Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
17-07-2024 17:06
Behavioral task
behavioral1
Sample
0870f1c7c11ccccdf633fd048f7b4ca6.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
0870f1c7c11ccccdf633fd048f7b4ca6.exe
Resource
win10v2004-20240709-en
General
-
Target
0870f1c7c11ccccdf633fd048f7b4ca6.exe
-
Size
886KB
-
MD5
0870f1c7c11ccccdf633fd048f7b4ca6
-
SHA1
adbd47390c26c0126ae459a4edc7eaddff444f47
-
SHA256
e7df2a5597fe4ba4dc5c82b1b0b8d38b145bf01131dc23655113ecb9014b2853
-
SHA512
70bcb89ce7aae98278f9ffc46987da2635e8dbc060d3de0560b474ac400d8793ebcae75cfeb10ded85fa94591099e0e17a899ee57efebf62cfca215289a6be42
-
SSDEEP
24576:YRXEdpvgXk0IvSWPoOHK4PsRHUWEapE1:YRXEgXnKnGjK
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4540 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3364 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1336 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3572 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2052 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3348 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 412 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4588 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3048 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4040 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1464 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1236 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1388 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4308 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4604 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3472 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1892 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 320 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2432 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4596 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 548 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2668 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 456 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4964 1860 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 1860 schtasks.exe -
Processes:
resource yara_rule behavioral2/memory/5080-1-0x0000000000180000-0x0000000000264000-memory.dmp dcrat C:\Windows\Registration\CRMLog\System.exe dcrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0870f1c7c11ccccdf633fd048f7b4ca6.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation 0870f1c7c11ccccdf633fd048f7b4ca6.exe -
Executes dropped EXE 1 IoCs
Processes:
SearchApp.exepid process 4784 SearchApp.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 26 ipinfo.io 27 ipinfo.io -
Drops file in Program Files directory 6 IoCs
Processes:
0870f1c7c11ccccdf633fd048f7b4ca6.exedescription ioc process File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\c5b4cb5e9653cc 0870f1c7c11ccccdf633fd048f7b4ca6.exe File created C:\Program Files (x86)\MSBuild\SearchApp.exe 0870f1c7c11ccccdf633fd048f7b4ca6.exe File created C:\Program Files (x86)\MSBuild\38384e6a620884 0870f1c7c11ccccdf633fd048f7b4ca6.exe File created C:\Program Files (x86)\Windows Photo Viewer\0870f1c7c11ccccdf633fd048f7b4ca6.exe 0870f1c7c11ccccdf633fd048f7b4ca6.exe File created C:\Program Files (x86)\Windows Photo Viewer\fab92a8346406f 0870f1c7c11ccccdf633fd048f7b4ca6.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe 0870f1c7c11ccccdf633fd048f7b4ca6.exe -
Drops file in Windows directory 2 IoCs
Processes:
0870f1c7c11ccccdf633fd048f7b4ca6.exedescription ioc process File created C:\Windows\Registration\CRMLog\System.exe 0870f1c7c11ccccdf633fd048f7b4ca6.exe File created C:\Windows\Registration\CRMLog\27d1bcfc3c54e0 0870f1c7c11ccccdf633fd048f7b4ca6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4040 schtasks.exe 4308 schtasks.exe 1892 schtasks.exe 548 schtasks.exe 456 schtasks.exe 4540 schtasks.exe 3572 schtasks.exe 1236 schtasks.exe 3472 schtasks.exe 3016 schtasks.exe 4964 schtasks.exe 3348 schtasks.exe 412 schtasks.exe 1528 schtasks.exe 320 schtasks.exe 2940 schtasks.exe 2052 schtasks.exe 3048 schtasks.exe 1464 schtasks.exe 1388 schtasks.exe 4604 schtasks.exe 2936 schtasks.exe 4596 schtasks.exe 2124 schtasks.exe 4588 schtasks.exe 1956 schtasks.exe 3364 schtasks.exe 1336 schtasks.exe 2432 schtasks.exe 2668 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
0870f1c7c11ccccdf633fd048f7b4ca6.exeSearchApp.exepid process 5080 0870f1c7c11ccccdf633fd048f7b4ca6.exe 5080 0870f1c7c11ccccdf633fd048f7b4ca6.exe 5080 0870f1c7c11ccccdf633fd048f7b4ca6.exe 4784 SearchApp.exe 4784 SearchApp.exe 4784 SearchApp.exe 4784 SearchApp.exe 4784 SearchApp.exe 4784 SearchApp.exe 4784 SearchApp.exe 4784 SearchApp.exe 4784 SearchApp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
SearchApp.exepid process 4784 SearchApp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
0870f1c7c11ccccdf633fd048f7b4ca6.exeSearchApp.exedescription pid process Token: SeDebugPrivilege 5080 0870f1c7c11ccccdf633fd048f7b4ca6.exe Token: SeDebugPrivilege 4784 SearchApp.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
0870f1c7c11ccccdf633fd048f7b4ca6.exedescription pid process target process PID 5080 wrote to memory of 4784 5080 0870f1c7c11ccccdf633fd048f7b4ca6.exe SearchApp.exe PID 5080 wrote to memory of 4784 5080 0870f1c7c11ccccdf633fd048f7b4ca6.exe SearchApp.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0870f1c7c11ccccdf633fd048f7b4ca6.exe"C:\Users\Admin\AppData\Local\Temp\0870f1c7c11ccccdf633fd048f7b4ca6.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Program Files (x86)\MSBuild\SearchApp.exe"C:\Program Files (x86)\MSBuild\SearchApp.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0870f1c7c11ccccdf633fd048f7b4ca60" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\0870f1c7c11ccccdf633fd048f7b4ca6.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0870f1c7c11ccccdf633fd048f7b4ca6" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\0870f1c7c11ccccdf633fd048f7b4ca6.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "0870f1c7c11ccccdf633fd048f7b4ca60" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\0870f1c7c11ccccdf633fd048f7b4ca6.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
886KB
MD50870f1c7c11ccccdf633fd048f7b4ca6
SHA1adbd47390c26c0126ae459a4edc7eaddff444f47
SHA256e7df2a5597fe4ba4dc5c82b1b0b8d38b145bf01131dc23655113ecb9014b2853
SHA51270bcb89ce7aae98278f9ffc46987da2635e8dbc060d3de0560b474ac400d8793ebcae75cfeb10ded85fa94591099e0e17a899ee57efebf62cfca215289a6be42