Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 01:06

General

  • Target

    2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe

  • Size

    1.1MB

  • MD5

    586551303debdcf610645e79397bba4d

  • SHA1

    3ebc6e5ae076f40c5b65a955549efb20af93db4c

  • SHA256

    2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9

  • SHA512

    21cab4ac88765f77682f8271d9de126b92fc57e793b702c7ae8d5aefefdfb245c2ad1b9880635ebdfc857ed6739fa9582a4380f7c95545aa8261526e812072a7

  • SSDEEP

    24576:U2G/nvxW3Ww0tfSxBXpxsfdnRegCieaho8AAe:UbA30f8xsVnRegCXQfO

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe
    "C:\Users\Admin\AppData\Local\Temp\2d578ea6dc9a22d8b7ef1ed05429560daebb9847de4c4e42d84de61b2cecb8d9.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgeperfmonitor\Okr5BLwtARysGVz5KIiKrQ4stl1.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Bridgeperfmonitor\mVYPBQ4QEo2wIKyAZnDKAnqv22.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Bridgeperfmonitor\blockbrowser.exe
          "C:\Bridgeperfmonitor\blockbrowser.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hCe3yjkG4Z.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4436
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1628
              • C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe
                "C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1756
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\CbsTemp\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\CbsTemp\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Bridgeperfmonitor\Okr5BLwtARysGVz5KIiKrQ4stl1.vbe
      Filesize

      220B

      MD5

      1b20f3dc25276310b5d6cfaed4a33b7c

      SHA1

      7ae42214f2c13396a52d03663e258c327da709f7

      SHA256

      0cae9a0b5bea3b264a98449dc617d942dba020635f4a890fa3d8ca3561fb99b9

      SHA512

      997bff21f51187fd5911a5c6e1d298892e6a35d127e50d8df0e2375c64e346f35f5d22bb879ba4bb87ef76d853976a09fe3ed3b735a14575c3c88c3533c7ceee

    • C:\Bridgeperfmonitor\blockbrowser.exe
      Filesize

      828KB

      MD5

      72f4befd780dfd7a742491bd9530a414

      SHA1

      33c6b52892da0063fd2106beaaddfafee7d48989

      SHA256

      e6cd6de8708a8c6112e24bebc33cd6f5ed004ef6db10e5fa1ca82987bb62589e

      SHA512

      0505131abd115659c4c2070e7133487de301249f5693de2c00a4965cb58ca9feef61ec456c44fa8270f53faf0d29a02ddbbbd541e1290519edf05a2a0f1ae16b

    • C:\Bridgeperfmonitor\mVYPBQ4QEo2wIKyAZnDKAnqv22.bat
      Filesize

      39B

      MD5

      ecc0b37d413fa823b389d0b5c56b2730

      SHA1

      d3ea7dce841ec52d88415f5a7c509a2c6639093b

      SHA256

      0ff3f98f6426addb5c7bd25c7fdac293431467095d9cd37aa253f44b37c81697

      SHA512

      6f0c242eedc331ef59e150fab857c4a07f63c647df83a98f854cc906cceb677a5b4d8eb00ce58319d75480d281ff24cd50b381d1da1da8e2f3e7cbf0480af8e0

    • C:\Users\Admin\AppData\Local\Temp\hCe3yjkG4Z.bat
      Filesize

      246B

      MD5

      3530a81166b6f4de33aff62fd7922015

      SHA1

      5e8358aea000d08b40ca45c575d85e33a02afd01

      SHA256

      911c59669c46d5aa8c4bdebf43d2344054156b013bd982f4956cf5f1ddd66468

      SHA512

      f05ce9c133d177b361312b661ce72dec77ce27f28cc70547c8111f332a6c4e2ed7d37799a5468c3624388206da408d83a6dc6d50d084786da98a85bd8be16b7f

    • memory/2932-12-0x00007FF9BC7E3000-0x00007FF9BC7E5000-memory.dmp
      Filesize

      8KB

    • memory/2932-13-0x0000000000F80000-0x0000000001056000-memory.dmp
      Filesize

      856KB