Analysis
max time kernel: 158s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 22:48
Static task: static1
Behavioral task: behavioral1
Sample: 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
Resource: win10v2004-20220414-en
General
Target: 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
Size: 2.2MB
MD5: 7666f4f50e25b9c8af50a605b2292170
SHA1: adef3e910f165eb6071767c7b40fd7cf22452cbd
SHA256: 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941
SHA512: 6b433ffa42d30003fda168a4754dc4aabeef8309a308625816909d52587148650acb05b5ad73251113d4539f09aa2d015213623ace63aa020cd2841d93ebb988
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
suricata: ET MALWARE DCRat Initial CnC Activity
-
Disables Task Manager via registry modification
-
Executes dropped EXE (1 IoC)
Process: intosaves.exe (PID 4344)
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation, by 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation, by WScript.exe
-
Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk, by cmd.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk, by cmd.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but no IoC is listed for it and nothing else in this report (a DcRat infection) shows file encryption, so treat it as a weak indicator on its own.
-
Program crash (1 IoC)
WerFault.exe (PID 4208) handled a crash of intosaves.exe (PID 4344).
-
Modifies registry class (1 IoC)
Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings, by 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
-
Modifies registry key (1 TTP, 1 IoC)
No detail is listed here; the matching event is the reg.exe command under Processes that sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1.
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: intosaves.exe (PID 4344)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
intosaves.exe (PID 4344) enabled SeDebugPrivilege.
-
Suspicious use of WriteProcessMemory (11 IoCs)
PID 1660 (7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe) wrote to memory of PID 3256 (WScript.exe), 3 times
PID 3256 (WScript.exe) wrote to memory of PID 2704 (cmd.exe), 3 times
PID 2704 (cmd.exe) wrote to memory of PID 4344 (intosaves.exe), 2 times
PID 2704 (cmd.exe) wrote to memory of PID 612 (reg.exe), 3 times
Every write goes from a parent to a child it spawned, matching the process tree below, so this signature records process creation rather than injection into an unrelated process.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe (PID 1660)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 3256)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2704)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dllmonitor\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat" "
         - Drops startup file
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe (PID 4344)
            Command line: "C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\system32\WerFault.exe
               Command line: C:\Windows\system32\WerFault.exe -u -p 4344 -s 1608
               - Program crash
         4. C:\Windows\SysWOW64\reg.exe (PID 612)
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key
1. C:\Windows\system32\WerFault.exe
   Command line: C:\Windows\system32\WerFault.exe -pss -s 444 -p 4344 -ip 4344
The leading number is the nesting depth in the process tree; PIDs come from the WriteProcessMemory and Program crash signatures above. WScript.exe, cmd.exe and reg.exe run from SysWOW64 even though their command lines name System32: the submitted sample is a 32-bit process, so WOW64 file-system redirection applies to the children it launches.
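The chain shown in the signatures and the process tree (sample launches WScript.exe on System.vbe, which launches cmd.exe on the .bat, which launches intosaves.exe and a reg.exe that sets DisableTaskMgr; cmd.exe drops System.lnk into the Startup folder; the sample and WScript.exe query Geo\Nation) expressed as detection logic over event records. This is an added example, not code from the sandbox or from this report: the event records are constructed to mirror the report, the record schema (event, pid, ppid, image, cmdline, path, key) and the rule names are assumptions rather than any real Sysmon or EDR format, and the explorer.exe records are a constructed benign control for the startup rule.

```python
"""Detection logic for the dropper chain in this report (added example).

Not the sandbox's rules: the events below are constructed to mirror the
report's process tree, Startup .lnk drop and Geo\\Nation registry query, and
the record schema is an assumption, not a real Sysmon/EDR format.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe"
DROP_DIR = r"C:\Users\Admin\AppData\Local\Temp\dllmonitor"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation"

# Constructed events; PIDs and command lines follow the report's process tree.
EVENTS = [
    {"event": "process", "pid": 1660, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "reg_query", "pid": 1660, "key": GEO_KEY},
    {"event": "process", "pid": 3256, "ppid": 1660, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": rf'"C:\Windows\System32\WScript.exe" "{DROP_DIR}\System.vbe"'},
    {"event": "reg_query", "pid": 3256, "key": GEO_KEY},
    {"event": "process", "pid": 2704, "ppid": 3256, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'C:\Windows\system32\cmd.exe /c ""{DROP_DIR}\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat" "'},
    {"event": "file_create", "pid": 2704,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk"},
    {"event": "process", "pid": 4344, "ppid": 2704, "image": rf"{DROP_DIR}\intosaves.exe",
     "cmdline": rf'"{DROP_DIR}\intosaves.exe"'},
    {"event": "process", "pid": 612, "ppid": 2704, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    # Benign control (constructed): the shell pinning a shortcut must not fire the startup rule.
    {"event": "process", "pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "file_create", "pid": 900,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.lnk"},
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DISABLE_TASKMGR = re.compile(r"policies\\system\b.*\bdisabletaskmgr\b.*/d\s+1\b", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {rule_name: [pid, ...]} for every record that matches a rule."""
    procs = {e["pid"]: e for e in events if e["event"] == "process"}

    def lineage(pid):
        # Walk pid -> parent -> ... over the processes we have records for.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            yield procs[pid]
            pid = procs[pid]["ppid"]

    def from_user_writable(pid):
        return any(USER_WRITABLE.search(p["image"]) for p in lineage(pid))

    hits = defaultdict(list)
    for e in events:
        pid = e["pid"]
        image = procs.get(pid, {}).get("image", "")
        if e["event"] == "process":
            # reg.exe switching on the DisableTaskMgr policy ("Disables Task Manager").
            if basename(image) == "reg.exe" and DISABLE_TASKMGR.search(e["cmdline"]):
                hits["disable_taskmgr"].append(pid)
            # Executable in a user-writable directory, parent is cmd.exe, and a
            # script host sits further up the chain: sample -> WScript -> cmd -> exe.
            if USER_WRITABLE.search(image):
                chain = [basename(p["image"]) for p in lineage(e["ppid"])]
                if chain[:1] == ["cmd.exe"] and SCRIPT_HOSTS & set(chain):
                    hits["script_host_dropper_chain"].append(pid)
        elif e["event"] == "file_create":
            # Shortcut dropped into the per-user Startup folder by anything but the shell.
            if STARTUP_DIR.search(e["path"]) and basename(image) != "explorer.exe":
                hits["startup_lnk_drop"].append(pid)
        elif e["event"] == "reg_query":
            # Geofence lookup by a process living in, or descended from, a temp/roaming dir.
            if GEO_NATION.search(e["key"]) and from_user_writable(pid):
                hits["geo_nation_lookup"].append(pid)
    return dict(hits)


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule}: PIDs {pids}")
```

The lineage walk is what makes the Geo\Nation rule fire for WScript.exe as well as for the sample: the script host itself is a signed Windows binary, but its parent lives in Temp. Tune USER_WRITABLE and the explorer.exe exclusion to your environment; both are the obvious places a real deployment would see noise.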
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dllmonitor\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat
Filesize: 842B
MD5: e4d4b17e3621218be34b7117f74ac948
SHA1: 0c5b51c38c39fc565fec9877078ca95648aedef1
SHA256: 9cfd87cfce8da1e7f75b4147add05e5e41e0aab96fae685a0cff07abc0a4742d
SHA512: 6f60a51fb9d471330c5f937053bb50db49590e7f7aca97dfee785bd5fff737ece08723740ceb103ebb4eeba246eeec78a40900b74ff9f1a7978337094de724a1
-
C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.lnk
Filesize: 1KB
MD5: bbd0c424031b28684049cf8de579bd2c
SHA1: 94c8a9e70ee2504b8e2abe04fe2cbeaefb821577
SHA256: c29975fd7653b65a656fc93d6ae211f44d7aa7adf22c972d2cdc8748ba9a55d4
SHA512: 99dccf0d39a332e6f4fd509205c610601b54ced8c024a477c9336f0050e7d7af40d0d65fd27f57e18904e5287089a177e41c954543ed872be534bc2c6da38341
-
C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.vbe
Filesize: 380B
MD5: 5e414ecd3f6fb5aff033c2ebdbf760cf
SHA1: 916bc9a94a7955e68c75961d43f62626d1babbe7
SHA256: 40dcb2f375c5670213a1889913979165a3bd75db6c1552b6b029feb8c0036e34
SHA512: 2b3f37abe6c5280143731e36a732feac7b2d566e7405ca8a2a1bdcd988698fd384aeffc0f2ff92b7c3e58cc294ecabddfb8bfab45b76c652b1e75012f690ec35
-
C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
Filesize: 2.2MB
MD5: 409efdc11afb323a6e0225b66c4a0f93
SHA1: 0fbe66e14b3921bc5d9263ff05c3f14610895856
SHA256: 6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db
SHA512: e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66
-
C:\Users\Admin\AppData\Local\Temp\dllmonitor\vmcheck32.dll
Filesize: 512B
MD5: f081890855292272e24956525ee2dc68
SHA1: dcc25c30ad10f3e6b7aee39c2818f117387bf74f
SHA256: 7c4c7518abe7b0c594823d0c23e364f224143f2f4e9592b60324a57be6763de9
SHA512: ca8e9a1c30ec9954351930fe562a2e4ca89a9b423eca5704312dc5dd8db4d4787f22aaf83f983787cfaac2ab6313ac9a4de5809b3eab80f2b3d2082d71683971
-
memory/612-141-0x0000000000000000-mapping.dmp
-
memory/2704-133-0x0000000000000000-mapping.dmp
-
memory/3256-130-0x0000000000000000-mapping.dmp
-
memory/4344-135-0x0000000000000000-mapping.dmp
-
memory/4344-138-0x00000201188D0000-0x0000020118B04000-memory.dmp
Filesize: 2.2MB
-
memory/4344-139-0x00007FF8A1EB0000-0x00007FF8A2971000-memory.dmp
Filesize: 10.8MB
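The Downloads section gives exact sizes and hashes for the dropped files. One thing to carry into a hunt: intosaves.exe is the same size as the submitted sample (2.2MB) but has different hashes, so IOCs taken from the parent will not match the dropped copy. The following is an added example, not the sandbox's or the report's code: it transcribes the table above into a hunt over a directory tree, hashes only files whose name or exact byte size matches a known IOC, and separates a hash hit from a name-only hit (same filename, different bytes, which is what a rebuilt payload looks like). The directory layout, the placeholder files and the constructed_payload.bin IOC in demo() are constructed for the demonstration and deliberately do not match the report's digests.

```python
"""Hunt a directory tree for the files this report lists under Downloads (added example).

Not the sandbox's code: the IOC table is transcribed from the report; the hunt
and demo logic are this example's own, and the files demo() writes are
constructed placeholders whose digests do not equal the report's.
"""
import hashlib
import tempfile
from pathlib import Path

# Transcribed from the report. Sizes are exact only where the report gives bytes;
# the "1KB"/"2.2MB" entries carry size=None and match by name or hash alone.
REPORT_IOCS = [
    {"name": "SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat", "size": 842,
     "md5": "e4d4b17e3621218be34b7117f74ac948",
     "sha256": "9cfd87cfce8da1e7f75b4147add05e5e41e0aab96fae685a0cff07abc0a4742d"},
    {"name": "System.lnk", "size": None,
     "md5": "bbd0c424031b28684049cf8de579bd2c",
     "sha256": "c29975fd7653b65a656fc93d6ae211f44d7aa7adf22c972d2cdc8748ba9a55d4"},
    {"name": "System.vbe", "size": 380,
     "md5": "5e414ecd3f6fb5aff033c2ebdbf760cf",
     "sha256": "40dcb2f375c5670213a1889913979165a3bd75db6c1552b6b029feb8c0036e34"},
    {"name": "intosaves.exe", "size": None,
     "md5": "409efdc11afb323a6e0225b66c4a0f93",
     "sha256": "6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db"},
    {"name": "vmcheck32.dll", "size": 512,
     "md5": "f081890855292272e24956525ee2dc68",
     "sha256": "7c4c7518abe7b0c594823d0c23e364f224143f2f4e9592b60324a57be6763de9"},
]


def make_ioc(name, data):
    """IOC entry for known bytes (used only for the constructed file in demo())."""
    return {"name": name, "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def digests(path, chunk=1 << 20):
    """MD5 and SHA-256 of a file, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def hunt(root, iocs):
    """Return [(path, ioc_name, kind)] with kind in {"hash", "md5-only", "name-only"}."""
    by_name = {i["name"].lower(): i for i in iocs}
    by_sha256 = {i["sha256"]: i for i in iocs}
    by_md5 = {i["md5"]: i for i in iocs}
    known_sizes = {i["size"] for i in iocs if i["size"] is not None}
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        named = by_name.get(p.name.lower())
        # Hash only files that match a known name or exact size; a full-disk
        # hunt would otherwise hash everything.
        if named is None and p.stat().st_size not in known_sizes:
            continue
        md5, sha256 = digests(p)
        if sha256 in by_sha256:
            findings.append((str(p), by_sha256[sha256]["name"], "hash"))
        elif md5 in by_md5:
            findings.append((str(p), by_md5[md5]["name"], "md5-only"))  # verify by hand: MD5 alone is weak
        elif named is not None:
            # Same name, different bytes: a rebuilt payload keeps the name while every hash changes.
            findings.append((str(p), named["name"], "name-only"))
    return findings


def demo():
    """Run hunt() over constructed files; returns sorted (basename, ioc_name, kind) tuples."""
    payload = b"constructed payload bytes, not the real dropper\n" * 8
    with tempfile.TemporaryDirectory() as root:
        d = Path(root, "dllmonitor")
        d.mkdir()
        (d / "System.vbe").write_bytes(b"' constructed placeholder, not the real script\r\n")
        (d / "notes.txt").write_bytes(b"x" * 380)  # same size as System.vbe, unrelated content
        (d / "constructed_payload.bin").write_bytes(payload)
        iocs = REPORT_IOCS + [make_ioc("constructed_payload.bin", payload)]
        return sorted((Path(p).name, name, kind) for p, name, kind in hunt(root, iocs))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

notes.txt is hashed because its size equals System.vbe's 380 bytes, but produces no finding; the placeholder System.vbe is reported name-only, which is the signal to pull the file and compare it against the report's script rather than dismiss it.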