Analysis
-
max time kernel
104s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
21-07-2024 09:38
Behavioral task
behavioral1
Sample
a57378db4d26609de5f519dd2659ae60N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
a57378db4d26609de5f519dd2659ae60N.exe
Resource
win10v2004-20240709-en
General
-
Target
a57378db4d26609de5f519dd2659ae60N.exe
-
Size
784KB
-
MD5
a57378db4d26609de5f519dd2659ae60
-
SHA1
56f0f96c01ca12792cea6b7ea0814f0f568fe095
-
SHA256
cb667550264f5028045377419da9a935006e09b136ebe69a409a520dbf8db587
-
SHA512
6bfa4635da5753f2713c826ade75910bd0d8488915c8b80e5893b52c7c8696538edb5d4a4fba68636b1a92de6d487a184fabafb945ee35eecb6015bf4163cf33
-
SSDEEP
12288:eqnO8YpD1oOJp+Ce1PSiG2jfIBoI5DyDwYMDxFesH0ioBw7oKk2:e+ORToOWSi5gBoS4wYUJ0eo2
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4036 1280 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2384 1280 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4416 1280 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 624 1280 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1368 1280 schtasks.exe -
Processes:
a57378db4d26609de5f519dd2659ae60N.exea57378db4d26609de5f519dd2659ae60N.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a57378db4d26609de5f519dd2659ae60N.exe -
Processes:
resource yara_rule behavioral2/memory/4876-1-0x00000000003B0000-0x000000000047A000-memory.dmp dcrat C:\Users\Default\Documents\dllhost.exe dcrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a57378db4d26609de5f519dd2659ae60N.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation a57378db4d26609de5f519dd2659ae60N.exe -
Executes dropped EXE 1 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.exepid process 3316 a57378db4d26609de5f519dd2659ae60N.exe -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\splwow64\\sysmon.exe\"" a57378db4d26609de5f519dd2659ae60N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\cleanmgr\\sihost.exe\"" a57378db4d26609de5f519dd2659ae60N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\My Documents\\dllhost.exe\"" a57378db4d26609de5f519dd2659ae60N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a57378db4d26609de5f519dd2659ae60N = "\"C:\\ProgramData\\Desktop\\a57378db4d26609de5f519dd2659ae60N.exe\"" a57378db4d26609de5f519dd2659ae60N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\InputMethod\\SHARED\\backgroundTaskHost.exe\"" a57378db4d26609de5f519dd2659ae60N.exe -
Processes:
a57378db4d26609de5f519dd2659ae60N.exea57378db4d26609de5f519dd2659ae60N.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a57378db4d26609de5f519dd2659ae60N.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a57378db4d26609de5f519dd2659ae60N.exe -
Drops file in System32 directory 4 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.exedescription ioc process File created C:\Windows\System32\cleanmgr\sihost.exe a57378db4d26609de5f519dd2659ae60N.exe File created C:\Windows\System32\cleanmgr\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 a57378db4d26609de5f519dd2659ae60N.exe File opened for modification C:\Windows\System32\cleanmgr\RCXB53A.tmp a57378db4d26609de5f519dd2659ae60N.exe File opened for modification C:\Windows\System32\cleanmgr\sihost.exe a57378db4d26609de5f519dd2659ae60N.exe -
Drops file in Windows directory 8 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.exedescription ioc process File opened for modification C:\Windows\InputMethod\SHARED\RCXB0B4.tmp a57378db4d26609de5f519dd2659ae60N.exe File opened for modification C:\Windows\InputMethod\SHARED\backgroundTaskHost.exe a57378db4d26609de5f519dd2659ae60N.exe File opened for modification C:\Windows\splwow64\RCXB336.tmp a57378db4d26609de5f519dd2659ae60N.exe File opened for modification C:\Windows\splwow64\sysmon.exe a57378db4d26609de5f519dd2659ae60N.exe File created C:\Windows\InputMethod\SHARED\backgroundTaskHost.exe a57378db4d26609de5f519dd2659ae60N.exe File created C:\Windows\InputMethod\SHARED\eddb19405b7ce1152b3e19997f2b467f0b72b3d3 a57378db4d26609de5f519dd2659ae60N.exe File created C:\Windows\splwow64\sysmon.exe a57378db4d26609de5f519dd2659ae60N.exe File created C:\Windows\splwow64\121e5b5079f7c0e46d90f99b3864022518bbbda9 a57378db4d26609de5f519dd2659ae60N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings a57378db4d26609de5f519dd2659ae60N.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4036 schtasks.exe 2384 schtasks.exe 4416 schtasks.exe 624 schtasks.exe 1368 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.exea57378db4d26609de5f519dd2659ae60N.exepid process 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 4876 a57378db4d26609de5f519dd2659ae60N.exe 3316 a57378db4d26609de5f519dd2659ae60N.exe 3316 a57378db4d26609de5f519dd2659ae60N.exe 3316 a57378db4d26609de5f519dd2659ae60N.exe 3316 a57378db4d26609de5f519dd2659ae60N.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.exea57378db4d26609de5f519dd2659ae60N.exedescription pid process Token: SeDebugPrivilege 4876 a57378db4d26609de5f519dd2659ae60N.exe Token: SeDebugPrivilege 3316 a57378db4d26609de5f519dd2659ae60N.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.execmd.exedescription pid process target process PID 4876 wrote to memory of 940 4876 a57378db4d26609de5f519dd2659ae60N.exe cmd.exe PID 4876 wrote to memory of 940 4876 a57378db4d26609de5f519dd2659ae60N.exe cmd.exe PID 940 wrote to memory of 2428 940 cmd.exe w32tm.exe PID 940 wrote to memory of 2428 940 cmd.exe w32tm.exe PID 940 wrote to memory of 3316 940 cmd.exe a57378db4d26609de5f519dd2659ae60N.exe PID 940 wrote to memory of 3316 940 cmd.exe a57378db4d26609de5f519dd2659ae60N.exe -
System policy modification 1 TTPs 6 IoCs
Processes:
a57378db4d26609de5f519dd2659ae60N.exea57378db4d26609de5f519dd2659ae60N.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a57378db4d26609de5f519dd2659ae60N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" a57378db4d26609de5f519dd2659ae60N.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a57378db4d26609de5f519dd2659ae60N.exe"C:\Users\Admin\AppData\Local\Temp\a57378db4d26609de5f519dd2659ae60N.exe"1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4876 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OXh4IkWU9A.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2428
-
-
C:\ProgramData\Desktop\a57378db4d26609de5f519dd2659ae60N.exe"C:\ProgramData\Desktop\a57378db4d26609de5f519dd2659ae60N.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3316
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "a57378db4d26609de5f519dd2659ae60N" /sc ONLOGON /tr "'C:\ProgramData\Desktop\a57378db4d26609de5f519dd2659ae60N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\splwow64\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\cleanmgr\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b7c0c43fc7804baaa7dc87152cdc9554
SHA11bab62bd56af745678d4e967d91e1ccfdeed4038
SHA25646386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457
SHA5129fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769
-
Filesize
224B
MD5a01cb2045dfe6434f6ef7833b850c3b1
SHA17e08a73864ae0f51da3c3c58da43a8ef41e07b02
SHA25657508272382617d73c58d03d4a7fad023f8fa09fb6f5956e530bf6b8097ce843
SHA512bd8590649e3064d2d096dbb41677720797375fc93d0e15c4e761ffb3fa89f388f3a0196346e914da602daae49ab8ec210ba9b0741c6265bafc829c1cbb511185
-
Filesize
784KB
MD5a57378db4d26609de5f519dd2659ae60
SHA156f0f96c01ca12792cea6b7ea0814f0f568fe095
SHA256cb667550264f5028045377419da9a935006e09b136ebe69a409a520dbf8db587
SHA5126bfa4635da5753f2713c826ade75910bd0d8488915c8b80e5893b52c7c8696538edb5d4a4fba68636b1a92de6d487a184fabafb945ee35eecb6015bf4163cf33