Analysis
max time kernel: 116s
max time network: 155s
platform: windows10_x64
resource: win10v20210410
submitted: 15-06-2021 21:27
Static task: static1
Behavioral task: behavioral1 (Sample: 048AC151CE97E95A980399E849DAAE95.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: 048AC151CE97E95A980399E849DAAE95.exe, Resource: win10v20210410)
General
Target: 048AC151CE97E95A980399E849DAAE95.exe
Size: 428KB
MD5: 048ac151ce97e95a980399e849daae95
SHA1: 3a89733c03e49f7504f6731ee9f626dad52fb369
SHA256: f896c6618235d320b62e6662673830cbd21d7be057b356eef83aac8f21684b6f
SHA512: 2532c573dc938ff3401c15bd916312228a09a33a09b92723dcc979c499dbe9078812cc3a73428cc3dc9dd98edf8a0f61a15e3a399acd516a2fda02d4a95dd394
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
resource | yara_rule
behavioral2/files/0x000100000001ab57-122.dat | dcrat
behavioral2/files/0x000100000001ab57-123.dat | dcrat

Executes dropped EXE (1 IoCs)
pid | Process
3380 | dwm.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
11 | ipinfo.io
12 | ipinfo.io
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\System32\DataUsageHandlers\6cb0b6c459d5d3455a3da700e713f2e2529862ff | 048AC151CE97E95A980399E849DAAE95.exe
File created | C:\Windows\System32\KeywordDetectorMsftSidAdapter\winlogon.exe | 048AC151CE97E95A980399E849DAAE95.exe
File created | C:\Windows\System32\KeywordDetectorMsftSidAdapter\cc11b995f2a76da408ea6a601e682e64743153ad | 048AC151CE97E95A980399E849DAAE95.exe
File created | C:\Windows\System32\DataUsageHandlers\dwm.exe | 048AC151CE97E95A980399E849DAAE95.exe
File opened for modification | C:\Windows\System32\DataUsageHandlers\dwm.exe | 048AC151CE97E95A980399E849DAAE95.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2724 | schtasks.exe
188 | schtasks.exe
2496 | schtasks.exe
1512 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
3744 | 048AC151CE97E95A980399E849DAAE95.exe
3380 | dwm.exe
3380 | dwm.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3380 | dwm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3744 | 048AC151CE97E95A980399E849DAAE95.exe
Token: SeDebugPrivilege | 3380 | dwm.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 3744 wrote to memory of 188 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 78
PID 3744 wrote to memory of 188 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 78
PID 3744 wrote to memory of 2496 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 80
PID 3744 wrote to memory of 2496 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 80
PID 3744 wrote to memory of 1512 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 82
PID 3744 wrote to memory of 1512 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 82
PID 3744 wrote to memory of 2724 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 84
PID 3744 wrote to memory of 2724 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 84
PID 3744 wrote to memory of 3380 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 86
PID 3744 wrote to memory of 3380 | 3744 | 048AC151CE97E95A980399E849DAAE95.exe | 86
Processes

C:\Users\Admin\AppData\Local\Temp\048AC151CE97E95A980399E849DAAE95.exe (PID: 3744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\048AC151CE97E95A980399E849DAAE95.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe (PID: 188)
    Command line: "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\DataUsageHandlers\dwm.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\schtasks.exe (PID: 2496)
    Command line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\schtasks.exe (PID: 1512)
    Command line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\KeywordDetectorMsftSidAdapter\winlogon.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\schtasks.exe (PID: 2724)
    Command line: "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Windows\System32\DataUsageHandlers\dwm.exe (PID: 3380)
    Command line: "C:\Windows\System32\DataUsageHandlers\dwm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken