Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-07-2024 06:30

General

  • Target

    05fc0bdf63407c4bf2aa13262366cec5.exe

  • Size

    624KB

  • MD5

    05fc0bdf63407c4bf2aa13262366cec5

  • SHA1

    3c25001232633ced8c5dbd159793f5db7b9bd3c8

  • SHA256

    7c00050f9a74c897dc0b917b07898b14150329571584ed3d7928d7c59b974c2b

  • SHA512

    9513fb1767b3f7c480c86e9958df83e30f19f0b487f7e37b844266a968dfe9b4275e4fe3c11118a5ccace381d69e928dab61a32b113095b3a2f3f83bc6a821e4

  • SSDEEP

    12288:aRZ+IoG/n9IQxW3OBsee2X+t4Rb/32N7QqcLCf8VIP9A2oxldxDZt:U2G/nvxW3Ww0t/32NCkC2o5xD7

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\05fc0bdf63407c4bf2aa13262366cec5.exe
    "C:\Users\Admin\AppData\Local\Temp\05fc0bdf63407c4bf2aa13262366cec5.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\browserperfMonitor\vkP8jBMFLUV3sBPqx5nb72wkkbdxGy.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\browserperfMonitor\Djd9PDHmb.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\browserperfMonitor\portProviderRef.exe
          "C:\browserperfMonitor\portProviderRef.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zK52lkeuoZ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1088
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1384
              • C:\Users\Admin\AppData\Local\RuntimeBroker.exe
                "C:/Users/Admin/AppData/Local/\RuntimeBroker.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\zK52lkeuoZ.bat

      Filesize

      212B

      MD5

      bd9710bb819e6393af51accf9d681b84

      SHA1

      e04ab7d05ebc46b70dfb3abff15b3298c2713189

      SHA256

      682c35e167838c336cd83e225aa077a43110785ab3cac0279fb360abfa78a186

      SHA512

      9165d1a7374f0ac7b1aab4eb4a26921c64c94a91030ae7240a439a7a189af9b220d927c7f4e8d3b7347161216e4daf5c634743dac9b6d52795446f19a86b79a7

    • C:\browserperfMonitor\Djd9PDHmb.bat

      Filesize

      43B

      MD5

      e6c63fa184d2f4c5d38e9b525bfddb81

      SHA1

      feb5e4b45154422a4e84dfcdc2279d3cb75901ff

      SHA256

      ce100b5fc38b08ad9df71883aea94f49083eb8bbec1ddc7c3a5f3c6a7514ec5b

      SHA512

      595fd643b0caaabb87fda59acd1fcd3bd953beb7b6e334e1724fd3d33fcc86d854e70d8bf080cac097eb3ddf180c95d0b9773f25aadfd66c1759adc5b2b7fe69

    • C:\browserperfMonitor\portProviderRef.exe

      Filesize

      315KB

      MD5

      0d11a32c038c7f303ad3c020717c007d

      SHA1

      fffea33c9efe66d4c343d926e30aa114e5d5967d

      SHA256

      246bbbec6cc0c1fa290496f764d38451b8f0b64d3ff08f587e0814fd49198757

      SHA512

      1afd437ee901fa934a7c425bed6a95b4b3cd303c3383e99ded4d4ef38e0e758d82febbf2030a2a7b3af131f03e1bf8d9cedf326cc221ef57e733e5c97cb24ff7

    • C:\browserperfMonitor\vkP8jBMFLUV3sBPqx5nb72wkkbdxGy.vbe

      Filesize

      201B

      MD5

      b7a2b70763db60fd1a9698cc2f1673b5

      SHA1

      233ef75d111f6b43cc8d2cd0d9e84479d04d2e2e

      SHA256

      2ed7cb88c0f405254bc9051c1fb58477bb7d046f59d94c7ec1fe7b03448751f7

      SHA512

      1c8c757064e8b1ada32149a9d2d08ecf75d3936055c5f7d4d43dd82bcbfefbb00c1f038e02e935de6713ced80e6026c9185875f4402d760842bfc804edbef74b

    • memory/2728-13-0x00007FFC0EB03000-0x00007FFC0EB05000-memory.dmp

      Filesize

      8KB

    • memory/2728-12-0x0000000000EC0000-0x0000000000F16000-memory.dmp

      Filesize

      344KB