Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-02-2021 02:53

Static task: static1
Behavioral task: behavioral1
  Sample: 4yQyNsXLvwdE7h0o12Rg.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 4yQyNsXLvwdE7h0o12Rg.exe
  Resource: win10v20201028
General
- Target: 4yQyNsXLvwdE7h0o12Rg.exe
- Size: 684KB
- MD5: 5786034e260eabfd710772bcfa97bc95
- SHA1: a5699e485d73471ecc45da327976aa6d2d2ac2cc
- SHA256: 1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35
- SHA512: a4ce8ffb2e3d4d3104900ba68184d92cfe94f0e7cf4ee8834eec7838769e7e0775b964c09010b9f047c70012adb1850cefcb385c7a7f7c7ad735e7fa82c0f070
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  resource                                     yara_rule
  behavioral2/files/0x000100000001ab7c-15.dat  dcrat
  behavioral2/files/0x000100000001ab7c-16.dat  dcrat
  behavioral2/files/0x000100000001ab82-25.dat  dcrat
  behavioral2/files/0x000100000001ab82-26.dat  dcrat
Executes dropped EXE (3 IoCs)
  pid   Process
  3412  TvyV4sMJtQ2q43rckgWS.exe
  1324  reviewcommon.exe
  212   smss.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 3 IoCs)
  description      Process           ioc
  Set value (str)  reviewcommon.exe  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""
  Set value (str)  reviewcommon.exe  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\""
  Set value (str)  reviewcommon.exe  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\""
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  13    ipinfo.io
  14    ipinfo.io
Drops file in Windows directory (1 IoCs)
  description   Process           ioc
  File created  reviewcommon.exe  C:\Windows\Speech\Common\en-US\lsass.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3024  schtasks.exe
  976   schtasks.exe
  3724  schtasks.exe
Modifies registry class (2 IoCs)
  description  Process                   ioc
  Key created  4yQyNsXLvwdE7h0o12Rg.exe  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings
  Key created  TvyV4sMJtQ2q43rckgWS.exe  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1324  reviewcommon.exe
  212   smss.exe
  212   smss.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  Process
  212  smss.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1324  reviewcommon.exe
  Token: SeDebugPrivilege  212   smss.exe
Suspicious use of WriteProcessMemory (25 IoCs)
  description                       pid   Process                   procid_target
  PID 812 wrote to memory of 3196   812   4yQyNsXLvwdE7h0o12Rg.exe  75
  PID 812 wrote to memory of 3196   812   4yQyNsXLvwdE7h0o12Rg.exe  75
  PID 812 wrote to memory of 3196   812   4yQyNsXLvwdE7h0o12Rg.exe  75
  PID 3196 wrote to memory of 2924  3196  WScript.exe               76
  PID 3196 wrote to memory of 2924  3196  WScript.exe               76
  PID 3196 wrote to memory of 2924  3196  WScript.exe               76
  PID 2924 wrote to memory of 3412  2924  cmd.exe                   78
  PID 2924 wrote to memory of 3412  2924  cmd.exe                   78
  PID 2924 wrote to memory of 3412  2924  cmd.exe                   78
  PID 3412 wrote to memory of 2392  3412  TvyV4sMJtQ2q43rckgWS.exe  79
  PID 3412 wrote to memory of 2392  3412  TvyV4sMJtQ2q43rckgWS.exe  79
  PID 3412 wrote to memory of 2392  3412  TvyV4sMJtQ2q43rckgWS.exe  79
  PID 2392 wrote to memory of 2716  2392  WScript.exe               80
  PID 2392 wrote to memory of 2716  2392  WScript.exe               80
  PID 2392 wrote to memory of 2716  2392  WScript.exe               80
  PID 2716 wrote to memory of 1324  2716  cmd.exe                   82
  PID 2716 wrote to memory of 1324  2716  cmd.exe                   82
  PID 1324 wrote to memory of 976   1324  reviewcommon.exe          86
  PID 1324 wrote to memory of 976   1324  reviewcommon.exe          86
  PID 1324 wrote to memory of 3724  1324  reviewcommon.exe          88
  PID 1324 wrote to memory of 3724  1324  reviewcommon.exe          88
  PID 1324 wrote to memory of 3024  1324  reviewcommon.exe          90
  PID 1324 wrote to memory of 3024  1324  reviewcommon.exe          90
  PID 1324 wrote to memory of 212   1324  reviewcommon.exe          92
  PID 1324 wrote to memory of 212   1324  reviewcommon.exe          92
Processes
(indented by depth in the process tree; the number in brackets is the depth)

[1] C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 812

  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\dlldhcp\pb9Gu3tG7NmOc5Gajm8xMQsWHj1XvE.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 3196

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\dlldhcp\Ovv4WrUEEOrKRGuaUIBYpelkPalQwD.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 2924

      [4] C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe
          Command line: TvyV4sMJtQ2q43rckgWS.exe -p55ff48c21c9494a5d9e8edfacff40e98a5e08b85
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 3412

        [5] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\dlldhcp\06OXEbc57sIIel2pT7VSFVSjXXmfRt.vbe"
            - Suspicious use of WriteProcessMemory
            PID: 2392

          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\dlldhcp\M2pBQ8CVzpBi7EtxSagzVS7Rsq03Qh.bat" "
              - Suspicious use of WriteProcessMemory
              PID: 2716

            [7] C:\dlldhcp\reviewcommon.exe
                Command line: "C:\dlldhcp\reviewcommon.exe"
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 1324

              [8] C:\Windows\SYSTEM32\schtasks.exe
                  Command line: "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
                  PID: 976

              [8] C:\Windows\SYSTEM32\schtasks.exe
                  Command line: "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
                  PID: 3724

              [8] C:\Windows\SYSTEM32\schtasks.exe
                  Command line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
                  - Creates scheduled task(s)
                  PID: 3024

              [8] C:\PerfLogs\smss.exe
                  Command line: "C:\PerfLogs\smss.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 212