Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-02-2021 02:53

General

  • Target

    4yQyNsXLvwdE7h0o12Rg.exe

  • Size

    684KB

  • MD5

    5786034e260eabfd710772bcfa97bc95

  • SHA1

    a5699e485d73471ecc45da327976aa6d2d2ac2cc

  • SHA256

    1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35

  • SHA512

    a4ce8ffb2e3d4d3104900ba68184d92cfe94f0e7cf4ee8834eec7838769e7e0775b964c09010b9f047c70012adb1850cefcb385c7a7f7c7ad735e7fa82c0f070

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DC Rat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe
    "C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\dlldhcp\pb9Gu3tG7NmOc5Gajm8xMQsWHj1XvE.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\dlldhcp\Ovv4WrUEEOrKRGuaUIBYpelkPalQwD.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe
          TvyV4sMJtQ2q43rckgWS.exe -p55ff48c21c9494a5d9e8edfacff40e98a5e08b85
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3412
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\dlldhcp\06OXEbc57sIIel2pT7VSFVSjXXmfRt.vbe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2392
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\dlldhcp\M2pBQ8CVzpBi7EtxSagzVS7Rsq03Qh.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2716
              • C:\dlldhcp\reviewcommon.exe
                "C:\dlldhcp\reviewcommon.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1324
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:976
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:3724
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:3024
                • C:\PerfLogs\smss.exe
                  "C:\PerfLogs\smss.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:212

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PerfLogs\smss.exe
    MD5

    129acac9f415647ea9aa17b970f25391

    SHA1

    9576592f52c4ddf4a3922077832ad9c2f70e86de

    SHA256

    71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

    SHA512

    7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

  • C:\PerfLogs\smss.exe
    MD5

    129acac9f415647ea9aa17b970f25391

    SHA1

    9576592f52c4ddf4a3922077832ad9c2f70e86de

    SHA256

    71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

    SHA512

    7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

  • C:\dlldhcp\06OXEbc57sIIel2pT7VSFVSjXXmfRt.vbe
    MD5

    210951648be0af442e992c0c244881d2

    SHA1

    5a1f973643464b8c25ea0baacf24c1be63a0fc35

    SHA256

    84c461efb89569ac83256e91419a7e433cf3dd114d7bbcdca3d043c5e3a3a6df

    SHA512

    591792d2b0a9e8483071c35956b2189ebfb11f754f9f917a8a9626a11d176ef12880f84741a1a81c094ad2202f1187d917832266ebb474910f9d76a153b28807

  • C:\dlldhcp\M2pBQ8CVzpBi7EtxSagzVS7Rsq03Qh.bat
    MD5

    5895d60ccfece992e7ba54e9c612c6b7

    SHA1

    4ad6068c24eea84ecf8096c5710d1c7823e97d7c

    SHA256

    8274d8a146527cd6887201bcf8b0444abf859e5a53485c2325e07f064ed09562

    SHA512

    894fa23cd7bb76bc0e54493d5f5f24cc88d9002e41901e68da2c211b628897aa0242bc17995f264518ce4140925163879265160b921d7b445a815c85625d6b91

  • C:\dlldhcp\Ovv4WrUEEOrKRGuaUIBYpelkPalQwD.bat
    MD5

    47bd37706cba75d92e38e8a92c3f677c

    SHA1

    c4dc06ca75cfce3672294c0fb658637679b890af

    SHA256

    204e3297bbd72d9c4c21e0aa94c563f0ae310f7116fd0dfc5095c0acea994f2f

    SHA512

    a14079075318a6695677da9e4a670fb9a982673a27be346a9453551861e68259216fb96d1295e3be61d977ee3868e7b23669ad5a90488e2c9f00503ecdda9a70

  • C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe
    MD5

    e957674018efb1b736acbffb8ed03960

    SHA1

    2dd39dbed238087764f4fc716f93d289dfe6d140

    SHA256

    b7b622503d442c422d585761daf056f2becd9d5e73f4c1b83635e4b4643bbfba

    SHA512

    591ab7a2aafecb89622510044062091f98cac906d29870196ad3941dce4dacae1f281f0033aa98dfc96dcbc4d923539e43d5c3476d2dfacdb597b61591dcbf6e

  • C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe
    MD5

    e957674018efb1b736acbffb8ed03960

    SHA1

    2dd39dbed238087764f4fc716f93d289dfe6d140

    SHA256

    b7b622503d442c422d585761daf056f2becd9d5e73f4c1b83635e4b4643bbfba

    SHA512

    591ab7a2aafecb89622510044062091f98cac906d29870196ad3941dce4dacae1f281f0033aa98dfc96dcbc4d923539e43d5c3476d2dfacdb597b61591dcbf6e

  • C:\dlldhcp\pb9Gu3tG7NmOc5Gajm8xMQsWHj1XvE.vbe
    MD5

    99eb5a92e1d4538b512963280319e437

    SHA1

    76bc222143c744c72e93993336824b176c6274e5

    SHA256

    0284b07335fb6b1bd283621dfaa3438d59627bf21ece7126f94ae900cdf1cc6b

    SHA512

    5ca744d59de1aa91fbbfd3282f35bbe08517ca53b9004a3f5383886af8dfcb819a416bd1d607ae53252b3674ebd23ad49e5f45f5944510d732834fd90adf243d

  • C:\dlldhcp\reviewcommon.exe
    MD5

    129acac9f415647ea9aa17b970f25391

    SHA1

    9576592f52c4ddf4a3922077832ad9c2f70e86de

    SHA256

    71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

    SHA512

    7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

  • C:\dlldhcp\reviewcommon.exe
    MD5

    129acac9f415647ea9aa17b970f25391

    SHA1

    9576592f52c4ddf4a3922077832ad9c2f70e86de

    SHA256

    71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

    SHA512

    7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

  • memory/212-24-0x0000000000000000-mapping.dmp
  • memory/212-32-0x0000015C31E03000-0x0000015C31E04000-memory.dmp
    Filesize

    4KB

  • memory/212-31-0x0000015C171E0000-0x0000015C171E1000-memory.dmp
    Filesize

    4KB

  • memory/212-30-0x0000015C31E02000-0x0000015C31E03000-memory.dmp
    Filesize

    4KB

  • memory/212-27-0x00007FFB84BD0000-0x00007FFB855BC000-memory.dmp
    Filesize

    9.9MB

  • memory/976-21-0x0000000000000000-mapping.dmp
  • memory/1324-20-0x0000029B738F0000-0x0000029B738F2000-memory.dmp
    Filesize

    8KB

  • memory/1324-18-0x0000029B71AF0000-0x0000029B71AF1000-memory.dmp
    Filesize

    4KB

  • memory/1324-17-0x00007FFB84BD0000-0x00007FFB855BC000-memory.dmp
    Filesize

    9.9MB

  • memory/1324-14-0x0000000000000000-mapping.dmp
  • memory/2392-10-0x0000000000000000-mapping.dmp
  • memory/2716-13-0x0000000000000000-mapping.dmp
  • memory/2924-6-0x0000000000000000-mapping.dmp
  • memory/3024-23-0x0000000000000000-mapping.dmp
  • memory/3196-3-0x0000000000000000-mapping.dmp
  • memory/3412-7-0x0000000000000000-mapping.dmp
  • memory/3724-22-0x0000000000000000-mapping.dmp