Analysis
max time kernel: 141s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 22-06-2024 01:09
Behavioral task: behavioral1
Sample: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
Resource: win10v2004-20240611-en
General
Target: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
Size: 827KB
MD5: 9c88646fc2e6a87d06ef9146d061b814
SHA1: a5a15178301aa854faf6e8fe6048ad1372a8ac67
SHA256: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983
SHA512: ebb5356f86cc925dcc8b47e0e96efe5dfb787b368c5921790086d378b574498c8083f5962d27451d78ab488667634a61f178c750b95cfcfe79f62f29989bc231
SSDEEP: 12288:dEo0OhY4AtUMGEvw2vd1JdxXQJN5IsULGpSCXnRKldH5x5n76:0OG4AtUMGv21PdxXu5/hRKJfnW
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Process spawned unexpected child process (24 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe (24 instances)
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | (one row per pid below) | 5048 | schtasks.exe
  pid values, in report order: 2308, 2220, 1448, 2496, 4200, 5032, 2148, 1424, 2036, 1232, 2400, 4044, 3120, 4268, 4556, 4376, 2356, 3572, 3896, 1696, 860, 2772, 5044, 2288
- YARA rule matches (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4912-1-0x0000000000E00000-0x0000000000ED6000-memory.dmp | dcrat
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\backgroundTaskHost.exe | dcrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
- Executes dropped EXE (1 IoC)
  Processes: sihost.exe
  pid | process
  3816 | sihost.exe
- Drops file in Program Files directory (6 IoCs)
  Processes: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  description | ioc | process
  File created | C:\Program Files\7-Zip\Lang\fontdrvhost.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  File created | C:\Program Files\7-Zip\Lang\5b884080fd4f94 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  File created | C:\Program Files (x86)\Microsoft.NET\msedge.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  File created | C:\Program Files (x86)\Microsoft.NET\61a52ddc9dd915 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  File created | C:\Program Files (x86)\Reference Assemblies\wininit.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  File created | C:\Program Files (x86)\Reference Assemblies\56085415360792 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  description | ioc | process
  File created | C:\Windows\ShellExperiences\backgroundTaskHost.exe | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  File created | C:\Windows\ShellExperiences\eddb19405b7ce1 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 24 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (24 instances)
  pid | process
  2308, 2400, 3120, 4268, 1696, 2772, 1448, 5032, 2148, 2036, 4556, 2288, 3896, 5044, 2220, 1424, 1232, 4044, 4376, 3572, 2496, 4200, 2356, 860 | schtasks.exe (one row per pid, in report order)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe, sihost.exe
  pid | process
  4912 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  4912 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  4912 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  3816 | sihost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe, sihost.exe
  description | pid | process
  Token: SeDebugPrivilege | 4912 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  Token: SeDebugPrivilege | 3816 | sihost.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe
  description | pid | process | target process
  PID 4912 wrote to memory of 3816 | 4912 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe | sihost.exe
  PID 4912 wrote to memory of 3816 | 4912 | 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe | sihost.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree; the number in brackets is the depth level reported by the sandbox. Each entry lists the image path, the full command line, and the signatures that fired on it.)

[1] C:\Users\Admin\AppData\Local\Temp\41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe (PID 4912)
    Command line: "C:\Users\Admin\AppData\Local\Temp\41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Default\Links\sihost.exe (PID 3816)
        Command line: "C:\Users\Default\Links\sihost.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\schtasks.exe (PID 2308)
    Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\msedge.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2220)
    Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1448)
    Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2496)
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 4200)
    Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 5032)
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2148)
    Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\msedge.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1424)
    Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\msedge.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2036)
    Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\msedge.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1232)
    Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2400)
    Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 4044)
    Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 3120)
    Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 4268)
    Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 4556)
    Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 4376)
    Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2356)
    Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 3572)
    Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 3896)
    Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\sihost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1696)
    Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Links\sihost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 860)
    Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\sihost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2772)
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 5044)
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2288)
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4596)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4224,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8
    (no signatures)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\backgroundTaskHost.exe
  Filesize: 827KB
  MD5: 9c88646fc2e6a87d06ef9146d061b814
  SHA1: a5a15178301aa854faf6e8fe6048ad1372a8ac67
  SHA256: 41ac780af4899422861ef80ac9c6ac3ac9f6cb1d7edb930f8fdbdefb2bcc4983
  SHA512: ebb5356f86cc925dcc8b47e0e96efe5dfb787b368c5921790086d378b574498c8083f5962d27451d78ab488667634a61f178c750b95cfcfe79f62f29989bc231
- memory/4912-1-0x0000000000E00000-0x0000000000ED6000-memory.dmp
  Filesize: 856KB
- memory/4912-0-0x00007FF874513000-0x00007FF874515000-memory.dmp
  Filesize: 8KB
- memory/4912-2-0x00007FF874510000-0x00007FF874FD1000-memory.dmp
  Filesize: 10.8MB
- memory/4912-30-0x00007FF874510000-0x00007FF874FD1000-memory.dmp
  Filesize: 10.8MB