Analysis
- max time kernel: 178s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 09-02-2022 03:36
Static task: static1
Behavioral task: behavioral1
- Sample: a77873bfea27896f94731478d64541a3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: a77873bfea27896f94731478d64541a3.exe
- Resource: win10v2004-en-20220112
General
- Target: a77873bfea27896f94731478d64541a3.exe
- Size: 873KB
- MD5: a77873bfea27896f94731478d64541a3
- SHA1: 9d9596b12d51e06dd1c509c3df0cb7432fb60156
- SHA256: 0c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e
- SHA512: 34c94a9e432bb0d4e2154ca80d2a42bb47e4a3ff29a5ecb9d24eb4db235a3dfb7e6c532edb05bcb4a1e299c4b040e39d2c0eeeac8593e7b0babcdaf834e49a0e
Malware Config
Signatures
-
DcRat 11 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: a77873bfea27896f94731478d64541a3.exe, schtasks.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\"" | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\MoUsoCoreWorker.exe | a77873bfea27896f94731478d64541a3.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\MoUsoCoreWorker.exe\"" | a77873bfea27896f94731478d64541a3.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PerfLogs\\fontdrvhost.exe\"" | a77873bfea27896f94731478d64541a3.exe
pid | process
- 3200 | schtasks.exe
- 3252 | schtasks.exe
- 2692 | schtasks.exe
- 3276 | schtasks.exe
- 916 | schtasks.exe
- 776 | schtasks.exe
- 3300 | schtasks.exe
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe
description | pid | pid_target | process
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3276 | 3652 | schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 916 | 3652 | schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3200 | 3652 | schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 3652 | schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3252 | 3652 | schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3300 | 3652 | schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 3652 | schtasks.exe
-
Executes dropped EXE 1 IoCs
Processes: MoUsoCoreWorker.exe
pid | process
- 1580 | MoUsoCoreWorker.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a77873bfea27896f94731478d64541a3.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | a77873bfea27896f94731478d64541a3.exe
-
Adds Run key to start application 2 TTPs 7 IoCs
Processes: a77873bfea27896f94731478d64541a3.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\mspatcha\\sihost.exe\"" | a77873bfea27896f94731478d64541a3.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\MoUsoCoreWorker.exe\"" | a77873bfea27896f94731478d64541a3.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\"" | a77873bfea27896f94731478d64541a3.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PerfLogs\\fontdrvhost.exe\"" | a77873bfea27896f94731478d64541a3.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\mfcore\\RuntimeBroker.exe\"" | a77873bfea27896f94731478d64541a3.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\MSPhotography\\lsass.exe\"" | a77873bfea27896f94731478d64541a3.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Windows\\System32\\BthpanContextHandler\\MoUsoCoreWorker.exe\"" | a77873bfea27896f94731478d64541a3.exe
-
Drops file in System32 directory 8 IoCs
Processes: a77873bfea27896f94731478d64541a3.exe
description | ioc | process
- File created | C:\Windows\System32\MSPhotography\lsass.exe | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Windows\System32\MSPhotography\6203df4a6bafc7 | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Windows\System32\BthpanContextHandler\MoUsoCoreWorker.exe | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Windows\System32\BthpanContextHandler\1f93f77a7f4778 | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Windows\System32\mspatcha\sihost.exe | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Windows\System32\mspatcha\66fc9ff0ee96c2 | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Windows\System32\mfcore\RuntimeBroker.exe | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Windows\System32\mfcore\9e8d7a4ca61bd9 | a77873bfea27896f94731478d64541a3.exe
-
Drops file in Program Files directory 3 IoCs
Processes: a77873bfea27896f94731478d64541a3.exe
description | ioc | process
- File created | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\MoUsoCoreWorker.exe | a77873bfea27896f94731478d64541a3.exe
- File opened for modification | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\MoUsoCoreWorker.exe | a77873bfea27896f94731478d64541a3.exe
- File created | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\1f93f77a7f4778 | a77873bfea27896f94731478d64541a3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
description | ioc | process
- Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
- 3276 | schtasks.exe
- 916 | schtasks.exe
- 3200 | schtasks.exe
- 776 | schtasks.exe
- 3252 | schtasks.exe
- 3300 | schtasks.exe
- 2692 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes: a77873bfea27896f94731478d64541a3.exe, MoUsoCoreWorker.exe
pid | process
- 984 | a77873bfea27896f94731478d64541a3.exe (7 events)
- 1580 | MoUsoCoreWorker.exe (4 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: a77873bfea27896f94731478d64541a3.exe, MoUsoCoreWorker.exe
description | pid | process
- Token: SeDebugPrivilege | 984 | a77873bfea27896f94731478d64541a3.exe
- Token: SeDebugPrivilege | 1580 | MoUsoCoreWorker.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: a77873bfea27896f94731478d64541a3.exe
description | pid | process | target process
- PID 984 wrote to memory of 1580 | 984 | a77873bfea27896f94731478d64541a3.exe | MoUsoCoreWorker.exe
- PID 984 wrote to memory of 1580 | 984 | a77873bfea27896f94731478d64541a3.exe | MoUsoCoreWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"
Depth: 1
- DcRat
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\MoUsoCoreWorker.exe
Command line: "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\MoUsoCoreWorker.exe"
Depth: 2
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\mfcore\RuntimeBroker.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\MSPhotography\lsass.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\System32\BthpanContextHandler\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\mspatcha\sihost.exe'" /rl HIGHEST /f
Depth: 1
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\MusNotifyIcon.exe
Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
Depth: 1
- Checks processor information in registry
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
Depth: 1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\MoUsoCoreWorker.exe
- MD5: a77873bfea27896f94731478d64541a3
- SHA1: 9d9596b12d51e06dd1c509c3df0cb7432fb60156
- SHA256: 0c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e
- SHA512: 34c94a9e432bb0d4e2154ca80d2a42bb47e4a3ff29a5ecb9d24eb4db235a3dfb7e6c532edb05bcb4a1e299c4b040e39d2c0eeeac8593e7b0babcdaf834e49a0e
-
memory/984-130-0x00007FFB34D53000-0x00007FFB34D55000-memory.dmp (Filesize: 8KB)
-
memory/984-131-0x00000000003A0000-0x0000000000482000-memory.dmp (Filesize: 904KB)
-
memory/984-132-0x0000000002440000-0x0000000002442000-memory.dmp (Filesize: 8KB)
-
memory/1580-135-0x00007FFB34D53000-0x00007FFB34D55000-memory.dmp (Filesize: 8KB)
-
memory/1580-136-0x000000001D090000-0x000000001D092000-memory.dmp (Filesize: 8KB)