Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-07-2024 01:58
Behavioral task: behavioral1
- Sample: f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe
- Resource: win10v2004-20240508-en
General
- Target: f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe
- Size: 1.1MB
- MD5: 829cab70d17eaedeabe77c32154d11f2
- SHA1: 196c898abee483229f61342ac1f8248677f833da
- SHA256: f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97
- SHA512: 9d7ce634639d86cf020d1ce1a85e7c7d113feed2d0fc98f1f5ebb233ba77129e133b92636864bdbf105ec5599143f84835219203173bcf63ce047a7d40a7f4c3
- SSDEEP: 24576:Y2G/nvxW3W4kqExbb2uM2bowf751JKeqkTsRPns:YbA34qQUwf75bz
Malware Config
Signatures
- DcRat (12 IoCs)
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Processes (pid, process): 2548 schtasks.exe, 2888 schtasks.exe, 1652 schtasks.exe, 2504 schtasks.exe, 1624 schtasks.exe, 2544 schtasks.exe, 2820 schtasks.exe, 2884 schtasks.exe, 1528 schtasks.exe, 2628 schtasks.exe, 2540 schtasks.exe, 2800 schtasks.exe
- Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\cmd.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\cmd.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" (componentfontnet.exe)
- Process spawned unexpected child process (12 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (pid, pid_target, process), each with description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process":
  - 2628, 2528, schtasks.exe
  - 2548, 2528, schtasks.exe
  - 2504, 2528, schtasks.exe
  - 1624, 2528, schtasks.exe
  - 2540, 2528, schtasks.exe
  - 2544, 2528, schtasks.exe
  - 2800, 2528, schtasks.exe
  - 2820, 2528, schtasks.exe
  - 2888, 2528, schtasks.exe
  - 2884, 2528, schtasks.exe
  - 1528, 2528, schtasks.exe
  - 1652, 2528, schtasks.exe
  Processes (resource, yara_rule):
  - \intobroker\componentfontnet.exe: dcrat
  - behavioral1/memory/2644-13-0x0000000000DD0000-0x0000000000EA6000-memory.dmp: dcrat
  - behavioral1/memory/356-28-0x00000000009B0000-0x0000000000A86000-memory.dmp: dcrat
- Executes dropped EXE (2 IoCs)
  Processes (pid, process): 2644 componentfontnet.exe, 356 dwm.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process): 2744 cmd.exe, 2744 cmd.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\cmd.exe\"" (componentfontnet.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\cmd.exe\"" (componentfontnet.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
  - File created C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe (componentfontnet.exe)
  - File created C:\Program Files\Windows NT\Accessories\ja-JP\6ccacd8608530f (componentfontnet.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created C:\Windows\Prefetch\ReadyBoot\dwm.exe (componentfontnet.exe)
  - File created C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3 (componentfontnet.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process): 2628 schtasks.exe, 2548 schtasks.exe, 2540 schtasks.exe, 2544 schtasks.exe, 2800 schtasks.exe, 2884 schtasks.exe, 1652 schtasks.exe, 2504 schtasks.exe, 1624 schtasks.exe, 2820 schtasks.exe, 2888 schtasks.exe, 1528 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process): 2644 componentfontnet.exe, 2644 componentfontnet.exe, 2644 componentfontnet.exe, 356 dwm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 2644, componentfontnet.exe
  - Token: SeDebugPrivilege, 356, dwm.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
  - PID 1724 wrote to memory of 2432, 1724, f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe, WScript.exe (4 entries)
  - PID 2432 wrote to memory of 2744, 2432, WScript.exe, cmd.exe (4 entries)
  - PID 2744 wrote to memory of 2644, 2744, cmd.exe, componentfontnet.exe (4 entries)
  - PID 2644 wrote to memory of 356, 2644, componentfontnet.exe, dwm.exe (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\intobroker\osry78APVO.vbe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\intobroker\tDTHMvsh0leL386.bat" "
      Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      Child process:
      - C:\intobroker\componentfontnet.exe
        Command line: "C:\intobroker\componentfontnet.exe"
        Signatures:
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Child process:
        - C:\Windows\Prefetch\ReadyBoot\dwm.exe
          Command line: "C:\Windows\Prefetch\ReadyBoot\dwm.exe"
          Signatures:
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\sppsvc.exe'" /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /rl HIGHEST /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /rl HIGHEST /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
  Signatures:
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads
- C:\intobroker\osry78APVO.vbe
  Filesize: 203B
  MD5: d9575ef3d39fa2d3f7cddfa06e37aed9
  SHA1: 96f3d4b152dd2b5367a6c6199c7c0cb8a7e55e48
  SHA256: 7620872ff0baa9a5acccdf52eda7568ac9e26968922835abab01703e25c6f8b5
  SHA512: 5f0bae0a68887a17b0d5cbac991a0657b83dc3e9bdfa0bfd62805d0cbaf4bad1d2354d63549743e46e11d6449f2a6d6bf7a1892ba5efa744abe7e1027234e742
- C:\intobroker\tDTHMvsh0leL386.bat
  Filesize: 36B
  MD5: eebb77f627130b420bf208f1efe0b460
  SHA1: 60fc9a9abee4f092453513424d3ad026d047b5fd
  SHA256: 8a5e709a08538e22d8491eaaf5aaf53b1468229a5721c072ea08c9467e0c3ef5
  SHA512: 030ddab47f04ddcfb8f1ec412621d0e31821f82fd38dde3fae07e63234613d14276bc2d378f20d9499fd1b9098cb042f5fefe7b49cb2aad5ef44635736e8b7ed
- \intobroker\componentfontnet.exe
  Filesize: 829KB
  MD5: 0496185a6219652c72da3dc493b35853
  SHA1: 9060775977b6a917f8d513521ad1a327342d0eab
  SHA256: 32e448e205263af7253fdb66af9e2349e18a6054c9a1d27e8c5264840ba1559e
  SHA512: 8a36acae4bf2e966ef2913d24b2be6ed8c4d167868e98b94fdebc4892895a61f0c43a682a829a9f615a03aec953bca3f2cf1915b1368fa2cf1fd9be91f2da84f
- memory/356-28-0x00000000009B0000-0x0000000000A86000-memory.dmp
  Filesize: 856KB
- memory/2644-13-0x0000000000DD0000-0x0000000000EA6000-memory.dmp
  Filesize: 856KB