Analysis
- max time kernel: 93s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2024, 02:08
Behavioral task: behavioral1
- Sample: 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
- Resource: win10v2004-20241007-en
General
- Target: 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
- Size: 1.1MB
- MD5: 027bbb0a4d9b911c6d707866e98c1314
- SHA1: bfbdb849dcf89395492d916b69308505b87bb7fc
- SHA256: 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c
- SHA512: a66535cebff5e208c685c9f7a880e7bf36a70872cabd512ffdb8e97497c9f4438f7ebc213303487d9a652f1dabdbc438b5bd98be1cd0ed1accfe896cac69e94c
- SSDEEP: 24576:U2G/nvxW3Ww0t9XYOIWhhyjpaMwvhIhL2pCrC:UbA309YOIXEElW
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4252 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 752 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1244 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4940 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4788 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4796 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3900 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3668 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4224 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4896 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3168 | 5108 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3972 | 5108 | schtasks.exe | 90

YARA matches
resource | yara_rule
behavioral2/files/0x0007000000023cd6-10.dat | dcrat
behavioral2/memory/2200-13-0x00000000002D0000-0x00000000003A6000-memory.dmp | dcrat
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | msbrowser.exe
Executes dropped EXE (2 IoCs)
pid | Process
2200 | msbrowser.exe
544 | SppExtComObj.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Microsoft Office 15\ClientX64\6ccacd8608530f | msbrowser.exe
File created | C:\Program Files\7-Zip\Lang\dwm.exe | msbrowser.exe
File created | C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3 | msbrowser.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\Idle.exe | msbrowser.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\debug\csrss.exe | msbrowser.exe
File opened for modification | C:\Windows\debug\csrss.exe | msbrowser.exe
File created | C:\Windows\debug\886983d96e3d3e | msbrowser.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | msbrowser.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4252 | schtasks.exe
2760 | schtasks.exe
3668 | schtasks.exe
4224 | schtasks.exe
3168 | schtasks.exe
3972 | schtasks.exe
2792 | schtasks.exe
3900 | schtasks.exe
4896 | schtasks.exe
752 | schtasks.exe
1244 | schtasks.exe
4940 | schtasks.exe
2968 | schtasks.exe
1740 | schtasks.exe
2416 | schtasks.exe
4788 | schtasks.exe
4796 | schtasks.exe
2520 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2200 | msbrowser.exe
2200 | msbrowser.exe
2200 | msbrowser.exe
544 | SppExtComObj.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2200 | msbrowser.exe
Token: SeDebugPrivilege | 544 | SppExtComObj.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2804 wrote to memory of 1984 | 2804 | 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe | 85
PID 2804 wrote to memory of 1984 | 2804 | 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe | 85
PID 2804 wrote to memory of 1984 | 2804 | 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe | 85
PID 1984 wrote to memory of 3640 | 1984 | WScript.exe | 87
PID 1984 wrote to memory of 3640 | 1984 | WScript.exe | 87
PID 1984 wrote to memory of 3640 | 1984 | WScript.exe | 87
PID 3640 wrote to memory of 2200 | 3640 | cmd.exe | 89
PID 3640 wrote to memory of 2200 | 3640 | cmd.exe | 89
PID 2200 wrote to memory of 2344 | 2200 | msbrowser.exe | 110
PID 2200 wrote to memory of 2344 | 2200 | msbrowser.exe | 110
PID 2344 wrote to memory of 1508 | 2344 | cmd.exe | 112
PID 2344 wrote to memory of 1508 | 2344 | cmd.exe | 112
PID 2344 wrote to memory of 544 | 2344 | cmd.exe | 121
PID 2344 wrote to memory of 544 | 2344 | cmd.exe | 121
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe"
  PID: 2804
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\refBrokerDhcp\QElwSQf83XBFhMyqm1gWbbiKf8tDaQ.vbe"
    PID: 1984
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\refBrokerDhcp\eop7KwarhdN0r.bat" "
      PID: 3640
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\refBrokerDhcp\msbrowser.exe
        Command line: "C:\refBrokerDhcp\msbrowser.exe"
        PID: 2200
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tKvCd3mm0w.bat"
          PID: 2344
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 1508

          [depth 6] C:\Recovery\WindowsRE\SppExtComObj.exe
            Command line: "C:\Recovery\WindowsRE\SppExtComObj.exe"
            PID: 544
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

Each of the following schtasks.exe processes is at depth 1 and carries the same two tags:
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\csrss.exe'" /f
  PID: 4252

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f
  PID: 2792

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f
  PID: 752

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
  PID: 1244

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  PID: 4940

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  PID: 2968

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Idle.exe'" /f
  PID: 2416

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Idle.exe'" /rl HIGHEST /f
  PID: 2760

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Idle.exe'" /rl HIGHEST /f
  PID: 4788

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
  PID: 4796

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
  PID: 2520

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
  PID: 1740

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
  PID: 3900

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
  PID: 3668

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
  PID: 4224

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
  PID: 4896

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
  PID: 3168

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
  PID: 3972
Network
MITRE ATT&CK Enterprise v15
Downloads