Overview
overview
10Static
static
10-pril-main...th.exe
windows10-2004-x64
10-pril-main...aw.exe
windows10-2004-x64
10-pril-main...wd.exe
windows10-2004-x64
7-pril-main...gh.exe
windows10-2004-x64
10-pril-main...se.exe
windows10-2004-x64
10-pril-main...ed.exe
windows10-2004-x64
10Installer/CapCut.exe
windows10-2004-x64
10start-main...on.exe
windows10-2004-x64
8start-main/Sushi.exe
windows10-2004-x64
10start-main...wd.exe
windows10-2004-x64
1start-main...sd.exe
windows10-2004-x64
10start-main...fd.exe
windows10-2004-x64
10start-main...we.exe
windows10-2004-x64
5start-main...wd.exe
windows10-2004-x64
10start-main...pu.exe
windows10-2004-x64
10start-main...th.exe
windows10-2004-x64
5start-main...ed.exe
windows10-2004-x64
10start-main...fk.exe
windows10-2004-x64
5start-main...ha.exe
windows10-2004-x64
10start-main...ha.exe
windows10-2004-x64
10start-main...ea.exe
windows10-2004-x64
10start-main...as.exe
windows10-2004-x64
7start-main...dw.exe
windows10-2004-x64
8start-main...ha.exe
windows10-2004-x64
1start-main...wt.exe
windows10-2004-x64
10start-main...wd.exe
windows10-2004-x64
10start-main...gh.exe
windows10-2004-x64
3start-main/pdf.exe
windows10-2004-x64
10start-main...dh.exe
windows10-2004-x64
10start-main...as.exe
windows10-2004-x64
7start-main...tj.exe
windows10-2004-x64
10Analysis
-
max time kernel
131s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2024 08:01
Static task
static1
Behavioral task
behavioral1
Sample
-pril-main/dwthjadth.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
-pril-main/feuiyjjdaw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
-pril-main/kldrgawdtjawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
-pril-main/pothjadwtrgh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
-pril-main/ptjjsekfthse.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
-pril-main/thadkythjawed.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Installer/CapCut.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
start-main/Session.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
start-main/Sushi.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
start-main/fgthawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
start-main/gawdrgasd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
start-main/hbfgjhhesfd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
start-main/hdawuithjawe.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
start-main/hnfsefawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
start-main/jerniuiopu.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
start-main/jthusjefth.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
start-main/jythjadthawed.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
start-main/khseofk.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
start-main/khtoawdltrha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
start-main/ksfawtyha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
start-main/ktyhpldea.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
start-main/lhoefskghas.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
start-main/ltpohpadw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
start-main/mhbiwejrtgha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
start-main/njrtdhadawt.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
start-main/odrsfgawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
start-main/opthjdkawrtgh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
start-main/pdf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
start-main/pthjadh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
start-main/ptihjawdthas.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
start-main/yjadyjasfdtj.exe
Resource
win10v2004-20241007-en
General
-
Target
start-main/ksfawtyha.exe
-
Size
855KB
-
MD5
fda06a638ce0756950f40dff83a675e8
-
SHA1
7d121e94b2c4885f8838a2a18ffaa4a25afd96d0
-
SHA256
6b986293d3057fb2ffb8759b53182756595f68aa95c584d73b9e1e9e3997826d
-
SHA512
26d033f6d3e490a1773622072674001c1c962214a19b38d9a0a63383cde9fbfadf6658359895f19c9a68890d5c8a21a047beb578134d35ecd18f733dd002d1e0
-
SSDEEP
12288:OWTns93nQb1f13TH3XmaZ4JJMA+zpW3Ari4VVyZC0+1cp9rcDNpTWDTQGFZ6:OWTnbb1f1bmaZKJMA+z3iE0nTr/6
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
ksfawtyha.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\"" ksfawtyha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\ksfawtyha.exe\"" ksfawtyha.exe -
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 212 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3340 212 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2488 212 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 212 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3360 212 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1556 212 schtasks.exe 89 -
DCRat payload 1 IoCs
Processes:
resource yara_rule behavioral20/memory/1084-1-0x0000000000B30000-0x0000000000C0C000-memory.dmp family_dcrat_v2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ksfawtyha.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation ksfawtyha.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
ksfawtyha.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\"" ksfawtyha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\"" ksfawtyha.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksfawtyha = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\ksfawtyha.exe\"" ksfawtyha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksfawtyha = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\ksfawtyha.exe\"" ksfawtyha.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ipinfo.io 51 ipinfo.io 52 ipinfo.io 9 ipinfo.io -
Drops file in System32 directory 2 IoCs
Processes:
csc.exedescription ioc Process File created \??\c:\Windows\System32\CSCDCC71A6DB17D4DF29ABC23D74CF7E2D1.TMP csc.exe File created \??\c:\Windows\System32\hnaorh.exe csc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
ksfawtyha.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings ksfawtyha.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 2648 schtasks.exe 3360 schtasks.exe 1556 schtasks.exe 2804 schtasks.exe 3340 schtasks.exe 2488 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ksfawtyha.exepid Process 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe 1084 ksfawtyha.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ksfawtyha.exeksfawtyha.exedescription pid Process Token: SeDebugPrivilege 1084 ksfawtyha.exe Token: SeDebugPrivilege 4412 ksfawtyha.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ksfawtyha.execsc.execmd.exedescription pid Process procid_target PID 1084 wrote to memory of 1888 1084 ksfawtyha.exe 93 PID 1084 wrote to memory of 1888 1084 ksfawtyha.exe 93 PID 1888 wrote to memory of 4860 1888 csc.exe 95 PID 1888 wrote to memory of 4860 1888 csc.exe 95 PID 1084 wrote to memory of 380 1084 ksfawtyha.exe 102 PID 1084 wrote to memory of 380 1084 ksfawtyha.exe 102 PID 380 wrote to memory of 4268 380 cmd.exe 104 PID 380 wrote to memory of 4268 380 cmd.exe 104 PID 380 wrote to memory of 4604 380 cmd.exe 105 PID 380 wrote to memory of 4604 380 cmd.exe 105 PID 380 wrote to memory of 4412 380 cmd.exe 109 PID 380 wrote to memory of 4412 380 cmd.exe 109 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe"C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fuvpqbve\fuvpqbve.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC62E.tmp" "c:\Windows\System32\CSCDCC71A6DB17D4DF29ABC23D74CF7E2D1.TMP"3⤵PID:4860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wfCcJpotGA.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:4268
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4604
-
-
C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe"C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ksfawtyhak" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ksfawtyha" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ksfawtyhak" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD534ff77a14aec2a0e3fff7660e7506da8
SHA1168cdfbdc68f6a56d0fb35bb7605aab83a2c1837
SHA256a14bc9f57c725c55f9e5281f6cfee0bd5fcd262df65b5fca9883137aa2fa0c66
SHA5121c430fd847c40dba7820d93c5db0cab90a6666e06fd9dc5349173af4991432f6eec6c8e79ff25834d6e218cc02868f6f82d1feea61e2b9d5dfdbcb9c45bd760a
-
Filesize
1KB
MD5b595c9403ccf73aac4c35e343f7c9a29
SHA146158858d3cf55cf615dc9ac53ba2195f2e06888
SHA25693ba612b18d5654e016791f1672666161a35572fdbd3308cd53fa5b0ae46a2d6
SHA512e714c55774921aea76dafbfd3a1767ece445ac09cf8db4801a02d25d73a4522d5fbbb7e98ff49e12640b057a4353b634c0d0bee47fb1d15190ca3869a6ded73b
-
Filesize
234B
MD50b0e1cede18d58d5a5d38298b9c4a26f
SHA1f6512843ac155f5878d31b58494949d7d743a8c0
SHA25671d07654d475bb8f1c534568c9e8306e0a3cebc0b6727ea9ab495f6690f81ac1
SHA5129213f15652a65864cbc5a7d961067ab6cb56c783f3013335ca5bc1428cf290e1bec2dbe5069f38b45742a072103659a6bfa686a5360b1c0242b26ac54c480f6c
-
Filesize
372B
MD5ffaf8924eca8bff4ffe86e26a5f1c063
SHA16ac8afffe3ce2dc5e35503dcb7acad798f3a624c
SHA25674386e105780fd97570c67a82aa7937853db3f0009ebf608391db8138dc56ff1
SHA512b546abe3f62cc0ef2ee952cb3610a16128efa83bb51cdf186879d32bde7fd59dd8b74ed6a45fd2819cea9a3b06c25d2c273ea3e4a8e004aaf7185725c2281822
-
Filesize
235B
MD557ce1fe729fad74ca08d905fb74d401d
SHA1ce0d6ae4b703717f33736859d1278a14cef53fba
SHA2566b1d922522710b797a104539a8f55abf8bc9d47250595ae440262e173c0da3e0
SHA51218c1519725792b2959d22105d98d8a6e794bf210b8ef9c3204ba0c59d0449cbd2d5f0ddfa3aa1c90a6f5c7d96a06ba8a1400e6a48304b6aaae9f499af6fdfa21
-
Filesize
1KB
MD565d5babddb4bd68783c40f9e3678613f
SHA171e76abb44dbea735b9faaccb8c0fad345b514f4
SHA256d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f
SHA51221223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf