Analysis
- max time kernel: 289s
- max time network: 290s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 18:02
Static task: static1
Behavioral task: behavioral1 (sample dashdV.exe, resource win10v20210410)
Behavioral task: behavioral2 (sample dashdV.exe, resource win10v20210410)
General
- Target: dashdV.exe
- Size: 17.1MB
- MD5: 765f570a565d578f2ace3ccb41cef038
- SHA1: 89b44e3aa8f3c93f80ae29f7a36a9486b080229d
- SHA256: 0d7c515d3483b45d5725717070e8497435c39b3450af59194b2a32a33c2867e8
- SHA512: 941862a1d09e70725f9826b05dc8a8c7442add91229f39ac7ea9d4e6b8d0f751d749ac6b6ac2202290122945e14bab06516680a7007598af7cca62ac1b465898
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Processes:
resource | yara_rule
C:\ProgramData\aye.exe | Dark_crystal_rat
C:\ProgramData\aye.exe | Dark_crystal_rat
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Cortana.Core\\SearchUI.exe\", \"C:\\Program Files\\VideoLAN\\winlogon.exe\", \"C:\\odt\\sihost.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Cortana.Core\\SearchUI.exe\", \"C:\\Program Files\\VideoLAN\\winlogon.exe\", \"C:\\odt\\sihost.exe\", \"C:\\PerfLogs\\conhost.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Cortana.Core\\SearchUI.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Cortana.Core\\SearchUI.exe\", \"C:\\Program Files\\VideoLAN\\winlogon.exe\"" | netDhcpDriverruntimeCommon.exe
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | conhost.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
364 | aye.exe
1128 | netDhcpDriverruntimeCommon.exe
2220 | conhost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Cortana.Core\\SearchUI.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\VideoLAN\\winlogon.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\VideoLAN\\winlogon.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\odt\\sihost.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\odt\\sihost.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\PerfLogs\\conhost.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\PerfLogs\\conhost.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Cortana.Core\\SearchUI.exe\"" | netDhcpDriverruntimeCommon.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
27 | ip-api.com
29 | ipinfo.io
-
Drops file in System32 directory 7 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\D2RrWRv0Po.vbe | aye.exe
File created | C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259281421 | aye.exe
File created | C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat | aye.exe
File opened for modification | C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat | aye.exe
File created | C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe | aye.exe
File opened for modification | C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe | aye.exe
File created | C:\Windows\SysWOW64\D2RrWRv0Po.vbe | aye.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\VideoLAN\winlogon.exe | netDhcpDriverruntimeCommon.exe
File created | C:\Program Files\VideoLAN\cc11b995f2a76da408ea6a601e682e64743153ad | netDhcpDriverruntimeCommon.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core\SearchUI.exe | netDhcpDriverruntimeCommon.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core\SearchUI.exe | netDhcpDriverruntimeCommon.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core\dab4d89cac03ec27dbe47b361df763dc3f848f6c | netDhcpDriverruntimeCommon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1092 | schtasks.exe
3992 | schtasks.exe
3856 | schtasks.exe
364 | schtasks.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | aye.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | netDhcpDriverruntimeCommon.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
1128 | netDhcpDriverruntimeCommon.exe
2220 | conhost.exe
2220 | conhost.exe
2220 | conhost.exe
2220 | conhost.exe
2220 | conhost.exe
2220 | conhost.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1808 | dashdV.exe
Token: SeDebugPrivilege | 1128 | netDhcpDriverruntimeCommon.exe
Token: SeDebugPrivilege | 2220 | conhost.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description | pid | process | target process
PID 1808 wrote to memory of 364 | 1808 | dashdV.exe | aye.exe
PID 1808 wrote to memory of 364 | 1808 | dashdV.exe | aye.exe
PID 1808 wrote to memory of 364 | 1808 | dashdV.exe | aye.exe
PID 364 wrote to memory of 1740 | 364 | aye.exe | WScript.exe
PID 364 wrote to memory of 1740 | 364 | aye.exe | WScript.exe
PID 364 wrote to memory of 1740 | 364 | aye.exe | WScript.exe
PID 1740 wrote to memory of 4088 | 1740 | WScript.exe | cmd.exe
PID 1740 wrote to memory of 4088 | 1740 | WScript.exe | cmd.exe
PID 1740 wrote to memory of 4088 | 1740 | WScript.exe | cmd.exe
PID 4088 wrote to memory of 1128 | 4088 | cmd.exe | netDhcpDriverruntimeCommon.exe
PID 4088 wrote to memory of 1128 | 4088 | cmd.exe | netDhcpDriverruntimeCommon.exe
PID 1128 wrote to memory of 1092 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 1092 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 1092 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 3992 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 3992 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 3992 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 3856 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 3856 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 3856 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 364 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 364 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 364 | 1128 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 1128 wrote to memory of 2800 | 1128 | netDhcpDriverruntimeCommon.exe | cmd.exe
PID 1128 wrote to memory of 2800 | 1128 | netDhcpDriverruntimeCommon.exe | cmd.exe
PID 2800 wrote to memory of 1544 | 2800 | cmd.exe | chcp.com
PID 2800 wrote to memory of 1544 | 2800 | cmd.exe | chcp.com
PID 2800 wrote to memory of 2288 | 2800 | cmd.exe | PING.EXE
PID 2800 wrote to memory of 2288 | 2800 | cmd.exe | PING.EXE
PID 2800 wrote to memory of 2220 | 2800 | cmd.exe | conhost.exe
PID 2800 wrote to memory of 2220 | 2800 | cmd.exe | conhost.exe
Processes
-
Image (tree depth 1): C:\Users\Admin\AppData\Local\Temp\dashdV.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dashdV.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image (tree depth 2): C:\ProgramData\aye.exe
Command line: "C:\ProgramData\aye.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
Image (tree depth 3): C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\system32\D2RrWRv0Po.vbe"
- Suspicious use of WriteProcessMemory
-
Image (tree depth 4): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\kk946QGUYfip6zCEWvxdUIQltPP.bat" "
- Suspicious use of WriteProcessMemory
-
Image (tree depth 5): C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
Command line: "C:\Windows\system32\netDhcpDriverruntimeCommon.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image (tree depth 6): C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core\SearchUI.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
Image (tree depth 6): C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\winlogon.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
Image (tree depth 6): C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
Image (tree depth 6): C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\PerfLogs\conhost.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
Image (tree depth 6): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\heeRvRSQe3.bat"
- Suspicious use of WriteProcessMemory
-
Image (tree depth 7): C:\Windows\system32\chcp.com
Command line: chcp 65001
-
Image (tree depth 7): C:\Windows\system32\PING.EXE
Command line: ping -n 5 localhost
- Runs ping.exe
-
Image (tree depth 7): C:\PerfLogs\conhost.exe
Command line: "C:\PerfLogs\conhost.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files dropped during the run (one entry per unique path; hash digests omitted):
- C:\PerfLogs\conhost.exe
- C:\ProgramData\aye.exe
- C:\Users\Public\heeRvRSQe3.bat
- C:\Windows\SysWOW64\D2RrWRv0Po.vbe
- C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat
- C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe