Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 13-05-2022 21:31

Static task: static1
Behavioral task: behavioral1
  Sample: 245ed2db66c841556f3d7b52ab251030.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 245ed2db66c841556f3d7b52ab251030.exe
  Resource: win10v2004-20220414-en
General
- Target: 245ed2db66c841556f3d7b52ab251030.exe
- Size: 1.2MB
- MD5: 245ed2db66c841556f3d7b52ab251030
- SHA1: 8f12f472db36bf57ac7f2a02f21549d1559c672c
- SHA256: f698f53c372a26a4ab1ecd516064546fcd24da106293786c04e638de3582b2cd
- SHA512: 6d5cdac70c9f090d472d4baa378c87d0bc7b582606f2767938b011401bfa6822cd7159c62ff58369c2d2c017654624a49134687879229f42673e4a785f47a0d6
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) RAT is a .NET RAT active since June 2019 that can load additional plugins.
- suricata: ET MALWARE DCRAT Activity (GET)
  Processes (yara):
  resource             yara_rule
  C:\chainreview\.exe  dcrat
  C:\chainreview\.exe  dcrat
- Executes dropped EXE (1 IoC)
  pid   process
  1788  .exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  245ed2db66c841556f3d7b52ab251030.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; that is a heuristic for the signature itself, not evidence specific to this sample, which the other signatures here classify as a RAT.
- Modifies registry class (1 IoC)
  description  ioc                                                                               process
  Key created  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings  245ed2db66c841556f3d7b52ab251030.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   process
  1788  .exe  (9 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1788  .exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1788  .exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process                               target process
  PID 1708 wrote to memory of 1572  1708  245ed2db66c841556f3d7b52ab251030.exe  WScript.exe  (3 events)
  PID 1572 wrote to memory of 2488  1572  WScript.exe                           cmd.exe      (3 events)
  PID 2488 wrote to memory of 1788  2488  cmd.exe                               .exe         (2 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\245ed2db66c841556f3d7b52ab251030.exe (PID 1708)
   Command line: "C:\Users\Admin\AppData\Local\Temp\245ed2db66c841556f3d7b52ab251030.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 1572)
      Command line: "C:\Windows\System32\WScript.exe" "C:\chainreview\TMWNv3mE2TIbawdkFU0NZqVs.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2488)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\chainreview\hVeVLdt7YgrTd9f5EBWZj5Lf.bat" "
         - Suspicious use of WriteProcessMemory
         4. C:\chainreview\.exe (PID 1788)
            Command line: "C:\chainreview\.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken

Two details of this chain are worth noting when writing detections. The command lines name System32 but the image paths are under SysWOW64: the 32-bit dropper is subject to WoW64 file system redirection, so a rule keyed on the image path must expect the SysWOW64 copies of WScript.exe and cmd.exe. The final payload is written to a non-standard root-level directory with an empty file stem (literally C:\chainreview\.exe), which is itself a distinctive hunting indicator independent of the hashes below.
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 828KB
  MD5: c95eaf6c0946234a5ae4d8cc18fabb01
  SHA1: 19d9507d5c6bc789f9ff0c27a6da4c7d415d3157
  SHA256: f088eb6b6fc42f625c0d93872779819cddf1dea74eb8e87ad6c607912075c4c7
  SHA512: 8216ed40179963cd7ff766f4d62fdf525f1c89ed0e944f73f3dbf603ff929c734b79bc6f730979191b5d92e229ef15e9ab6e6b24ef4ad3b1ad86f57ca91388f0
- Filesize: 212B
  MD5: c754e26593c070e05dbb6ca50b277202
  SHA1: 55c260c08200e12bd2cff1cd1367a86aa75b70a4
  SHA256: 7ec888e0d565acff5594b6fad96e6c39e35fba928837ec2ca7c31669ef09dade
  SHA512: 4c87df6a307222d90794425c314bf66d78cdef84a7f9ba54c47dc19eb59ee89fde53b5d9d9908fb4e9b26b58eb8b1cb2c2d5a5b37aa04f851bf1116297d8952d
- Filesize: 21B
  MD5: 4b2d709c097bcecdacf548330a0f2704
  SHA1: d2adee306617f4846b31727e1c03289d425fa8bb
  SHA256: b4c73df97e2777d089313540a743479457b2098566588ce2ba541bb48c4a3c4b
  SHA512: 3043fc7b83d03788f5af852009571fe617e568514e3fcbd1f400e0f354fb0697257e540a708d049b7ab8e970588ec5d01d3e4a7fc444cd7eddaeddcc9e68c331