Overview

overview

10

Static

static

10

taskhostw.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    68s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23-01-2025 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskhostw.exe

  • Size

    1.2MB

  • MD5

    ac904ffc13b5f221270f475065687b59

  • SHA1

    ed6b4383582eae7b72064a10e33cebc6fd3690e5

  • SHA256

    963a316c03e4f88df946a43d537f6ed2d2001eaafcde40bdb52cd15104112606

  • SHA512

    9626483209d8546c835c94cfffd89e1cf6ae813730d04dfdb9b4b4019e12ee0c9166fa76fb47426251f6e669d6c63037718ffb8c8366766cadca1a9f78c91559

  • SSDEEP

    12288:URZ+IoG/n9IQxW3OBseUUT+tcYbqTHSOOJVu1SNEC8m+P1BAyrQ/ta3iruJtDwbD:u2G/nvxW3WieC2nOJVrj8m+aSDwbA9Nq

Score
10/10
dcratdefense_evasiondiscoveryinfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
    "C:\Users\Admin\AppData\Local\Temp\taskhostw.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BlockBrowserWeb\73WPTP5CgKBkfusL13FoS1EalfC.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\BlockBrowserWeb\JLBdH8Facv2OZKr8pY7k2gD8clI.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\BlockBrowserWeb\ComfontHost.exe
          "C:\BlockBrowserWeb\ComfontHost.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3940
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mqpLVJwWq1.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:824
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2328
              • C:\BlockBrowserWeb\winlogon.exe
                "C:\BlockBrowserWeb\winlogon.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:1556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\BlockBrowserWeb\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BlockBrowserWeb\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\BlockBrowserWeb\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3256
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\BlockBrowserWeb\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\BlockBrowserWeb\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\BlockBrowserWeb\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:648

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\BlockBrowserWeb\73WPTP5CgKBkfusL13FoS1EalfC.vbe
      Filesize

      230B

      MD5

      fdf72c94be3290267c930fab28fbd800

      SHA1

      a0e186ec44952baf296acd483f25327b0c6f33dd

      SHA256

      4eead935013d583296ca49f8fc8b70d38b7c32e1189204629f33cead574e2dd1

      SHA512

      a59b3fe649739e5d61d116149011f8d0f19ed8b217134aabb3f2c698dd52a5ccc4b67414209772be48fe4477158ffa7ebb2097280dccf1607955f1a95d264634

      Download Submit

    • C:\BlockBrowserWeb\ComfontHost.exe
      Filesize

      911KB

      MD5

      082141e65f26ececc48552790d6c6da4

      SHA1

      fba9667158632e2dbfa128d1fa1bd4be282e773a

      SHA256

      b49adf276a5e055ef1a3685f032701b41be76177f7f9eb85dfac2d33b5fa7c9f

      SHA512

      cbe0fef685801d436b5637a0e08df052af119284491a382d689686735ee8352d3edaa6857754f16f022a0bb43f95039bc841e4ed1e20614ea0a9976258947946

      Download Submit

    • C:\BlockBrowserWeb\JLBdH8Facv2OZKr8pY7k2gD8clI.bat
      Filesize

      47B

      MD5

      68411cfd82c251c57e0fd3e2b6e7af03

      SHA1

      26b09d13a90b0e662d57c59dc903db51dd11a177

      SHA256

      0f31379f24cbc2ab580f9b2f77e4fa36123a732377be53d88c28546228e106d7

      SHA512

      78ba2559d614ed0dbcc2e32a5f6b9ef3d3585df4cc515728ff4cccdefbd00b50f3e34774af016a5fc9f8320ff48e963bc76f9c7b04e80ad69a43eef9c18f2f2a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mqpLVJwWq1.bat
      Filesize

      196B

      MD5

      b2184a0aabdbb9b685b3e637c0f2a038

      SHA1

      6520d51c9f0a39d5c4a3defeeda0c52018014886

      SHA256

      0587bcc34e99fa1bdc33b786552b61a45736676b63915b02c28bef8ddcbef7b4

      SHA512

      827053edcf301647dab1ee36cec2468beea910575484c5381d87a72fbf1f64e3880cdc4e12c2e1b1ff5588ac35095c13d37e17d671e49130752cb606b87a940b

      Download Submit

    • memory/1556-32-0x000000001C9F0000-0x000000001C9F9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1556-31-0x000000001D300000-0x000000001D346000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1556-34-0x000000001D380000-0x000000001D39E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1556-35-0x000000001D3A0000-0x000000001D3AB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1556-33-0x000000001D370000-0x000000001D37D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3940-12-0x00007FFF55633000-0x00007FFF55635000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3940-15-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3940-14-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3940-13-0x0000000000380000-0x000000000046C000-memory.dmp

      Filesize

      944KB

      Download