Analysis
max time kernel: 93s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 01:18
Behavioral task: behavioral1
Sample: d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Resource: win10v2004-20241007-en
General
Target: d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Size: 1.5MB
MD5: bdf8dba699d63caad5ea9a29a0f6dfda
SHA1: 60b104b39c4b843e982fba55dc94ca89c444a315
SHA256: d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75
SHA512: d2200cbbe4312dc5f0c57d45306ac1dd988f8b4892b036ca2b7f05bf0d75f213303b7d4e20a0e0b39862c0d59966468458ba37db084e1972b58b8a6ebce3fa6a
SSDEEP: 24576:Q2G/nvxW3W8ARZJJJJjsJJJJvJHJJJJJJ/wYnWW5Yxwo06RF91aOd9lfLQP9gMsD:QbA34VAb5J8RFyA10DsGxpQ
Malware Config
Signatures

DcRat (6 IoCs)
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
description | ioc | pid | Process
 | | 5088 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
 | | 3944 | schtasks.exe
 | | 2244 | schtasks.exe
 | | 1944 | schtasks.exe
 | | 4144 | schtasks.exe

Dcrat family
resource | yara_rule
behavioral2/files/0x000a000000023b79-10.dat | dcrat
behavioral2/memory/3676-13-0x0000000000D00000-0x0000000000DEC000-memory.dmp | dcrat

Process spawned unexpected child process (5 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5088 | 5008 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3944 | 5008 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2244 | 5008 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 5008 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4144 | 5008 | schtasks.exe | 86
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | sessionMonitordriverCrtMonitor.exe
Executes dropped EXE (2 IoCs)
pid | Process
3676 | sessionMonitordriverCrtMonitor.exe
2800 | unsecapp.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sessionMonitordriverCrtMonitor = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\sessionMonitordriverCrtMonitor.exe\"" | sessionMonitordriverCrtMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\TrustedInstaller.exe\"" | sessionMonitordriverCrtMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\"" | sessionMonitordriverCrtMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\comctl32\\RuntimeBroker.exe\"" | sessionMonitordriverCrtMonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\"" | sessionMonitordriverCrtMonitor.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\comctl32\RuntimeBroker.exe | sessionMonitordriverCrtMonitor.exe
File created | C:\Windows\System32\comctl32\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | sessionMonitordriverCrtMonitor.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows Media Player\ja-JP\sessionMonitordriverCrtMonitor.exe | sessionMonitordriverCrtMonitor.exe
File created | C:\Program Files\Windows Media Player\ja-JP\7560480a87071f9d961157b1d8d2f0ab49def21c | sessionMonitordriverCrtMonitor.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\TrustedInstaller.exe | sessionMonitordriverCrtMonitor.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\04c1e7795967e4ccf081675b1d8567f1dfb39cfd | sessionMonitordriverCrtMonitor.exe

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\fr-FR\unsecapp.exe | sessionMonitordriverCrtMonitor.exe
File opened for modification | C:\Windows\fr-FR\unsecapp.exe | sessionMonitordriverCrtMonitor.exe
File created | C:\Windows\fr-FR\29c1c3cc0f76855c7e7456076a4ffc27e4947119 | sessionMonitordriverCrtMonitor.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe | sessionMonitordriverCrtMonitor.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | sessionMonitordriverCrtMonitor.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | sessionMonitordriverCrtMonitor.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5088 | schtasks.exe
3944 | schtasks.exe
2244 | schtasks.exe
1944 | schtasks.exe
4144 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3676 | sessionMonitordriverCrtMonitor.exe
2800 | unsecapp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3676 | sessionMonitordriverCrtMonitor.exe
Token: SeDebugPrivilege | 2800 | unsecapp.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2236 wrote to memory of 4908 | 2236 | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe | 82
PID 2236 wrote to memory of 4908 | 2236 | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe | 82
PID 2236 wrote to memory of 4908 | 2236 | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe | 82
PID 4908 wrote to memory of 2328 | 4908 | WScript.exe | 87
PID 4908 wrote to memory of 2328 | 4908 | WScript.exe | 87
PID 4908 wrote to memory of 2328 | 4908 | WScript.exe | 87
PID 2328 wrote to memory of 3676 | 2328 | cmd.exe | 90
PID 2328 wrote to memory of 3676 | 2328 | cmd.exe | 90
PID 3676 wrote to memory of 1092 | 3676 | sessionMonitordriverCrtMonitor.exe | 96
PID 3676 wrote to memory of 1092 | 3676 | sessionMonitordriverCrtMonitor.exe | 96
PID 1092 wrote to memory of 2556 | 1092 | cmd.exe | 98
PID 1092 wrote to memory of 2556 | 1092 | cmd.exe | 98
PID 1092 wrote to memory of 2800 | 1092 | cmd.exe | 101
PID 1092 wrote to memory of 2800 | 1092 | cmd.exe | 101
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child depth of the process tree)

C:\Users\Admin\AppData\Local\Temp\d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe"
  - DcRat
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2236
  C:\Windows\SysWOW64\WScript.exe (depth 2)
    command line: "C:\Windows\System32\WScript.exe" "C:\sessionMonitor\yKWvGem3BjBd.vbe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4908
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: C:\Windows\system32\cmd.exe /c ""C:\sessionMonitor\sAhrfeOmh26XUgm.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2328
      C:\sessionMonitor\sessionMonitordriverCrtMonitor.exe (depth 4)
        command line: "C:\sessionMonitor\sessionMonitordriverCrtMonitor.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3676
        C:\Windows\System32\cmd.exe (depth 5)
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzvpMeoCuQ.bat"
          - Suspicious use of WriteProcessMemory
          PID: 1092
          C:\Windows\system32\w32tm.exe (depth 6)
            command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 2556
          C:\Windows\fr-FR\unsecapp.exe (depth 6)
            command line: "C:\Windows\fr-FR\unsecapp.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2800

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5088

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\comctl32\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3944

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2244

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "sessionMonitordriverCrtMonitor" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\sessionMonitordriverCrtMonitor.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1944

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\TrustedInstaller.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4144
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads