Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 14:21

Behavioral task: behavioral1
- Sample: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Resource: win10-en-20210920
General
- Target: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Size: 1.1MB
- MD5: ba5dc0fc7d1677527cf809bfca28e2b6
- SHA1: df8452d50e4fa2171379bfd499132a08dd725368
- SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
- SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Process spawned unexpected child process (9 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe (9 instances)
  description (all rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid | pid_target | process
  2720 | 2636 | schtasks.exe
  3648 | 2636 | schtasks.exe
  1912 | 2636 | schtasks.exe
  4076 | 2636 | schtasks.exe
  3508 | 2636 | schtasks.exe
  2252 | 2636 | schtasks.exe
  3592 | 2636 | schtasks.exe
  868 | 2636 | schtasks.exe
  1348 | 2636 | schtasks.exe
-
  Processes:
  resource | yara_rule
  C:\Windows\System32\themeui\dllhost.exe | dcrat
  C:\Windows\System32\themeui\dllhost.exe | dcrat
- Executes dropped EXE (1 IoCs)
  Processes: dllhost.exe
  pid | process
  1444 | dllhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 9 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\winhlp32\\explorer.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\wininit.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\resources\\ShellExperienceHost.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\fsutilext\\winlogon.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\Wldap32\\winlogon.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\taskkill\\RuntimeBroker.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Pictures\\Camera Roll\\spoolsv.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\System32\\UevTemplateBaselineGenerator\\audiodg.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\themeui\\dllhost.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Drops file in System32 directory (10 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  File created | C:\Windows\System32\UevTemplateBaselineGenerator\audiodg.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\fsutilext\winlogon.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\fsutilext\cc11b995f2a76da408ea6a601e682e64743153ad | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\Wldap32\winlogon.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\Wldap32\cc11b995f2a76da408ea6a601e682e64743153ad | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\taskkill\RuntimeBroker.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\taskkill\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\UevTemplateBaselineGenerator\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\themeui\dllhost.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\themeui\5940a34987c99120d96dace90a3f93f329dcad63 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Program Files (x86)\Windows Defender\ja-JP\560854153607923c4c5f107085a7db67be01f252 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Drops file in Windows directory (4 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\f8c8f1285d826bc63910aaf97db97186ba642b4f | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\winhlp32\explorer.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\winhlp32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 9 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (9 instances)
  pid | process
  3648 | schtasks.exe
  4076 | schtasks.exe
  3508 | schtasks.exe
  2252 | schtasks.exe
  3592 | schtasks.exe
  868 | schtasks.exe
  2720 | schtasks.exe
  1348 | schtasks.exe
  1912 | schtasks.exe
- Modifies registry class (1 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, dllhost.exe
  pid | process
  2116 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  2116 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  2116 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  1444 | dllhost.exe
  1444 | dllhost.exe
  1444 | dllhost.exe
  1444 | dllhost.exe
  1444 | dllhost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: dllhost.exe
  pid | process
  1444 | dllhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, dllhost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2116 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Token: SeDebugPrivilege | 1444 | dllhost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: ba5dc0fc7d1677527cf809bfca28e2b6.exe, cmd.exe
  description | pid | process | target process
  PID 2116 wrote to memory of 1052 | 2116 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | cmd.exe
  PID 2116 wrote to memory of 1052 | 2116 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | cmd.exe
  PID 1052 wrote to memory of 3140 | 1052 | cmd.exe | chcp.com
  PID 1052 wrote to memory of 3140 | 1052 | cmd.exe | chcp.com
  PID 1052 wrote to memory of 2228 | 1052 | cmd.exe | w32tm.exe
  PID 1052 wrote to memory of 2228 | 1052 | cmd.exe | w32tm.exe
  PID 1052 wrote to memory of 1444 | 1052 | cmd.exe | dllhost.exe
  PID 1052 wrote to memory of 1444 | 1052 | cmd.exe | dllhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NeLwPw5PoC.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
    - C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Windows\System32\themeui\dllhost.exe
      Command line: "C:\Windows\System32\themeui\dllhost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\winhlp32\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\UevTemplateBaselineGenerator\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\themeui\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\fsutilext\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\Wldap32\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\taskkill\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\NeLwPw5PoC.bat
  MD5: c565f88a40c0c61483364d423391e88a
  SHA1: 4453ed5f5db129a6638c69b8cdbfcf9af5526776
  SHA256: 309989d4af3201f41a0e3af1811a6971a1dbd52f96cf6a5d4e4461e59fc1db65
  SHA512: 3a258d235ca92b45030f9a6c44cf13a70a8b5014c8f0bc62052a6427d4b11cd5954aaeb6e73107e556f6be08f9a8582ec339e167572f70e0a1fe2885cd15eb61
- C:\Windows\System32\themeui\dllhost.exe
  MD5: ba5dc0fc7d1677527cf809bfca28e2b6
  SHA1: df8452d50e4fa2171379bfd499132a08dd725368
  SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
  SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
- memory/1052-118-0x0000000000000000-mapping.dmp
- memory/1444-122-0x0000000000000000-mapping.dmp
- memory/1444-127-0x0000000000DE0000-0x0000000000DE2000-memory.dmp (Filesize: 8KB)
- memory/2116-115-0x0000000000CF0000-0x0000000000CF1000-memory.dmp (Filesize: 4KB)
- memory/2116-117-0x000000001BB10000-0x000000001BB12000-memory.dmp (Filesize: 8KB)
- memory/2228-121-0x0000000000000000-mapping.dmp
- memory/3140-120-0x0000000000000000-mapping.dmp