Overview
overview
10Static
static
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
377s -
max time network
458s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 10:08
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral8
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
amtemu.v0.9.2.win-painter_edited.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
api.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
default.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
Behavioral task
behavioral28
Sample
good.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
infected dot net installer.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
oof.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
ou55sg33s_1.exe
Resource
win10v20201028
General
-
Target
ForceOp 2.8.7 - By RaiSence.exe
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Suspicious use of NtCreateProcessExOtherParentProcess ⋅ 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 3636 created 1888 3636 WerFault.exe wscript.exe -
Executes dropped EXE ⋅ 2 IoCs
Processes:
wincommon.exewscript.exepid process 3772 wincommon.exe 1888 wscript.exe -
Drops file in Program Files directory ⋅ 4 IoCs
Processes:
wincommon.exedescription ioc process File created C:\Program Files\Microsoft Office 15\ClientX64\svchost.exe wincommon.exe File created C:\Program Files\Microsoft Office 15\ClientX64\f4d236fdec2fd03914189c3b26e5cb0dfea9d761 wincommon.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe wincommon.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a wincommon.exe -
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash ⋅ 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3636 1888 WerFault.exe wscript.exe -
Creates scheduled task(s) ⋅ 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
TTPs:
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3612 schtasks.exe 2136 schtasks.exe 1136 schtasks.exe 3648 schtasks.exe 2084 schtasks.exe 1508 schtasks.exe -
Modifies registry class ⋅ 1 IoCs
Processes:
ForceOp 2.8.7 - By RaiSence.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings ForceOp 2.8.7 - By RaiSence.exe -
Suspicious behavior: EnumeratesProcesses ⋅ 16 IoCs
Processes:
wincommon.exewscript.exeWerFault.exepid process 3772 wincommon.exe 1888 wscript.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe 3636 WerFault.exe -
Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
Processes:
wincommon.exewscript.exeWerFault.exedescription pid process Token: SeDebugPrivilege 3772 wincommon.exe Token: SeDebugPrivilege 1888 wscript.exe Token: SeDebugPrivilege 3636 WerFault.exe -
Suspicious use of WriteProcessMemory ⋅ 25 IoCs
Processes:
ForceOp 2.8.7 - By RaiSence.exeWScript.execmd.exewincommon.exedescription pid process target process PID 3276 wrote to memory of 2540 3276 ForceOp 2.8.7 - By RaiSence.exe WScript.exe PID 3276 wrote to memory of 2540 3276 ForceOp 2.8.7 - By RaiSence.exe WScript.exe PID 3276 wrote to memory of 2540 3276 ForceOp 2.8.7 - By RaiSence.exe WScript.exe PID 3276 wrote to memory of 3412 3276 ForceOp 2.8.7 - By RaiSence.exe WScript.exe PID 3276 wrote to memory of 3412 3276 ForceOp 2.8.7 - By RaiSence.exe WScript.exe PID 3276 wrote to memory of 3412 3276 ForceOp 2.8.7 - By RaiSence.exe WScript.exe PID 2540 wrote to memory of 1148 2540 WScript.exe cmd.exe PID 2540 wrote to memory of 1148 2540 WScript.exe cmd.exe PID 2540 wrote to memory of 1148 2540 WScript.exe cmd.exe PID 1148 wrote to memory of 3772 1148 cmd.exe wincommon.exe PID 1148 wrote to memory of 3772 1148 cmd.exe wincommon.exe PID 3772 wrote to memory of 3612 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 3612 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 2136 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 2136 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 1136 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 1136 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 3648 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 3648 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 2084 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 2084 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 1508 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 1508 3772 wincommon.exe schtasks.exe PID 3772 wrote to memory of 1888 3772 wincommon.exe wscript.exe PID 3772 wrote to memory of 1888 3772 wincommon.exe wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exePID:3276"C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"Modifies registry classSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exePID:2540"C:\Windows\System32\WScript.exe" "C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe"Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exePID:1148C:\Windows\system32\cmd.exe /c ""C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat" "Suspicious use of WriteProcessMemory
-
C:\intofont\wincommon.exePID:3772"C:\intofont\wincommon.exe"Executes dropped EXEDrops file in Program Files directorySuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exePID:3612"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\odt\svchost.exe'" /rl HIGHEST /fCreates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exePID:2136"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /fCreates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exePID:1136"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\intofont\svchost.exe'" /rl HIGHEST /fCreates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exePID:3648"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\svchost.exe'" /rl HIGHEST /fCreates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exePID:2084"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /fCreates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exePID:1508"schtasks" /create /tn "wscript" /sc ONLOGON /tr "'C:\PerfLogs\wscript.exe'" /rl HIGHEST /fCreates scheduled task(s)
-
C:\PerfLogs\wscript.exePID:1888"C:\PerfLogs\wscript.exe"Executes dropped EXESuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exePID:3636C:\Windows\system32\WerFault.exe -u -p 1888 -s 1796Suspicious use of NtCreateProcessExOtherParentProcessProgram crashSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exePID:3412"C:\Windows\System32\WScript.exe" "C:\intofont\msg.vbs"
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
C:\PerfLogs\wscript.exeMD5
9134637118b2a4485fb46d439133749b
SHA125b60dba36e432f53f68603797d50b9c6cc127ce
SHA2565dca1a463f5308018c477503a5179f45c468245dd4a84732ee824bd704521acc
SHA512a6db12e3349c034051940b15adbb530ba34152ccbe41afc210dad7e64331221b3dbae1563a2f3b79a43d12da54eaeac3f30cfb708ebc75ab6a9dfc30a8f1e601
-
C:\PerfLogs\wscript.exeMD5
9134637118b2a4485fb46d439133749b
SHA125b60dba36e432f53f68603797d50b9c6cc127ce
SHA2565dca1a463f5308018c477503a5179f45c468245dd4a84732ee824bd704521acc
SHA512a6db12e3349c034051940b15adbb530ba34152ccbe41afc210dad7e64331221b3dbae1563a2f3b79a43d12da54eaeac3f30cfb708ebc75ab6a9dfc30a8f1e601
-
C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbeMD5
35f693ab095c33d4c62230d69ff6b43f
SHA119e8b126076b5e5d8e8b97f3757ad99357915bf4
SHA2561a3b550ae14c360fd9600e52924706a356290939317f3a32b35bfa97b5dbc163
SHA5121e2599c7b10a1fc5c004d7d68c487028d5d2d6a1102af0150ea0c15663819dac42e3a55a769cc532cf45f9f037cece3fcdc2820f2bfbe8439fd0a3d5a16bb4df
-
C:\intofont\MOSMD5
cb456215c3333db0551bd0788bc258c7
SHA1a0b861f6121344b631992c8252fa8748835e4df6
SHA2567e7b3a01539b5dd82108fe0dc455a76294708bb782f8f7590b06f0975fdf93c1
SHA512796ccc0f1fc4a990fe3c50f54a2d009e6ddb8e4e062ac1839a2c2c1e6f120311dad66fa86211137cb38cce27a99614085702d5fe9b6f3effc5dd1db0ad879448
-
C:\intofont\msg.vbsMD5
01c71ea2d98437129936261c48403132
SHA1dc689fb68a3e7e09a334e7a37c0d10d0641af1a6
SHA2560401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061
SHA512a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9
-
C:\intofont\wincommon.exeMD5
9134637118b2a4485fb46d439133749b
SHA125b60dba36e432f53f68603797d50b9c6cc127ce
SHA2565dca1a463f5308018c477503a5179f45c468245dd4a84732ee824bd704521acc
SHA512a6db12e3349c034051940b15adbb530ba34152ccbe41afc210dad7e64331221b3dbae1563a2f3b79a43d12da54eaeac3f30cfb708ebc75ab6a9dfc30a8f1e601
-
C:\intofont\wincommon.exeMD5
9134637118b2a4485fb46d439133749b
SHA125b60dba36e432f53f68603797d50b9c6cc127ce
SHA2565dca1a463f5308018c477503a5179f45c468245dd4a84732ee824bd704521acc
SHA512a6db12e3349c034051940b15adbb530ba34152ccbe41afc210dad7e64331221b3dbae1563a2f3b79a43d12da54eaeac3f30cfb708ebc75ab6a9dfc30a8f1e601
-
C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.batMD5
9fe442702fb57ffec2b831c3949a74e0
SHA1e285d89241ef0aeeeb50f65e09a741baf399cb1f
SHA256d50176a5de27bc9b4c52ebb4e30ec4cbf1e6a79eda4d83a013b220f489a5bcb9
SHA512548a8df7f0d9278f84eca35bf40638a4572cb625050f7a0684ee14b2117df8307101d8f9383c3fcab23fcf656c21f69db3f4509a037307ed6658ff4c063b4eab
-
memory/1136-28-0x0000000000000000-mapping.dmp
-
memory/1148-18-0x0000000000000000-mapping.dmp
-
memory/1508-31-0x0000000000000000-mapping.dmp
-
memory/1888-47-0x0000000000000000-mapping.dmp
-
memory/1888-42-0x0000000000000000-mapping.dmp
-
memory/1888-54-0x0000000000000000-mapping.dmp
-
memory/1888-53-0x0000000000000000-mapping.dmp
-
memory/1888-52-0x0000000000000000-mapping.dmp
-
memory/1888-51-0x0000000000000000-mapping.dmp
-
memory/1888-50-0x0000000000000000-mapping.dmp
-
memory/1888-49-0x0000000000000000-mapping.dmp
-
memory/1888-32-0x0000000000000000-mapping.dmp
-
memory/1888-46-0x0000000000000000-mapping.dmp
-
memory/1888-48-0x0000000000000000-mapping.dmp
-
memory/1888-35-0x00007FFED8500000-0x00007FFED8EEC000-memory.dmp
-
memory/1888-43-0x0000000000000000-mapping.dmp
-
memory/1888-41-0x0000000000000000-mapping.dmp
-
memory/1888-40-0x0000000000000000-mapping.dmp
-
memory/1888-45-0x0000000000000000-mapping.dmp
-
memory/1888-44-0x0000000000000000-mapping.dmp
-
memory/2084-30-0x0000000000000000-mapping.dmp
-
memory/2136-27-0x0000000000000000-mapping.dmp
-
memory/2540-0-0x0000000000000000-mapping.dmp
-
memory/3412-14-0x0000000000000000-mapping.dmp
-
memory/3612-26-0x0000000000000000-mapping.dmp
-
memory/3636-39-0x0000017402A40000-0x0000017402A41000-memory.dmp
-
memory/3636-55-0x0000017403C40000-0x0000017403C41000-memory.dmp
-
memory/3648-29-0x0000000000000000-mapping.dmp
-
memory/3772-25-0x000000001B9E0000-0x000000001B9E1000-memory.dmp
-
memory/3772-19-0x0000000000000000-mapping.dmp
-
memory/3772-22-0x00007FFED8500000-0x00007FFED8EEC000-memory.dmp
-
memory/3772-23-0x0000000000C90000-0x0000000000C91000-memory.dmp