWOW64\pl-PL\RuntimeBroker.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID: 708
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\pl-PL\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1472
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SysWOW64\pl-PL\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2276
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\pl-PL\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4492
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4460
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2720
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1744
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\winDhcp\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\winDhcp\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1376
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\winDhcp\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3860
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4776
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4552
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4664
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\winDhcp\DyOE67CiXFDK4.vbe
  Filesize: 213B
  MD5: a6895e1baccdda4b4f131a5d6b29884a
  SHA1: 5e53063494d49c65bb3f940edf030462a9646b0b
  SHA256: 7218700f0f012caf18a92e2f012d56b3f1241414d11bb38d69e0633a33d80ff9
  SHA512: 439eff2b5e330a534d582501053290dcf7a44f4de685cacb8b7a6b91bd76a59f044208f1e7eca52f857fe18a8c93441c0d4a62495a30b308035c6edce1b7e8a1
- C:\winDhcp\QlWrCKPitO3EBDJkoooUbfBub6XAu.bat
  Filesize: 31B
  MD5: 0783953e91c834463a8af6965b8a6e82
  SHA1: 66d1c6db94b36f6112e393e33ae94f4b963f1b31
  SHA256: f1abb9924b1d91414efe342d4b3a2b7e9e49aaaeef4300f5f3a0cda9e7ad853d
  SHA512: 0054fc1f4dbdc09ba5137d5b581d9da43878c23efb1ae888b71fbde8e28c09f9c39728423697dd5479063050fd5819c251856bb6b58155e9e8de99d8ee67165a
- C:\winDhcp\browserhostnet.exe
  Filesize: 827KB
  MD5: 68491d301f2370e9484c90a4ca8c458a
  SHA1: 57a7952959c07c419a2204939c1da301f6a47030
  SHA256: b92fd00e3af0abf5d62269056cf1a43e7da0efbf70467070ad2923bf41554c97
  SHA512: 3e1f8e620ce892d222a624fe5a3d791e58ae5a3ac5048639854a5021099844feda6a32109ca78666690113014eea3c29821b955d462db73cd9c1807e2e815558
- memory/4380-12-0x00007FFA5AD63000-0x00007FFA5AD65000-memory.dmp
  Filesize: 8KB
- memory/4380-13-0x0000000000A80000-0x0000000000B56000-memory.dmp
  Filesize: 856KB