Analysis
- max time kernel: 91s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:19
Static task: static1
Behavioral task: behavioral1
  Sample: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
  Resource: win10v2004-20220414-en
General
- Target: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
- Size: 2.1MB
- MD5: cd41c9fd80fc79506911ae3a97676eb6
- SHA1: 8a53a31dabf4c6bc373d6d83b75723e1eae1a384
- SHA256: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598
- SHA512: 6d1657a837906d61d1a48fea8b1397bdbf638954981b4f519a4ba62ef27ba974467d886832d4b56ff09029193553bb21cc48af37c3111391734c0030e5cb443a
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- suricata: ET MALWARE DCRat Initial CnC Activity
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoCs)
  Processes: fontwin.exe
    pid | process
    3424 | fontwin.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe, WScript.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | WScript.exe
- Drops startup file (2 IoCs)
  Processes: cmd.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | cmd.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    3956 | 3424 | WerFault.exe | fontwin.exe
- Modifies registry class (1 IoCs)
  Processes: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: fontwin.exe
    pid | process
    3424 | fontwin.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: fontwin.exe
    description | pid | process
    Token: SeDebugPrivilege | 3424 | fontwin.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe, WScript.exe, cmd.exe
    description | pid | process | target process
    PID 1996 wrote to memory of 444 | 1996 | 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe | WScript.exe
    PID 1996 wrote to memory of 444 | 1996 | 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe | WScript.exe
    PID 1996 wrote to memory of 444 | 1996 | 5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe | WScript.exe
    PID 444 wrote to memory of 2580 | 444 | WScript.exe | cmd.exe
    PID 444 wrote to memory of 2580 | 444 | WScript.exe | cmd.exe
    PID 444 wrote to memory of 2580 | 444 | WScript.exe | cmd.exe
    PID 2580 wrote to memory of 3424 | 2580 | cmd.exe | fontwin.exe
    PID 2580 wrote to memory of 3424 | 2580 | cmd.exe | fontwin.exe
    PID 2580 wrote to memory of 3524 | 2580 | cmd.exe | reg.exe
    PID 2580 wrote to memory of 3524 | 2580 | cmd.exe | reg.exe
    PID 2580 wrote to memory of 3524 | 2580 | cmd.exe | reg.exe
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\fontsvc\System.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat" "
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      - C:\fontsvc\fontwin.exe
        Command line: "C:\fontsvc\fontwin.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 3424 -s 1604
          - Program crash
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 468 -p 3424 -ip 3424
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\fontsvc\System.lnk
  Filesize: 337B
  MD5: 7a3332f58f216e5af60285829fed062e
  SHA1: 6c44878aaf762640d5734b17511bd863cc77489a
  SHA256: cbc53cd132e90ce7e1723394a3784b0e4796f6294ad57ef801467cd73b009d77
  SHA512: 5152543f5747446bdff9a1c51a2f5ca5d30cb0817eae918eaa01c2393aef93a43f8fad08766873c978a64c396a764a297057ed91116b018881e03331704b01f1
- C:\fontsvc\System.vbe
  Filesize: 366B
  MD5: 08d1b73b3ebafa4fdc59aad6855288c2
  SHA1: 74e059014c139a5071b7c51c0c2795dd891b674c
  SHA256: 367e82e5ad4d288f6b41076bed049f5ccb9f7279d439f19610a1fedc1268d252
  SHA512: e7a81648ab124d747b2a8333dfd9cbbf987fce4cc4744c9fda66a376d72211e983a22267d07f16a1cc3bf964a8e22254c8fcac8f8bacae17e628f96d3a6cbbcc
- C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat
  Filesize: 833B
  MD5: 7f2fe99aa89ebaa4f4c0f008e7820434
  SHA1: 996fd0408f67ce90f39db8da574c19f8a7dbf894
  SHA256: 6e7fa0e1d108798d9a914e790cc0ffddefeff5d5161d1aab3da9b250eccf5121
  SHA512: ff71f66583de98dae1593cf584d0e9d459894c7709279d554cc65a105996b14d065f038f2b9211dda2883e938640101b5b8b5886e95f4b47a9b4b86ce47b74e9
- C:\fontsvc\fontwin.exe
  Filesize: 2.2MB
  MD5: 409efdc11afb323a6e0225b66c4a0f93
  SHA1: 0fbe66e14b3921bc5d9263ff05c3f14610895856
  SHA256: 6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db
  SHA512: e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66
- C:\fontsvc\vmcheck32.dll
  Filesize: 596B
  MD5: cc7bbc6a1d386fe2023c805e00865e8c
  SHA1: 906de1c94454d226a96fea1b2651884ba4dd0ee3
  SHA256: 19fb7a8d91f33b384891b965f94a119325c71c06336ededb042bf82088917232
  SHA512: acb5d30e730fe227c047d0f86e7c7445c3f540c5f768c0736bb846952719086a23acf91aa6ce9aabd82a907a6ce2ecb8accf6210befe46fac3ec4ab8fc4700d1
- memory/444-130-0x0000000000000000-mapping.dmp
- memory/2580-133-0x0000000000000000-mapping.dmp
- memory/3424-135-0x0000000000000000-mapping.dmp
- memory/3424-138-0x00000203E8170000-0x00000203E83A4000-memory.dmp
  Filesize: 2.2MB
- memory/3424-139-0x00007FFE19650000-0x00007FFE1A111000-memory.dmp
  Filesize: 10.8MB
- memory/3524-141-0x0000000000000000-mapping.dmp