Overview
overview
10Static
static
10dc/10.exe
windows10-2004-x64
10dc/12.exe
windows10-2004-x64
7dc/13.exe
windows10-2004-x64
10dc/15.exe
windows10-2004-x64
8dc/16.exe
windows10-2004-x64
10dc/17.exe
windows10-2004-x64
3dc/19.exe
windows10-2004-x64
10dc/22.exe
windows10-2004-x64
10dc/23.exe
windows10-2004-x64
10dc/3.exe
windows10-2004-x64
10dc/4.exe
windows10-2004-x64
3dc/5.exe
windows10-2004-x64
10dc/6.exe
windows10-2004-x64
10dc/7.exe
windows10-2004-x64
9dc/9.exe
windows10-2004-x64
10Analysis
-
max time kernel
58s -
max time network
64s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-08-2024 01:25
Behavioral task
behavioral1
Sample
dc/10.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
dc/12.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
dc/13.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
dc/15.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
dc/16.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral6
Sample
dc/17.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
dc/19.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral8
Sample
dc/22.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
dc/23.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral10
Sample
dc/3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
dc/4.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral12
Sample
dc/5.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
dc/6.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral14
Sample
dc/7.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
dc/9.exe
Resource
win10v2004-20240802-en
General
-
Target
dc/6.exe
-
Size
2.9MB
-
MD5
901347c38d0559eb5bf5bab62e6d2407
-
SHA1
34f7c5863b6d38a2c9fafcb0460d75a108b97512
-
SHA256
71f2a4f7f3abece865c8b648031a3a1cd8cb185b097ff232704307972c0141f1
-
SHA512
f9440261b64b46070d917d1fb8fbfae6ff4d201887c86a3b5c1d1561b4b5e88dc112b9aabbba234d422b02d76ff035ff95db70fca4acafca97b588eb32604701
-
SSDEEP
49152:UbA30pNm1SFq104+pXNhYaPr+igbvj+vPiNxU0qb00tfUFIdva:UbVSSF3Nsaj+z8PiuQ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2436 4924 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 4924 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4480 4924 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4032 4924 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 4924 schtasks.exe 91 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5112 4924 schtasks.exe 91 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" portbroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" portbroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" portbroker.exe -
resource yara_rule behavioral13/files/0x000700000002346c-10.dat dcrat behavioral13/memory/344-13-0x0000000000960000-0x0000000000C06000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation 6.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation portbroker.exe -
Executes dropped EXE 2 IoCs
pid Process 344 portbroker.exe 3468 wininit.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA portbroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" portbroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Windows NT\TextInputHost.exe portbroker.exe File created C:\Program Files\Windows NT\22eafd247d37c3 portbroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings 6.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2436 schtasks.exe 4976 schtasks.exe 4480 schtasks.exe 4032 schtasks.exe 1968 schtasks.exe 5112 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 344 portbroker.exe 3468 wininit.exe 3468 wininit.exe 3468 wininit.exe 3468 wininit.exe 3468 wininit.exe 3468 wininit.exe 3468 wininit.exe 3468 wininit.exe 3468 wininit.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3468 wininit.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 344 portbroker.exe Token: SeDebugPrivilege 3468 wininit.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1784 wrote to memory of 1016 1784 6.exe 87 PID 1784 wrote to memory of 1016 1784 6.exe 87 PID 1784 wrote to memory of 1016 1784 6.exe 87 PID 1016 wrote to memory of 3960 1016 WScript.exe 92 PID 1016 wrote to memory of 3960 1016 WScript.exe 92 PID 1016 wrote to memory of 3960 1016 WScript.exe 92 PID 3960 wrote to memory of 344 3960 cmd.exe 94 PID 3960 wrote to memory of 344 3960 cmd.exe 94 PID 344 wrote to memory of 3468 344 portbroker.exe 102 PID 344 wrote to memory of 3468 344 portbroker.exe 102 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" portbroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" portbroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" portbroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc\6.exe"C:\Users\Admin\AppData\Local\Temp\dc\6.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Webcrt\x6psj9c6RDgdJEN.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Webcrt\jksxI0Jf41NNj.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Webcrt\portbroker.exe"C:\Webcrt\portbroker.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:344 -
C:\Recovery\WindowsRE\wininit.exe"C:\Recovery\WindowsRE\wininit.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3468
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
26B
MD57ea9dfd9a49e4a20f9c9cc4e150e1351
SHA1ad710f54515a6eeddce4b7f4d05b807edd3b53d5
SHA256d2533863097a39b9bc0de4afcaad8dabab678901ddc903519d62a5fe2784d1d5
SHA512a59fbb4c5b719959367dd814ee1bf7ab6f9c9baefeaa975a057fc3f532da5d69e66ef695616b9ac7cee5e5e01e8f665c55747c05724fe7ae518443e92f3e0ed9
-
Filesize
2.6MB
MD5440092cd483a7c102f86d3041a7872fa
SHA18d860fa9a4bed126f6f5a14e024eb55a1e98303b
SHA256ad0b0b01c0a5d2feb02e59b366a1ddc9574dedda9e8e6249260a86debe8a4a6c
SHA5121f65b8499ee074801809da51a54f164df9bae1475ebd04b9ea7afb3824da1869a5aac60d794de89ff47a853aef80fb46573dda5ddd894f9a676908c00fe3524a
-
Filesize
196B
MD51cd766665224c78545090b0d4ffb05f7
SHA1702340dfd5963ebbe0d71774257a70337bd9045a
SHA256720ddfa26c37d499c619ba4faadaec7295e91bb6bc9b74965bfab86af0285835
SHA512b1625e6af6550846b350f4939067b068a2bc634848d1b0af9c1e69829a5bd99252b3ec5fec443abba1b2d7b462bccd345d91820f82931fa2ca83a9a3b7798243