Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 04:21
Static task: static1
Behavioral task: behavioral1 (Sample 844679E76D8254BEDD67C98610F7D7AC.exe, Resource win7-20241010-en)
Behavioral task: behavioral2 (Sample 844679E76D8254BEDD67C98610F7D7AC.exe, Resource win10v2004-20241007-en)
General
Target: 844679E76D8254BEDD67C98610F7D7AC.exe
Size: 1.6MB
MD5: 844679e76d8254bedd67c98610f7d7ac
SHA1: 4222ebbb055830096b829f072783423dbe255932
SHA256: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
SHA512: fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05
SSDEEP: 24576:2ztKoZmCJ4YrujnaOBDEzKt3pJqc7BnA8js2TvgAts0qB0FjbpcKSzQy8v1:O995MUzKNac7BnbbTvgCFTYQy+
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for all 18 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid / pid_target / Process / procid_target
432 / 2392 / schtasks.exe / 88
1928 / 2392 / schtasks.exe / 88
4124 / 2392 / schtasks.exe / 88
3344 / 2392 / schtasks.exe / 88
2376 / 2392 / schtasks.exe / 88
1416 / 2392 / schtasks.exe / 88
2852 / 2392 / schtasks.exe / 88
3760 / 2392 / schtasks.exe / 88
4660 / 2392 / schtasks.exe / 88
4908 / 2392 / schtasks.exe / 88
1256 / 2392 / schtasks.exe / 88
2204 / 2392 / schtasks.exe / 88
1332 / 2392 / schtasks.exe / 88
3644 / 2392 / schtasks.exe / 88
3648 / 2392 / schtasks.exe / 88
4384 / 2392 / schtasks.exe / 88
1728 / 2392 / schtasks.exe / 88
3108 / 2392 / schtasks.exe / 88
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process
Key value queried / \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation / 844679E76D8254BEDD67C98610F7D7AC.exe
Executes dropped EXE (1 IoC)
pid / Process
1644 / StartMenuExperienceHost.exe
Drops file in Program Files directory (2 IoCs)
description / ioc / Process
File created / C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe / 844679E76D8254BEDD67C98610F7D7AC.exe
File created / C:\Program Files (x86)\Reference Assemblies\Microsoft\55b276f4edf653 / 844679E76D8254BEDD67C98610F7D7AC.exe
Drops file in Windows directory (6 IoCs)
description / ioc / Process
File created / C:\Windows\Prefetch\ReadyBoot\services.exe / 844679E76D8254BEDD67C98610F7D7AC.exe
File created / C:\Windows\Prefetch\ReadyBoot\c5b4cb5e9653cc / 844679E76D8254BEDD67C98610F7D7AC.exe
File created / C:\Windows\twain_32\sihost.exe / 844679E76D8254BEDD67C98610F7D7AC.exe
File created / C:\Windows\twain_32\66fc9ff0ee96c2 / 844679E76D8254BEDD67C98610F7D7AC.exe
File created / C:\Windows\ja-JP\RuntimeBroker.exe / 844679E76D8254BEDD67C98610F7D7AC.exe
File created / C:\Windows\ja-JP\9e8d7a4ca61bd9 / 844679E76D8254BEDD67C98610F7D7AC.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid / Process
2508 / PING.EXE
Modifies registry class (1 IoC)
description / ioc / Process
Key created / \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings / 844679E76D8254BEDD67C98610F7D7AC.exe
Runs ping.exe (1 TTPs, 1 IoC)
pid / Process
2508 / PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
1928 / schtasks.exe
2852 / schtasks.exe
1256 / schtasks.exe
1332 / schtasks.exe
1728 / schtasks.exe
3344 / schtasks.exe
2376 / schtasks.exe
1416 / schtasks.exe
3760 / schtasks.exe
2204 / schtasks.exe
3644 / schtasks.exe
3648 / schtasks.exe
4660 / schtasks.exe
4908 / schtasks.exe
3108 / schtasks.exe
432 / schtasks.exe
4124 / schtasks.exe
4384 / schtasks.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid / Process (44 repeated entries, two distinct processes)
2360 / 844679E76D8254BEDD67C98610F7D7AC.exe
1644 / StartMenuExperienceHost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / Process
1644 / StartMenuExperienceHost.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process
Token: SeDebugPrivilege / 2360 / 844679E76D8254BEDD67C98610F7D7AC.exe
Token: SeDebugPrivilege / 1644 / StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target
PID 2360 wrote to memory of 4092 / 2360 / 844679E76D8254BEDD67C98610F7D7AC.exe / 108
PID 2360 wrote to memory of 4092 / 2360 / 844679E76D8254BEDD67C98610F7D7AC.exe / 108
PID 4092 wrote to memory of 3404 / 4092 / cmd.exe / 110
PID 4092 wrote to memory of 3404 / 4092 / cmd.exe / 110
PID 4092 wrote to memory of 2508 / 4092 / cmd.exe / 111
PID 4092 wrote to memory of 2508 / 4092 / cmd.exe / 111
PID 4092 wrote to memory of 1644 / 4092 / cmd.exe / 118
PID 4092 wrote to memory of 1644 / 4092 / cmd.exe / 118
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\844679E76D8254BEDD67C98610F7D7AC.exe (PID 2360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\844679E76D8254BEDD67C98610F7D7AC.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 4092)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JPh5HE80jW.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\chcp.com (PID 3404)
      Command line: chcp 65001
    C:\Windows\system32\PING.EXE (PID 2508)
      Command line: ping -n 10 localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe (PID 1644)
      Command line: "C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (PID 432)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1928)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4124)
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3344)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2376)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1416)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2852)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3760)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4660)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4908)
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\sihost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1256)
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\twain_32\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2204)
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1332)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3644)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3648)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4384)
  Command line: schtasks.exe /create /tn "844679E76D8254BEDD67C98610F7D7AC8" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\844679E76D8254BEDD67C98610F7D7AC.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1728)
  Command line: schtasks.exe /create /tn "844679E76D8254BEDD67C98610F7D7AC" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\844679E76D8254BEDD67C98610F7D7AC.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3108)
  Command line: schtasks.exe /create /tn "844679E76D8254BEDD67C98610F7D7AC8" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\844679E76D8254BEDD67C98610F7D7AC.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: 844679e76d8254bedd67c98610f7d7ac
SHA1: 4222ebbb055830096b829f072783423dbe255932
SHA256: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
SHA512: fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05

Filesize: 209B
MD5: d5dfd070a710e36fc30c0f3ef418ba72
SHA1: 2871b50e00b4aa2a94382d71bb0906ebb16b93cf
SHA256: ecf18fb690a4187541018ff27d7350705ff55d27b7d6874a8e1803488f971d85
SHA512: 9afe712f6177da3f3c5707712ca8c31742f00f606ddd9abeec168e556cca068eec1cd4ddd1efb1cffdf0685c90adf949f0e068a3267a7c989af9ba2f295339c7