Analysis
Max time kernel: 130s
Max time network: 162s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 20-05-2022 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
  Resource: win10v2004-20220414-en
General
Target: 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
Size: 2.2MB
MD5: 7666f4f50e25b9c8af50a605b2292170
SHA1: adef3e910f165eb6071767c7b40fd7cf22452cbd
SHA256: 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941
SHA512: 6b433ffa42d30003fda168a4754dc4aabeef8309a308625816909d52587148650acb05b5ad73251113d4539f09aa2d015213623ace63aa020cd2841d93ebb988
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
suricata: ET MALWARE DCRat Initial CnC Activity

Disables Task Manager via registry modification

Executes dropped EXE (1 IoC)
Process: intosaves.exe (PID 820)

Drops startup file (2 IoCs)
Process: cmd.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

Loads dropped DLL (1 IoC)
Process: cmd.exe (PID 472)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry key (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: intosaves.exe (PID 820)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: intosaves.exe (PID 820), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (each relation was logged four times):
  PID 1868 (7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe) wrote to memory of PID 828 (WScript.exe)
  PID 828 (WScript.exe) wrote to memory of PID 472 (cmd.exe)
  PID 472 (cmd.exe) wrote to memory of PID 820 (intosaves.exe)
  PID 472 (cmd.exe) wrote to memory of PID 1596 (reg.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.vbe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dllmonitor\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat" "
         - Drops startup file
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key
Downloads
C:\Users\Admin\AppData\Local\Temp\dllmonitor\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat
  Filesize: 842B
  MD5: e4d4b17e3621218be34b7117f74ac948
  SHA1: 0c5b51c38c39fc565fec9877078ca95648aedef1
  SHA256: 9cfd87cfce8da1e7f75b4147add05e5e41e0aab96fae685a0cff07abc0a4742d
  SHA512: 6f60a51fb9d471330c5f937053bb50db49590e7f7aca97dfee785bd5fff737ece08723740ceb103ebb4eeba246eeec78a40900b74ff9f1a7978337094de724a1

C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.lnk
  Filesize: 1KB
  MD5: fd4fef8e6a2aab668b95f28aae7b6a36
  SHA1: a2b52ddc1cb22f3609a781621336df788ffad73b
  SHA256: bd1c7dbecf7f0255bb3f54acc34c86e74bd78120d0148a48a44804e862f490a7
  SHA512: 3d0f6f4cacd81d79f798a6ea12cdcabef290c4a1fa02ea6d7a8cad0baaf25c8d51452b63a1257dd29d8dcfe467144f5648a5837cb80a7f9564043b09bdef96e7

C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.vbe
  Filesize: 380B
  MD5: 5e414ecd3f6fb5aff033c2ebdbf760cf
  SHA1: 916bc9a94a7955e68c75961d43f62626d1babbe7
  SHA256: 40dcb2f375c5670213a1889913979165a3bd75db6c1552b6b029feb8c0036e34
  SHA512: 2b3f37abe6c5280143731e36a732feac7b2d566e7405ca8a2a1bdcd988698fd384aeffc0f2ff92b7c3e58cc294ecabddfb8bfab45b76c652b1e75012f690ec35

C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
  Filesize: 2.2MB
  MD5: 409efdc11afb323a6e0225b66c4a0f93
  SHA1: 0fbe66e14b3921bc5d9263ff05c3f14610895856
  SHA256: 6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db
  SHA512: e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

C:\Users\Admin\AppData\Local\Temp\dllmonitor\vmcheck32.dll
  Filesize: 512B
  MD5: f081890855292272e24956525ee2dc68
  SHA1: dcc25c30ad10f3e6b7aee39c2818f117387bf74f
  SHA256: 7c4c7518abe7b0c594823d0c23e364f224143f2f4e9592b60324a57be6763de9
  SHA512: ca8e9a1c30ec9954351930fe562a2e4ca89a9b423eca5704312dc5dd8db4d4787f22aaf83f983787cfaac2ab6313ac9a4de5809b3eab80f2b3d2082d71683971