Analysis
- max time kernel: 123s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-09-2021 14:21
Behavioral task: behavioral1
- Sample: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Resource: win10-en-20210920
General
- Target: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Size: 1.1MB
- MD5: ba5dc0fc7d1677527cf809bfca28e2b6
- SHA1: df8452d50e4fa2171379bfd499132a08dd725368
- SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
- SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Process spawned unexpected child process (4 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 760 | 1816 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 524 | 1816 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 472 | 1816 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 1816 | schtasks.exe |
- Processes:
  resource | yara_rule
  C:\Windows\System32\wlansec\dwm.exe | dcrat
  C:\Windows\System32\wlansec\dwm.exe | dcrat
- Executes dropped EXE (1 IoC)
  Processes: dwm.exe
  pid | process
  516 | dwm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba5dc0fc7d1677527cf809bfca28e2b6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .NET Framework 4.7.2 Setup_20210920_131035753\\ba5dc0fc7d1677527cf809bfca28e2b6.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\security\\database\\winlogon.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\wlansec\\dwm.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\wscinterop\\wininit.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Drops file in System32 directory (5 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  File created | C:\Windows\System32\wlansec\dwm.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File opened for modification | C:\Windows\System32\wlansec\dwm.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\wlansec\6cb0b6c459d5d3455a3da700e713f2e2529862ff | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\wscinterop\wininit.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\wscinterop\560854153607923c4c5f107085a7db67be01f252 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Drops file in Windows directory (2 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  File created | C:\Windows\security\database\winlogon.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\security\database\cc11b995f2a76da408ea6a601e682e64743153ad | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
  pid | process
  1592 | schtasks.exe
  760 | schtasks.exe
  524 | schtasks.exe
  472 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, dwm.exe
  pid | process
  1368 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  516 | dwm.exe
  516 | dwm.exe
  516 | dwm.exe
  516 | dwm.exe
  516 | dwm.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: dwm.exe
  pid | process
  516 | dwm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, dwm.exe
  description | pid | process
  Token: SeDebugPrivilege | 1368 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Token: SeDebugPrivilege | 516 | dwm.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, cmd.exe
  description | pid | process | target process
  PID 1368 wrote to memory of 608 | 1368 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | cmd.exe
  PID 1368 wrote to memory of 608 | 1368 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | cmd.exe
  PID 1368 wrote to memory of 608 | 1368 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | cmd.exe
  PID 608 wrote to memory of 1420 | 608 | cmd.exe | chcp.com
  PID 608 wrote to memory of 1420 | 608 | cmd.exe | chcp.com
  PID 608 wrote to memory of 1420 | 608 | cmd.exe | chcp.com
  PID 608 wrote to memory of 1168 | 608 | cmd.exe | w32tm.exe
  PID 608 wrote to memory of 1168 | 608 | cmd.exe | w32tm.exe
  PID 608 wrote to memory of 1168 | 608 | cmd.exe | w32tm.exe
  PID 608 wrote to memory of 516 | 608 | cmd.exe | dwm.exe
  PID 608 wrote to memory of 516 | 608 | cmd.exe | dwm.exe
  PID 608 wrote to memory of 516 | 608 | cmd.exe | dwm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FkCsdQ3XkE.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
    - C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Windows\System32\wlansec\dwm.exe
      Command line: "C:\Windows\System32\wlansec\dwm.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\wlansec\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\wscinterop\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ba5dc0fc7d1677527cf809bfca28e2b6" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20210920_131035753\ba5dc0fc7d1677527cf809bfca28e2b6.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\database\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FkCsdQ3XkE.bat
  MD5: d090e0112b4f82dd11302da5bf8cf386
  SHA1: db2cb40b7438fd7287516c0772c00d91d47f1c45
  SHA256: b3c919a97a5092d3eab36cb605f127e2e40fc2c6730828586250a9a696bcfe04
  SHA512: 75fac78146a388a71ffd9e69a3d1e49deca9c6948feb0c2b0be6cb2fa001df7d76910144d23d0652c3ef982dab0a97cfb4285b6665a082b07e21df62d45665ee
- C:\Windows\System32\wlansec\dwm.exe
  MD5: ba5dc0fc7d1677527cf809bfca28e2b6
  SHA1: df8452d50e4fa2171379bfd499132a08dd725368
  SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
  SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
- memory/516-62-0x0000000000000000-mapping.dmp
- memory/516-64-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (Filesize: 4KB)
- memory/516-66-0x000000001B0F0000-0x000000001B0F2000-memory.dmp (Filesize: 8KB)
- memory/608-57-0x0000000000000000-mapping.dmp
- memory/1168-60-0x0000000000000000-mapping.dmp
- memory/1368-54-0x0000000000060000-0x0000000000061000-memory.dmp (Filesize: 4KB)
- memory/1368-56-0x000000001AE20000-0x000000001AE22000-memory.dmp (Filesize: 8KB)
- memory/1420-59-0x0000000000000000-mapping.dmp