Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 16:16
Behavioral task
behavioral1
Sample
495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
Resource
win10v2004-20241007-en
General
-
Target
495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe
-
Size
827KB
-
MD5
8dd4d6bc11e00b92762a60413bff8ccb
-
SHA1
b7e060163ea51cabb60aa11bbd1ec5cfb856a933
-
SHA256
495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707
-
SHA512
6bb31fbe4e5d8f13b4f243257b5f1fdb21de2526deba4081d1de1e43f0d3b37a21bc00390db6ecce19456d34db9bde01af5867e74433648c85482d3ef7c50a97
-
SSDEEP
24576:8mkzClvITluS4gHdPvqh0utgaHDS+6nf/Z:8/aIT2gtzYgajSf
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3552 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2488 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 636 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4648 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4920 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4656 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4156 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4872 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3812 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4532 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3436 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2636 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3088 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4604 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 780 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 4508 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3176 4508 schtasks.exe 82 -
resource yara_rule behavioral2/memory/4400-1-0x0000000000060000-0x0000000000136000-memory.dmp dcrat behavioral2/files/0x000e000000023bc3-11.dat dcrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe -
Executes dropped EXE 1 IoCs
pid Process 2280 RuntimeBroker.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\9e8d7a4ca61bd9 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe File created C:\Program Files (x86)\Google\StartMenuExperienceHost.exe 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe File created C:\Program Files (x86)\Google\55b276f4edf653 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe File created C:\Program Files (x86)\Windows Portable Devices\lsass.exe 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe File created C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2660 schtasks.exe 2396 schtasks.exe 4604 schtasks.exe 780 schtasks.exe 3176 schtasks.exe 4156 schtasks.exe 4872 schtasks.exe 4532 schtasks.exe 2516 schtasks.exe 636 schtasks.exe 4648 schtasks.exe 4920 schtasks.exe 4656 schtasks.exe 3552 schtasks.exe 2896 schtasks.exe 2488 schtasks.exe 2972 schtasks.exe 2268 schtasks.exe 3436 schtasks.exe 4976 schtasks.exe 2364 schtasks.exe 3812 schtasks.exe 2636 schtasks.exe 3088 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4400 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe 4400 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe 4400 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe 4400 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe 4400 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe 2280 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4400 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe Token: SeDebugPrivilege 2280 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4400 wrote to memory of 2280 4400 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe 107 PID 4400 wrote to memory of 2280 4400 495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe 107 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe"C:\Users\Admin\AppData\Local\Temp\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b57074" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b57074" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\Logs\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\USOShared\Logs\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
827KB
MD58dd4d6bc11e00b92762a60413bff8ccb
SHA1b7e060163ea51cabb60aa11bbd1ec5cfb856a933
SHA256495384b217ec6d09dc67abbce357e82813d6194741988a93030181309f5b5707
SHA5126bb31fbe4e5d8f13b4f243257b5f1fdb21de2526deba4081d1de1e43f0d3b37a21bc00390db6ecce19456d34db9bde01af5867e74433648c85482d3ef7c50a97