Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-02-2021 02:53

General

  • Target

    4yQyNsXLvwdE7h0o12Rg.exe

  • Size

    684KB

  • MD5

    5786034e260eabfd710772bcfa97bc95

  • SHA1

    a5699e485d73471ecc45da327976aa6d2d2ac2cc

  • SHA256

    1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35

  • SHA512

    a4ce8ffb2e3d4d3104900ba68184d92cfe94f0e7cf4ee8834eec7838769e7e0775b964c09010b9f047c70012adb1850cefcb385c7a7f7c7ad735e7fa82c0f070

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DC Rat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe
    "C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\dlldhcp\pb9Gu3tG7NmOc5Gajm8xMQsWHj1XvE.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\dlldhcp\Ovv4WrUEEOrKRGuaUIBYpelkPalQwD.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe
          TvyV4sMJtQ2q43rckgWS.exe -p55ff48c21c9494a5d9e8edfacff40e98a5e08b85
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3412
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\dlldhcp\06OXEbc57sIIel2pT7VSFVSjXXmfRt.vbe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2392
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\dlldhcp\M2pBQ8CVzpBi7EtxSagzVS7Rsq03Qh.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2716
              • C:\dlldhcp\reviewcommon.exe
                "C:\dlldhcp\reviewcommon.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1324
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:976
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:3724
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:3024
                • C:\PerfLogs\smss.exe
                  "C:\PerfLogs\smss.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:212

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/212-32-0x0000015C31E03000-0x0000015C31E04000-memory.dmp

    Filesize

    4KB

  • memory/212-31-0x0000015C171E0000-0x0000015C171E1000-memory.dmp

    Filesize

    4KB

  • memory/212-30-0x0000015C31E02000-0x0000015C31E03000-memory.dmp

    Filesize

    4KB

  • memory/212-27-0x00007FFB84BD0000-0x00007FFB855BC000-memory.dmp

    Filesize

    9.9MB

  • memory/1324-20-0x0000029B738F0000-0x0000029B738F2000-memory.dmp

    Filesize

    8KB

  • memory/1324-18-0x0000029B71AF0000-0x0000029B71AF1000-memory.dmp

    Filesize

    4KB

  • memory/1324-17-0x00007FFB84BD0000-0x00007FFB855BC000-memory.dmp

    Filesize

    9.9MB