Overview

overview

10

Static

static

ﱞﱞﱞï...ﱞﱞ

windows10_x64

10

ﱞﱞﱞï...ฺฺ

windows10_x64

10

Resubmissions

21-04-2021 18:06

210421-67ta5keqaa 10

21-04-2021 18:02

210421-f5gwj58ryj 10

Analysis

  • max time kernel
    58s
  • max time network
    60s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-04-2021 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dashdV.exe

  • Size

    17.1MB

  • MD5

    765f570a565d578f2ace3ccb41cef038

  • SHA1

    89b44e3aa8f3c93f80ae29f7a36a9486b080229d

  • SHA256

    0d7c515d3483b45d5725717070e8497435c39b3450af59194b2a32a33c2867e8

  • SHA512

    941862a1d09e70725f9826b05dc8a8c7442add91229f39ac7ea9d4e6b8d0f751d749ac6b6ac2202290122945e14bab06516680a7007598af7cca62ac1b465898

Score
10/10
dcratinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DCrat 2 IoCs

    DarkCrystalrat.

    rat
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
    persistence
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 18 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dashdV.exe
    "C:\Users\Admin\AppData\Local\Temp\dashdV.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\ProgramData\aye.exe
      "C:\ProgramData\aye.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\D2RrWRv0Po.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3292
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\kk946QGUYfip6zCEWvxdUIQltPP.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3972
          • C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
            "C:\Windows\system32\netDhcpDriverruntimeCommon.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\luainstall\SppExtComObj.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:3764
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:3176
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:3612
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\SettingsHandlers_Devices\RuntimeBroker.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:3312
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "netDhcpDriverruntimeCommon" /sc ONLOGON /tr "'C:\Documents and Settings\netDhcpDriverruntimeCommon.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:2264
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest\ShellExperienceHost.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:2080
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "netDhcpDriverruntimeCommon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\netDhcpDriverruntimeCommon.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:2200
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows-NFC-SEManagement\pris\SearchUI.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:1492
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:3292
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\QAE1MLiqRm.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:204
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:3516
                • C:\Windows\system32\PING.EXE
                  ping -n 5 localhost
                  7⤵
                  • Runs ping.exe
                  PID:3300
                • C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe
                  "C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe"
                  7⤵
                  • Drops file in Drivers directory
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3560

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe
      MD5

      6e6663ec26bed1a1b0e513aafddff490

      SHA1

      96b6a2c50e4662058799efee8278e1b2252f525b

      SHA256

      a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571

      SHA512

      dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af

      Download Submit
    • C:\ProgramData\SoftwareDistribution\ShellExperienceHost.exe
      MD5

      6e6663ec26bed1a1b0e513aafddff490

      SHA1

      96b6a2c50e4662058799efee8278e1b2252f525b

      SHA256

      a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571

      SHA512

      dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af

      Download Submit
    • C:\ProgramData\aye.exe
      MD5

      fed9979b059967674138a00a535310e9

      SHA1

      de3001de07bb5f6a19649540512b9d29acb8a7d9

      SHA256

      4a0eda4125af78fee87b855f00379513adaeebf66eedd34ba61af90874eed366

      SHA512

      e1445d4f149594901ee86542856f856a8874ea2caf2076a729d2fea3fe57cdf934d9912882dccb8d4e295035fc836d1d9cf81418973affd2da4d3bc40778345d

      Download Submit
    • C:\ProgramData\aye.exe
      MD5

      fed9979b059967674138a00a535310e9

      SHA1

      de3001de07bb5f6a19649540512b9d29acb8a7d9

      SHA256

      4a0eda4125af78fee87b855f00379513adaeebf66eedd34ba61af90874eed366

      SHA512

      e1445d4f149594901ee86542856f856a8874ea2caf2076a729d2fea3fe57cdf934d9912882dccb8d4e295035fc836d1d9cf81418973affd2da4d3bc40778345d

      Download Submit
    • C:\Users\Public\QAE1MLiqRm.bat
      MD5

      86be04671ced919a7dae4ec6db1d0bc6

      SHA1

      5d73b0a3efb83c96e6e46fae850c31ced0909b95

      SHA256

      9075ee9a1bbf93f5113a0dce66eab5005bf30d6aeb004471bf6719ff74beeaae

      SHA512

      910e1e2380c046275667f0ebbc40f751fbf903adfc50d85e34de4ca3ca3f690fb62b1a8c0af48cd6b47450bd7d266e3e35432197292d4b4e74c09d7ce8e382d3

      Download Submit
    • C:\Windows\SysWOW64\D2RrWRv0Po.vbe
      MD5

      b57cdbe6bff09c4719cfeeeb11736d47

      SHA1

      040ace85289b8b111e3e44e979a73277bd8284b6

      SHA256

      0d76dd655a3bf305df6382093705ca9a0ec946651fd593c14ce81b0b286c6a5b

      SHA512

      55fc21fcd6c0572c595271fc2a15d7b9eeab6dfd0ad055a498acfeba05a09e0ebc32fe674f985c101c62f6419c2404f314acc8ec5a8744b67971daaaca2b4451

      Download Submit
    • C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat
      MD5

      b95e24d87d79c2b36fc0f8ef4434cfb7

      SHA1

      0e2a2c904e15f7f2e68a89f238d262b1d0b0f2e5

      SHA256

      8fef5c403a59ab01e615e97319fe70c8a3e0234272334cb2d63ffd9f784ee726

      SHA512

      e4cb26aed7aaf65cce7b4ed72c1f2edcf30bd46868d302836b55e976a3762cf6e30f5bf539b1b9b44f300e400fca68f79b6893ab936b8f49921823927c41f46b

      Download Submit
    • C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
      MD5

      6e6663ec26bed1a1b0e513aafddff490

      SHA1

      96b6a2c50e4662058799efee8278e1b2252f525b

      SHA256

      a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571

      SHA512

      dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af

      Download Submit
    • C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
      MD5

      6e6663ec26bed1a1b0e513aafddff490

      SHA1

      96b6a2c50e4662058799efee8278e1b2252f525b

      SHA256

      a7479ec985fd5c474ef5ee35110c61f10abf40e950f8673405c4f89777f28571

      SHA512

      dd6b62c08cdddc94750eb408c804e76c0e3c14196f18c419025f00958916d9e45fa2a537e15afc59dd291456507e4b61d472cb00e498f12af6936e434a4669af

      Download Submit
    • memory/204-146-0x0000000000000000-mapping.dmp
      Download
    • memory/1144-121-0x0000000000000000-mapping.dmp
      Download
    • memory/1492-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1828-120-0x0000000004C90000-0x000000000518E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1828-119-0x0000000004C90000-0x000000000518E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1828-118-0x0000000004D60000-0x0000000004D61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1828-128-0x0000000004C90000-0x000000000518E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1828-114-0x0000000000400000-0x0000000000401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1828-117-0x0000000004D70000-0x0000000004D71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1828-116-0x0000000005190000-0x0000000005191000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2080-142-0x0000000000000000-mapping.dmp
      Download
    • memory/2200-143-0x0000000000000000-mapping.dmp
      Download
    • memory/2264-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2708-136-0x00000187A8F20000-0x00000187A8F22000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2708-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2708-134-0x000001878E710000-0x000001878E711000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3176-138-0x0000000000000000-mapping.dmp
      Download
    • memory/3292-126-0x0000000000000000-mapping.dmp
      Download
    • memory/3292-145-0x0000000000000000-mapping.dmp
      Download
    • memory/3300-149-0x0000000000000000-mapping.dmp
      Download
    • memory/3312-140-0x0000000000000000-mapping.dmp
      Download
    • memory/3516-148-0x0000000000000000-mapping.dmp
      Download
    • memory/3560-163-0x00000205F2AB4000-0x00000205F2AB6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-159-0x00000205F2920000-0x00000205F2922000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-150-0x0000000000000000-mapping.dmp
      Download
    • memory/3560-167-0x00000205F2AB8000-0x00000205F2ABA000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-155-0x00000205F2AB0000-0x00000205F2AB2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-156-0x00000205F2220000-0x00000205F2226000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3560-157-0x00000205F2960000-0x00000205F2961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-158-0x00000205F29D0000-0x00000205F29D7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/3560-160-0x00000205F2930000-0x00000205F2932000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-166-0x00000205F2AB6000-0x00000205F2AB8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-162-0x00000205F2AB2000-0x00000205F2AB4000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-165-0x00000205F2980000-0x00000205F2981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-161-0x00000205F2940000-0x00000205F2942000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-164-0x00000205F2950000-0x00000205F2952000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3612-139-0x0000000000000000-mapping.dmp
      Download
    • memory/3764-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3972-130-0x0000000000000000-mapping.dmp
      Download