Analysis
max time kernel: 37s
max time network: 42s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 23:19
Static task: static1
Behavioral task: behavioral1
  Sample: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
  Resource: win10v2004-20220414-en
General
Target: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
Size: 2.1MB
MD5: cd41c9fd80fc79506911ae3a97676eb6
SHA1: 8a53a31dabf4c6bc373d6d83b75723e1eae1a384
SHA256: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598
SHA512: 6d1657a837906d61d1a48fea8b1397bdbf638954981b4f519a4ba62ef27ba974467d886832d4b56ff09029193553bb21cc48af37c3111391734c0030e5cb443a
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
suricata: ET MALWARE DCRat Initial CnC Activity
-
Disables Task Manager via registry modification
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  592   fontwin.exe
-
Drops startup file (2 IoCs)
Processes:
  description                    ioc                                                                                      process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk   cmd.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk   cmd.exe
-
Loads dropped DLL (1 IoC)
Processes:
  pid    process
  1400   cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key (1 TTP, 1 IoC)
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  592   fontwin.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     592   fontwin.exe
-
Suspicious use of WriteProcessMemory (16 IoCs; each parent-to-child write below was logged four times)
Processes:
  source pid   source process                                                            target pid   target process
  1620         5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe     980          WScript.exe
  980          WScript.exe                                                               1400         cmd.exe
  1400         cmd.exe                                                                   592          fontwin.exe
  1400         cmd.exe                                                                   1900         reg.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\fontsvc\System.vbe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat" "
         - Drops startup file
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\fontsvc\fontwin.exe
            Command line: "C:\fontsvc\fontwin.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key

Note on the paths: the command lines ask for C:\Windows\System32\WScript.exe (and plain cmd / reg), but the images that actually ran live under C:\Windows\SysWOW64. That is WoW64 file-system redirection on the x64 guest, so the dropper and everything it spawned are 32-bit processes. The reg.exe write targets HKCU, so the Task Manager lockout applies only to the user who ran the sample.
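The chain above (script host running a .vbe from a freshly created top-level directory, cmd.exe running a .bat from the same directory, a .lnk written to the user's Startup folder, a dropped EXE launched by cmd.exe, and reg.exe setting DisableTaskMgr) is worth encoding as detection logic rather than as a list of hashes, since the hashes change per build and the behaviour does not. The block below is an added example and is not part of the sandbox report or of DcRat or Triage code. Its EVENTS list is constructed by hand to mirror the PIDs, images and command lines recorded above; the explorer.exe parent (pid 1000), the two benign control events, and the Sysmon-like field names are assumptions. It builds the process ancestry from ppid links so each alert carries the full chain, and it deliberately does not fire on a Microsoft script run from System32 or on explorer.exe writing a Startup shortcut.

```python
"""Behavioural detection for the dropper chain in this report, run over constructed events.

Added example, not the sandbox's or the malware's code. EVENTS mirrors the
report's process tree; the explorer.exe parent and the benign controls are
assumed. Field names loosely follow Sysmon but no real export is involved.
"""
import re

# One .vbe/.vbs/.js/.jse path anywhere in a command line (quotes optional).
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.(?:vbe|vbs|jse|js))', re.I)
BAT_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.(?:bat|cmd))', re.I)
# reg add ...\Policies\System /v DisableTaskMgr ... /d 1, in any argument order.
TASKMGR_RE = re.compile(r"Policies\\System\b.*\bDisableTaskMgr\b.*/d\s+1\b", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe"

# Constructed events modelled on the report. pid 1000 (explorer.exe) is an assumed parent.
EVENTS = [
    {"kind": "process", "pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 1620, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "process", "pid": 980, "ppid": 1620, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\fontsvc\System.vbe"'},
    {"kind": "process", "pid": 1400, "ppid": 980, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat" "'},
    {"kind": "file", "pid": 1400, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk"},
    {"kind": "process", "pid": 592, "ppid": 1400, "image": r"C:\fontsvc\fontwin.exe", "cmdline": r'"C:\fontsvc\fontwin.exe"'},
    {"kind": "process", "pid": 1900, "ppid": 1400, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    # Benign controls (assumed): a Microsoft script run from System32 and explorer.exe
    # pinning a Startup shortcut must not fire.
    {"kind": "process", "pid": 2100, "ppid": 1000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript C:\Windows\System32\slmgr.vbs /dlv"},
    {"kind": "file", "pid": 1000, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image basenames from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return one finding per rule hit, each carrying the full process chain."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings = []

    def hit(rule, ev, detail):
        findings.append({"rule": rule, "pid": ev["pid"], "detail": detail,
                         "chain": " > ".join(ancestry(procs, ev["pid"]))})

    for ev in events:
        name = basename(ev["image"])
        parent = procs.get(ev.get("ppid"))
        pname = basename(parent["image"]) if parent else ""
        if ev["kind"] == "process":
            cmd = ev["cmdline"]
            m = SCRIPT_RE.search(cmd)
            if (name in ("wscript.exe", "cscript.exe") and m
                    and not m.group(1).lower().startswith(SYSTEM_DIRS)):
                hit("script_host_runs_dropped_script", ev, m.group(1))
            m = BAT_RE.search(cmd)
            if name == "cmd.exe" and pname in ("wscript.exe", "cscript.exe") and m:
                hit("batch_spawned_by_script_host", ev, m.group(1))
            if name == "reg.exe" and TASKMGR_RE.search(cmd):
                hit("taskmgr_disabled_via_reg", ev, cmd)
            if pname == "cmd.exe" and not ev["image"].lower().startswith(SYSTEM_DIRS):
                hit("cmd_launches_non_system_exe", ev, ev["image"])
        elif ev["kind"] == "file" and STARTUP_RE.search(ev["target"]) and name != "explorer.exe":
            hit("startup_lnk_written_by_non_explorer", ev, ev["target"])
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}\n    chain: {f['chain']}")
```

Each rule on its own is noisy on a real fleet (admins do run .bat files from cmd); the value is in the ancestry string, which lets a triage analyst see wscript.exe > cmd.exe > fontwin.exe at a glance and lets a correlation rule require two or more hits sharing one chain before paging anyone.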
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\fontsvc\System.lnk
  Filesize: 369B
  MD5: 7fab07ce9c3a32f71732c3da94fd1678
  SHA1: 6b739bcc81717df1a430308cd41ddfb004d0e297
  SHA256: 1f12c98c6f711db8dcd14c18b89b84457cee87475c55c37d4ffbc0ba8050116c
  SHA512: 40a57e0f19e9c2f8be0885c2fd092afc5563adf58ecb29105481d34f591509e8e8c40b1fc6d9e2c083807b70f1827e55123a2066a44a5b434509fdecd415f0e2
-
C:\fontsvc\System.vbe
  Filesize: 366B
  MD5: 08d1b73b3ebafa4fdc59aad6855288c2
  SHA1: 74e059014c139a5071b7c51c0c2795dd891b674c
  SHA256: 367e82e5ad4d288f6b41076bed049f5ccb9f7279d439f19610a1fedc1268d252
  SHA512: e7a81648ab124d747b2a8333dfd9cbbf987fce4cc4744c9fda66a376d72211e983a22267d07f16a1cc3bf964a8e22254c8fcac8f8bacae17e628f96d3a6cbbcc
-
C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat
  Filesize: 833B
  MD5: 7f2fe99aa89ebaa4f4c0f008e7820434
  SHA1: 996fd0408f67ce90f39db8da574c19f8a7dbf894
  SHA256: 6e7fa0e1d108798d9a914e790cc0ffddefeff5d5161d1aab3da9b250eccf5121
  SHA512: ff71f66583de98dae1593cf584d0e9d459894c7709279d554cc65a105996b14d065f038f2b9211dda2883e938640101b5b8b5886e95f4b47a9b4b86ce47b74e9
-
C:\fontsvc\fontwin.exe
  Filesize: 2.2MB
  MD5: 409efdc11afb323a6e0225b66c4a0f93
  SHA1: 0fbe66e14b3921bc5d9263ff05c3f14610895856
  SHA256: 6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db
  SHA512: e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66
-
C:\fontsvc\vmcheck32.dll
  Filesize: 596B
  MD5: cc7bbc6a1d386fe2023c805e00865e8c
  SHA1: 906de1c94454d226a96fea1b2651884ba4dd0ee3
  SHA256: 19fb7a8d91f33b384891b965f94a119325c71c06336ededb042bf82088917232
  SHA512: acb5d30e730fe227c047d0f86e7c7445c3f540c5f768c0736bb846952719086a23acf91aa6ce9aabd82a907a6ce2ecb8accf6210befe46fac3ec4ab8fc4700d1
-
\fontsvc\fontwin.exe
  Filesize: 2.2MB
  MD5: 409efdc11afb323a6e0225b66c4a0f93
  SHA1: 0fbe66e14b3921bc5d9263ff05c3f14610895856
  SHA256: 6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db
  SHA512: e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66
-
memory/592-67-0x00000000002C0000-0x0000000000314000-memory.dmp (Filesize: 336KB)
-
memory/592-62-0x0000000000000000-mapping.dmp
-
memory/592-65-0x0000000001080000-0x00000000012B4000-memory.dmp (Filesize: 2.2MB)
-
memory/592-66-0x000000001B8C0000-0x000000001BC12000-memory.dmp (Filesize: 3.3MB)
-
memory/592-68-0x000000001AA40000-0x000000001AABC000-memory.dmp (Filesize: 496KB)
-
memory/592-69-0x000000001AB60000-0x000000001ABF0000-memory.dmp (Filesize: 576KB)
-
memory/592-70-0x00000000007B0000-0x00000000007C6000-memory.dmp (Filesize: 88KB)
-
memory/980-55-0x0000000000000000-mapping.dmp
-
memory/1400-59-0x0000000000000000-mapping.dmp
-
memory/1620-54-0x0000000075951000-0x0000000075953000-memory.dmp (Filesize: 8KB)
-
memory/1900-72-0x0000000000000000-mapping.dmp