Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
31-01-2025 02:48
General
-
Target
HORNETrat_launcher.exe
-
Size
2.9MB
-
MD5
f07b8eea2d8c8ee368b680254ad0fee5
-
SHA1
1c75b5bcabedf0e31c76df0ff6ee23ab389bae3b
-
SHA256
34947ad997759cb6aaf571df44c0996dae57e04cf4510ef4136b8b7ca16eea4e
-
SHA512
9c01412cb8aa51419f74f8b614f88383f41ce2e2698b373b7d59519d23b875e0660b6fe4a947afa0b79878223afacb8cb8b8a3164b0a44d20f8f58521ff9d21e
-
SSDEEP
49152:BB3kRVwF/UHWZU5qfD330oa5EL0h81IC4XA4QKa1lWpdh:L0ReSS05G281ICX4QKa1lWpdh
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 6 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\HORNETrat_launcher.exe"C:\Users\Admin\AppData\Local\Temp\HORNETrat_launcher.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\mshyperblock\7CVEgcv.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\mshyperblock\S9mCKi92BftZwElqhr8FGhYT1zV90zFd1F.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\mshyperblock\hyperInto.exe"C:\mshyperblock/hyperInto.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BtR8dixjJV.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Windows NT\unsecapp.exe"C:\Program Files (x86)\Windows NT\unsecapp.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F0qtrCuOKA.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Program Files (x86)\Windows NT\unsecapp.exe"C:\Program Files (x86)\Windows NT\unsecapp.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FfDOv2d6gz.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Program Files (x86)\Windows NT\unsecapp.exe"C:\Program Files (x86)\Windows NT\unsecapp.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h53aanzGdD.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Program Files (x86)\Windows NT\unsecapp.exe"C:\Program Files (x86)\Windows NT\unsecapp.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lnXy25yoCy.bat"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Windows NT\unsecapp.exe"C:\Program Files (x86)\Windows NT\unsecapp.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\mshyperblock\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\mshyperblock\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\mshyperblock\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c8e311b78b67d7909e05b01de9cf1ffb
SHA1198f9411189ef79a8de60fa7fdfe957239de767b
SHA25648c4b6ae7307aca161d53a1076f8d33b5c55b2f9664804df1adfe098ab6368d2
SHA512abaece55e4fb680c0b54e3306970eef42262ea1f352728e871ee1ff19042b6e7145a67f0914039f62e8ed273de66d094251633d6cf0a79c4c00e4b43c48108b3
-
Filesize
174B
MD52c6bba89544152a53472b489949d600a
SHA15561799f08b886ffd84bba30affbfe9531c20694
SHA256971f0250b7a40aab5ec05f9e50bd6404ce29ed7cead2c2e03d43197b7c828c64
SHA512d132df7b2e938b983040ecf5a8985c4f165337becc0795099f57ae0cc647ecf5a2a764920d32264ee2c650f9602793c4f4b7480077be23e2cbcc144631e540a0
-
Filesize
222B
MD5f0008179c46ba80bbb7642fe6b8b3144
SHA1c90b87da6585ac1b8b88918bde5e1b625f81ac80
SHA256119469496f70b86200775c160f74a48b7327b78a6ef0dc14235a689a3fdb9b21
SHA5127c1ba22ff681f26bf3cd244b530511b9dc8a74682b567d84fdd497903d13ddd7b7b2312e0f1861269827d25e57cba6c8ca7cc67bfb8f5df0c310644af9c1557e
-
Filesize
222B
MD52b24a4776ff6e620292faf21db7d7779
SHA17066700c7dd3d88cb4c2b41efbacdf557da73d8a
SHA256dca448e0034f05232cb1a4e8c68b6a4a0f7c1fd12b6eeede708d4ffbf1dcdb2d
SHA5129f3199e58b5a2311b88f32926fe398b0c0bad6f05a6101124dda7f7cf6744eb0b52dd5a72e679d81fcba9caa8cf7b58b1a1f14434816dc3b0c6b9211abc361ef
-
Filesize
222B
MD5e48788fbf1e2ce7b1a38774b63f49877
SHA12474ab67dc7ebbe62e7e40d3ef4b52b7761b5e19
SHA256a44c1915c62128cba327d436113a37b137d274b42c4a98ba81bc3fcb1013db1e
SHA51265533911fbb1848cc56aa9bf07585e74c4de5baf0d771305aece2f9fb2af6060fd3d7f37bbba77f06856172fd541183af3cce20bbbee1556cc8bc941fde37f38
-
Filesize
174B
MD59f573fc9c9bacef181860db36b036072
SHA18cd1feca863d671efb244504814bfa08e679d094
SHA256f826a7ffd058ffcd4ecff1b289c7fbb2bbfc17e25120560b248c7526050e5f9e
SHA51242caaebfb8ee54e701a86a5c69f73b6de98af40490060154a3732b1fd6626654f63fab04b447e3f6c1a881f39ca4a566bc0190be6af146e937d4e4955c8c80f1
-
Filesize
225B
MD5b7a9d7bc751980e5d28b50643805b2b0
SHA1dd4e0de7003f4dfc9a4cc52bfbf542e335a700f3
SHA256417517292e016853942d2072a55cb914a1e9c552af7d4fce9e9497d32d42ae2f
SHA512965e0ecc6c2535d46c7cc27ca7917f5ff20e07b881bf4ab15f26fd25807ad756fed4eca03f8315b68d1e72db1b97f9344ce111955b4c7368f40c5d2f8afec8a0
-
Filesize
71B
MD5769d41729d7dc06c2302102db2bf90bf
SHA1156cdeacce22a5969515bc4d61f47a908da78f1e
SHA25638f5e3ea511d8cfe28b6d163d844a8cd7c1428ba2f0017793fba1fbae559d54e
SHA512f33d0e2ca822168915a2ac6f8ab8bc4774d8733f92d8937b96c9b3e39ece245f003183c53d55c6a51b6c9b1241d252bd303af7381516ae1cd23641fda45de5c7
-
Filesize
2.6MB
MD55bdfa3d66339a5624d36ee2038584cfc
SHA1a55b70c8e118a0aa3d3d06281ce5809db2933a7a
SHA256a1cdf05403d641c6717c540e76ee1cff8b3d3723df3574413dbdd7e18d1393fa
SHA512de156c9044d48657056d087252f46ed3c36f1ce676b1e0a2b3946dc29fa6e5347685bff1b4ad83ecb5b194bd3eb2e3976cbd7028d34390590393bbb5373b84c2
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
56KB
-
Filesize
88KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
312KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
2.6MB
-
Filesize
312KB
-
Filesize
312KB