Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2024 23:45
Behavioral task
behavioral1
Sample
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe
Resource
win10v2004-20240709-en
General
-
Target
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe
-
Size
784KB
-
MD5
46a0e2b153610307b9e60b7a799e452e
-
SHA1
c97dddaa1d48cd01cf7d7172cce619db86bc037f
-
SHA256
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a
-
SHA512
d3139a243ea3d067b0ae64c432ed08911fa0fb14e174ab5a499556a428b03496d90b1ef64f2a72ec6ab74f31c3544755cb041db8de99daa69a6ad97ea2cf949e
-
SSDEEP
12288:eqnO8YpD1oOJp+Ce1PSiG2jfIBoI5DyDwYMDxFesH0ioBw7oKk2:e+ORToOWSi5gBoS4wYUJ0eo2
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3120 4252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 264 4252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3192 4252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5008 4252 schtasks.exe -
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Processes:
resource yara_rule behavioral2/memory/4016-1-0x0000000000EF0000-0x0000000000FBA000-memory.dmp dcrat C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe dcrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Executes dropped EXE 1 IoCs
Processes:
StartMenuExperienceHost.exepid process 4924 StartMenuExperienceHost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\WsmSvc\\dllhost.exe\"" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\"" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\CloudNotifications\\lsass.exe\"" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\MSBuild\\SearchApp.exe\"" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Drops file in System32 directory 8 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process File created C:\Windows\System32\WsmSvc\5940a34987c99120d96dace90a3f93f329dcad63 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File opened for modification C:\Windows\System32\CloudNotifications\RCXB9EC.tmp 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File opened for modification C:\Windows\System32\CloudNotifications\lsass.exe 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File opened for modification C:\Windows\System32\WsmSvc\RCXBE72.tmp 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File opened for modification C:\Windows\System32\WsmSvc\dllhost.exe 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File created C:\Windows\System32\CloudNotifications\lsass.exe 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File created C:\Windows\System32\CloudNotifications\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File created C:\Windows\System32\WsmSvc\dllhost.exe 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Drops file in Program Files directory 4 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process File created C:\Program Files (x86)\MSBuild\SearchApp.exe 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File created C:\Program Files (x86)\MSBuild\38384e6a620884a6b69bcc56f80d556f9200171c 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File opened for modification C:\Program Files (x86)\MSBuild\RCXBC5E.tmp 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File opened for modification C:\Program Files (x86)\MSBuild\SearchApp.exe 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Drops file in Windows directory 4 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process File opened for modification C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\55b276f4edf653fe07efe8f1ecc32d3d195abd16 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\RCXB7D7.tmp 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 5008 schtasks.exe 3120 schtasks.exe 264 schtasks.exe 3192 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exepid process 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exeStartMenuExperienceHost.exedescription pid process Token: SeDebugPrivilege 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Token: SeDebugPrivilege 4924 StartMenuExperienceHost.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription pid process target process PID 4016 wrote to memory of 4924 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe StartMenuExperienceHost.exe PID 4016 wrote to memory of 4924 4016 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe StartMenuExperienceHost.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe"C:\Users\Admin\AppData\Local\Temp\865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a.exe"1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4016 -
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\CloudNotifications\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\WsmSvc\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe
Filesize784KB
MD546a0e2b153610307b9e60b7a799e452e
SHA1c97dddaa1d48cd01cf7d7172cce619db86bc037f
SHA256865e772c568fd4c46de0c6f9004ecd450e9c14ef3506b8df064014441d02f79a
SHA512d3139a243ea3d067b0ae64c432ed08911fa0fb14e174ab5a499556a428b03496d90b1ef64f2a72ec6ab74f31c3544755cb041db8de99daa69a6ad97ea2cf949e