Overview

overview

10

Static

static

10

taskHostw.exe

windows7-x64

10

taskHostw.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/01/2025, 15:44 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskHostw.exe

  • Size

    1.1MB

  • MD5

    9acac2f1709100c4f471c5c4d9a6559a

  • SHA1

    b0de7b3d1340bb3edc9b67a6ae2be9d25f1e6172

  • SHA256

    e7fe25f706806440e04205b7fbe8c4dc0bef064327770b7ba7682917090509f5

  • SHA512

    196cea984b335b1cd03032d9002d799cb9bc85fb252f102510da8d3b14e0f02c15627f82c64cdc6ce086cf91e1960c0e3d6fc1bc539c657f1b0ff2e94276f1b8

  • SSDEEP

    24576:U2G/nvxW3Ww0tGyuDFfYdKDe17qJSZLQ+r/kDIdCCj:UbA30yFbaqerDPdF

Score
10/10
dcratdefense_evasiondiscoveryinfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\taskHostw.exe
    "C:\Users\Admin\AppData\Local\Temp\taskHostw.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webfontSessionBrokerHost\Ur1NipdNxN.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\webfontSessionBrokerHost\SpdD9zKqJDT3l.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3948
        • C:\webfontSessionBrokerHost\Bridgebrokerperf.exe
          "C:\webfontSessionBrokerHost\Bridgebrokerperf.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4596
          • C:\Recovery\WindowsRE\dllhost.exe
            "C:\Recovery\WindowsRE\dllhost.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\webfontSessionBrokerHost\sysmon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\webfontSessionBrokerHost\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\webfontSessionBrokerHost\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BridgebrokerperfB" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\Bridgebrokerperf.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Bridgebrokerperf" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\Bridgebrokerperf.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BridgebrokerperfB" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\Bridgebrokerperf.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\webfontSessionBrokerHost\SppExtComObj.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\webfontSessionBrokerHost\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\webfontSessionBrokerHost\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\webfontSessionBrokerHost\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\webfontSessionBrokerHost\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\webfontSessionBrokerHost\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4804

Network

  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5.114.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.114.82.104.in-addr.arpa
    IN PTR
    Response
    5.114.82.104.in-addr.arpa
    IN PTR
    a104-82-114-5deploystaticakamaitechnologiescom
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ppasovtv.beget.tech
    dllhost.exe
    Remote address:
    8.8.8.8:53
    Request
    ppasovtv.beget.tech
    IN A
    Response
    ppasovtv.beget.tech
    IN A
    5.101.153.201
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    112.27.33.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    112.27.33.23.in-addr.arpa
    IN PTR
    Response
    112.27.33.23.in-addr.arpa
    IN PTR
    a23-33-27-112deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 5.101.153.201:80
    ppasovtv.beget.tech
    dllhost.exe
    260 B
     5
  • 5.101.153.201:80
    ppasovtv.beget.tech
    dllhost.exe
    260 B
     5
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    5.114.82.104.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    5.114.82.104.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    ppasovtv.beget.tech
    dns
    dllhost.exe
    65 B
     81 B
     1
    1

    DNS Request

    ppasovtv.beget.tech

    DNS Response

    5.101.153.201

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    112.27.33.23.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    112.27.33.23.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\webfontSessionBrokerHost\Bridgebrokerperf.exe
    Filesize

    865KB

    MD5

    1465b464ff78a41cf8af12d58ca62588

    SHA1

    9c4904b19b2b111c9c96cb0aba28aa3413b54c83

    SHA256

    485228dc5bfeb7694133fd50861f0c48f314003f8ee1030db3d063d07930bd3a

    SHA512

    c609086d161150a3754240aab9f76904a221314374b7b5c373bd9548bce6ec1cce509564523c9b8b2a16710f8ecbe558dd7b8f62adecc2007fe83320a19bdb0b

    Download Submit

  • C:\webfontSessionBrokerHost\SpdD9zKqJDT3l.bat
    Filesize

    50B

    MD5

    37e781c64e1e5057220cc587925258d4

    SHA1

    3cd34c35d3d528b8ec2952d6c616cc3896b2dc66

    SHA256

    24510bbfd8f20c029b17d88853e82dbc2d2637b52dc76be8ceebf57243cac344

    SHA512

    3fa6c68ea554401af69bdf21061b17d9c068a2e7f42b2901c4a3e18d14aae7b52706fd24edc2f2da06db806a8b3d00dbdbfe3b963d72945af0801c8c3c9840ba

    Download Submit

  • C:\webfontSessionBrokerHost\Ur1NipdNxN.vbe
    Filesize

    215B

    MD5

    56f8dfb763248f67943afcc431c9a28c

    SHA1

    b31a8e990b3971d27bbb0ff1c9bcff6fbaf33211

    SHA256

    db5202acf3a53d23f14faa846e27c2415cb33c26b5ac151a298209a0e7a1e4ac

    SHA512

    c0a81de45024a042abfc5876f3fde486b2ae809ac2d5ff099cd2d288ba863b0bff86cf4d6fda335a7eb40a2c26218e3ffb417d20b7167c9dd54be4b74e921b6b

    Download Submit

  • memory/1624-48-0x000000001C350000-0x000000001C452000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1624-53-0x000000001C350000-0x000000001C452000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4596-12-0x00007FFF60733000-0x00007FFF60735000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4596-13-0x0000000000A70000-0x0000000000B50000-memory.dmp

    Filesize

    896KB

    Download

  • memory/4596-14-0x0000000001260000-0x000000000126A000-memory.dmp

    Filesize

    40KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.