Analysis
-
max time kernel
292s -
max time network
293s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
21-04-2021 18:06
General
-
Target
dashdV.exe
-
Size
17.1MB
-
MD5
765f570a565d578f2ace3ccb41cef038
-
SHA1
89b44e3aa8f3c93f80ae29f7a36a9486b080229d
-
SHA256
0d7c515d3483b45d5725717070e8497435c39b3450af59194b2a32a33c2867e8
-
SHA512
941862a1d09e70725f9826b05dc8a8c7442add91229f39ac7ea9d4e6b8d0f751d749ac6b6ac2202290122945e14bab06516680a7007598af7cca62ac1b465898
Malware Config
Signatures
-
DCrat 2 IoCs
DarkCrystalrat.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 16 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 11 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dashdV.exe"C:\Users\Admin\AppData\Local\Temp\dashdV.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\aye.exe"C:\ProgramData\aye.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\D2RrWRv0Po.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\System32\kk946QGUYfip6zCEWvxdUIQltPP.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe"C:\Windows\system32\netDhcpDriverruntimeCommon.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\ProgramData\Documents\OfficeClickToRun.exe'" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Boot\qps-ploc\wininit.exe'" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WmiApSrv\WmiPrvSE.exe'" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\TaskApis\dwm.exe'" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Public\CFskEsiPSt.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
C:\Windows\system32\PING.EXEping -n 5 localhost7⤵
- Runs ping.exe
-
C:\Windows\System32\TaskApis\dwm.exe"C:\Windows\System32\TaskApis\dwm.exe"7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\aye.exeMD5
fed9979b059967674138a00a535310e9
SHA1de3001de07bb5f6a19649540512b9d29acb8a7d9
SHA2564a0eda4125af78fee87b855f00379513adaeebf66eedd34ba61af90874eed366
SHA512e1445d4f149594901ee86542856f856a8874ea2caf2076a729d2fea3fe57cdf934d9912882dccb8d4e295035fc836d1d9cf81418973affd2da4d3bc40778345d
-
C:\ProgramData\aye.exeMD5
fed9979b059967674138a00a535310e9
SHA1de3001de07bb5f6a19649540512b9d29acb8a7d9
SHA2564a0eda4125af78fee87b855f00379513adaeebf66eedd34ba61af90874eed366
SHA512e1445d4f149594901ee86542856f856a8874ea2caf2076a729d2fea3fe57cdf934d9912882dccb8d4e295035fc836d1d9cf81418973affd2da4d3bc40778345d
-
C:\Users\Public\CFskEsiPSt.batMD5
197bea0ff97bc646cabc24cc77b8749e
SHA10ec5fa9710c6569c64001055932b4a3ffde7da4d
SHA256bfdab8e05e0e890c02ee13d08f8df154b16c1bbce4cbedb7548cf76ba44a84e5
SHA5127783fa1f661ac89c21e95d26484b1f0777c6bcc4348d0f298e45ced2a2facca2dae679787aa70f006a6fee4e1e215a53d275c8beb58377375508c66152612bdd
-
C:\Windows\SysWOW64\D2RrWRv0Po.vbeMD5
b57cdbe6bff09c4719cfeeeb11736d47
SHA1040ace85289b8b111e3e44e979a73277bd8284b6
SHA2560d76dd655a3bf305df6382093705ca9a0ec946651fd593c14ce81b0b286c6a5b
SHA51255fc21fcd6c0572c595271fc2a15d7b9eeab6dfd0ad055a498acfeba05a09e0ebc32fe674f985c101c62f6419c2404f314acc8ec5a8744b67971daaaca2b4451
-
C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.batMD5
b95e24d87d79c2b36fc0f8ef4434cfb7
SHA10e2a2c904e15f7f2e68a89f238d262b1d0b0f2e5
SHA2568fef5c403a59ab01e615e97319fe70c8a3e0234272334cb2d63ffd9f784ee726
SHA512e4cb26aed7aaf65cce7b4ed72c1f2edcf30bd46868d302836b55e976a3762cf6e30f5bf539b1b9b44f300e400fca68f79b6893ab936b8f49921823927c41f46b
-
C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exeMD5
6e6663ec26bed1a1b0e513aafddff490
SHA196b6a2c50e4662058799efee8278e1b2252f525b
SHA256a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571
SHA512dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af
-
C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exeMD5
6e6663ec26bed1a1b0e513aafddff490
SHA196b6a2c50e4662058799efee8278e1b2252f525b
SHA256a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571
SHA512dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af
-
C:\Windows\System32\TaskApis\dwm.exeMD5
6e6663ec26bed1a1b0e513aafddff490
SHA196b6a2c50e4662058799efee8278e1b2252f525b
SHA256a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571
SHA512dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af
-
C:\Windows\System32\TaskApis\dwm.exeMD5
6e6663ec26bed1a1b0e513aafddff490
SHA196b6a2c50e4662058799efee8278e1b2252f525b
SHA256a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571
SHA512dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af
-
memory/624-128-0x0000000005210000-0x00000000052A2000-memory.dmpFilesize
584KB
-
memory/624-118-0x0000000005210000-0x00000000052A2000-memory.dmpFilesize
584KB
-
memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/624-116-0x00000000057D0000-0x00000000057D1000-memory.dmpFilesize
4KB
-
memory/624-117-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/624-120-0x0000000005210000-0x00000000052A2000-memory.dmpFilesize
584KB
-
memory/624-119-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/636-130-0x0000000000000000-mapping.dmp
-
memory/676-137-0x0000000000000000-mapping.dmp
-
memory/788-139-0x0000000000000000-mapping.dmp
-
memory/1124-147-0x0000000000000000-mapping.dmp
-
memory/1148-148-0x0000000000000000-mapping.dmp
-
memory/1308-121-0x0000000000000000-mapping.dmp
-
memory/1496-142-0x0000000000000000-mapping.dmp
-
memory/1504-126-0x0000000000000000-mapping.dmp
-
memory/1628-143-0x0000000000000000-mapping.dmp
-
memory/2120-145-0x0000000000000000-mapping.dmp
-
memory/2312-131-0x0000000000000000-mapping.dmp
-
memory/2312-134-0x0000022FB5330000-0x0000022FB5331000-memory.dmpFilesize
4KB
-
memory/2312-136-0x0000022FCF9C0000-0x0000022FCF9C2000-memory.dmpFilesize
8KB
-
memory/2408-138-0x0000000000000000-mapping.dmp
-
memory/3396-144-0x0000000000000000-mapping.dmp
-
memory/3600-141-0x0000000000000000-mapping.dmp
-
memory/3836-140-0x0000000000000000-mapping.dmp
-
memory/3840-157-0x0000016C3D960000-0x0000016C3D967000-memory.dmpFilesize
28KB
-
memory/3840-160-0x0000016C3BEF0000-0x0000016C3BEF2000-memory.dmpFilesize
8KB
-
memory/3840-155-0x0000016C3BEE0000-0x0000016C3BEE6000-memory.dmpFilesize
24KB
-
memory/3840-156-0x0000016C3C060000-0x0000016C3C061000-memory.dmpFilesize
4KB
-
memory/3840-149-0x0000000000000000-mapping.dmp
-
memory/3840-158-0x0000016C3D970000-0x0000016C3D972000-memory.dmpFilesize
8KB
-
memory/3840-159-0x0000016C3D950000-0x0000016C3D952000-memory.dmpFilesize
8KB
-
memory/3840-154-0x0000016C3BE70000-0x0000016C3BE72000-memory.dmpFilesize
8KB
-
memory/3840-161-0x0000016C3C040000-0x0000016C3C042000-memory.dmpFilesize
8KB
-
memory/3840-162-0x0000016C3BF10000-0x0000016C3BF11000-memory.dmpFilesize
4KB
-
memory/3840-163-0x0000016C3BE72000-0x0000016C3BE74000-memory.dmpFilesize
8KB
-
memory/3840-164-0x0000016C3BE78000-0x0000016C3BE7A000-memory.dmpFilesize
8KB
-
memory/3840-165-0x0000016C3BE74000-0x0000016C3BE76000-memory.dmpFilesize
8KB
-
memory/3840-166-0x0000016C3BE76000-0x0000016C3BE78000-memory.dmpFilesize
8KB