Analysis
-
max time kernel
148s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
31-01-2025 02:52
General
-
Target
HORNETrat_launcher.exe
-
Size
2.9MB
-
MD5
f07b8eea2d8c8ee368b680254ad0fee5
-
SHA1
1c75b5bcabedf0e31c76df0ff6ee23ab389bae3b
-
SHA256
34947ad997759cb6aaf571df44c0996dae57e04cf4510ef4136b8b7ca16eea4e
-
SHA512
9c01412cb8aa51419f74f8b614f88383f41ce2e2698b373b7d59519d23b875e0660b6fe4a947afa0b79878223afacb8cb8b8a3164b0a44d20f8f58521ff9d21e
-
SSDEEP
49152:BB3kRVwF/UHWZU5qfD330oa5EL0h81IC4XA4QKa1lWpdh:L0ReSS05G281ICX4QKa1lWpdh
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\HORNETrat_launcher.exe"C:\Users\Admin\AppData\Local\Temp\HORNETrat_launcher.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\mshyperblock\7CVEgcv.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\mshyperblock\S9mCKi92BftZwElqhr8FGhYT1zV90zFd1F.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\mshyperblock\hyperInto.exe"C:\mshyperblock/hyperInto.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X3Cei7xi0V.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe"C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe"C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O4lRoaYFUn.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe"C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe"C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QZnykySc6r.bat"13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\hyperInto.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperInto" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\hyperInto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\hyperInto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184B
MD56acb86ef372b38c1ef80588ff4aae4c6
SHA1e1d6e6199c85e63fe47748cb8e013e91d85db24c
SHA25685efbcb7a1383497f0e3b00902c66c352cc9069561bd8c0fb824626534079e89
SHA5125ac48e272d4bc3e79631cc977907a4b8af7d23ed6cf4cfa29165423c70e9b9f5cca9057acb00b95a67c3ba74ff9d4dfb6e1204e6f6984e1a0fff27708c8c9c22
-
Filesize
232B
MD5d3dd9bb4a85a1d2fd00bb6c8615fd6f2
SHA18314ee5497c44c9b87ebdab65811c2000b6a0041
SHA256df794f3f1896bc82a4cf68c220ee386b1e15251b9ea748f583dccd1f58c4952d
SHA512e1dfef583357a2bafc838895458bef8b713791529ecc96c0346ddf6c446ca11b0866ba6dbacc5e80b4731ebb71f3f42bde0864f30b54d248a43ceea86815f1a6
-
Filesize
232B
MD5715c317a427f37cd29aa8b938807e0cb
SHA1828e949846046e2956be66a8727da5b8c06c6611
SHA256099d935dbcc36c1233df9e6614e24341e9fdb70165fb280d500394a3f06a45c0
SHA51209c854bbd46642a228f936afeaa116e2f9235691f32ee269ef5912cfd36f9448c449eb9b798b15e34db8e6aaa32260df319457c3746effcacd0387c8e26c885b
-
Filesize
184B
MD53f7fa6475932a8f69393513245adce0e
SHA1e35766bdd12dc40025f5cc2a2caf273bd80c27fb
SHA256b64db0343474c1e45840af998a4a1c582d96ae0b735bf5b4d52cb82098fa6ea1
SHA51216f3123321cc89212e7d58abea3d1aa4eded0448fc3f87e719d0aad87a414792757ca3b1f2878ee9aeacab0b1e835ca379f053c1f83b07298ef4e09c0694b916
-
Filesize
184B
MD5caeb270f25d420329242989789af8747
SHA1d3c3eb3d1e71a2d0f28cfaaf229628e91d2b17cb
SHA256b0e2a5da37b72ec29fedd6480457ca4f62080d31b9bab447e7855ee3e56e5b6d
SHA51277694caa6499e903397da35a26a4ecce0f3deff55c1556e101017ca953ec2114aad442345035af159825916d1009e958487d5d6cf14f5d6f564cc2b2c2c41a19
-
Filesize
225B
MD5b7a9d7bc751980e5d28b50643805b2b0
SHA1dd4e0de7003f4dfc9a4cc52bfbf542e335a700f3
SHA256417517292e016853942d2072a55cb914a1e9c552af7d4fce9e9497d32d42ae2f
SHA512965e0ecc6c2535d46c7cc27ca7917f5ff20e07b881bf4ab15f26fd25807ad756fed4eca03f8315b68d1e72db1b97f9344ce111955b4c7368f40c5d2f8afec8a0
-
Filesize
71B
MD5769d41729d7dc06c2302102db2bf90bf
SHA1156cdeacce22a5969515bc4d61f47a908da78f1e
SHA25638f5e3ea511d8cfe28b6d163d844a8cd7c1428ba2f0017793fba1fbae559d54e
SHA512f33d0e2ca822168915a2ac6f8ab8bc4774d8733f92d8937b96c9b3e39ece245f003183c53d55c6a51b6c9b1241d252bd303af7381516ae1cd23641fda45de5c7
-
Filesize
2.6MB
MD55bdfa3d66339a5624d36ee2038584cfc
SHA1a55b70c8e118a0aa3d3d06281ce5809db2933a7a
SHA256a1cdf05403d641c6717c540e76ee1cff8b3d3723df3574413dbdd7e18d1393fa
SHA512de156c9044d48657056d087252f46ed3c36f1ce676b1e0a2b3946dc29fa6e5347685bff1b4ad83ecb5b194bd3eb2e3976cbd7028d34390590393bbb5373b84c2
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
56KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
360KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
2.6MB