Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
03-08-2022 08:21
General
-
Target
96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe
-
Size
2.0MB
-
MD5
4f64c5ba875a44be67619fa8342bc777
-
SHA1
c192a53b53940892febe4bdba9adf9c940988d0f
-
SHA256
96ddb4fa1a296cccac8a22faa8773f1343e2ced466b478980d64f1af493c103a
-
SHA512
433086c6e4a26d8b7e58f67176ebb4ff9655fff67d07899911e3e5d49100a2e02d1d41907e0f1bdd2f627bc198a88fe907419755941d3cb31957ca155298daa1
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 20 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe"C:\Users\Admin\AppData\Local\Temp\96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\componentweb\KzCiAFWiG.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\componentweb\lTeat4KS.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe"C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\ServiceProfiles\NetworkService\smss.exe"C:\Windows\ServiceProfiles\NetworkService\smss.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23da7669-43b6-45b0-ad56-b61baa604c4e.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c70af26f-68cb-4f26-9693-892db141a2e2.vbs"6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\componentweb\file.vbs"2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgesessionb" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\bridgesession.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgesession" /sc ONLOGON /tr "'C:\Users\Default User\bridgesession.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgesessionb" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\bridgesession.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\NetworkService\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\odt\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Videos\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Documents\My Videos\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\odt\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\23da7669-43b6-45b0-ad56-b61baa604c4e.vbsFilesize
726B
MD5a96bd9eabe6944c17dcf84ef5129e14a
SHA1fbbb67514175b158ea118ae3685ef15766ef7427
SHA256463813d2cf831c339d6162ac91df61ad5308f345c34701a783093a00c93ff806
SHA5121621b44dae704f7266731de0c92a3665dd54e7e70ccec9b65a6f0b502f22c65fe6fb6fff42ff7a7eedad3796843bb24d7aef1716b5ace27b78bb634a8aeb270f
-
C:\Users\Admin\AppData\Local\Temp\c70af26f-68cb-4f26-9693-892db141a2e2.vbsFilesize
502B
MD529a7168cc2000159abb5f98e9341812d
SHA139739cc7f40431add7118c9bc34f6cebe424bcff
SHA256985c1d6f95b966dd4a2f93b96cccf8a808e421656c4f5adba9f959beff0b680b
SHA512787930684c0ac4aeb9bc4fc7bda893712d823da9ac3d20ff368b0131e24e458232236caeadee204e53b4310caacccdb99c8031d819b5fcf61611a5609c13256c
-
C:\Users\Admin\AppData\Roaming\componentweb\KzCiAFWiG.vbeFilesize
205B
MD597477f4fd52d9b2ffb51319a264de713
SHA164eca106fa0f8923dfc304e78fe32dd1cbdd393b
SHA256dbea180023ec71eaa16ed1faa254b26688625ba4d48eb93343fb8dab5a7bf185
SHA512c02d978cf103d812e95a6038d8c3bd0b3bfb07aa29f2405ca88052d28ee3d69bb85e522b156e47fb124a5f9ff7a29fe1b86405231a9c87f88b3ca80fc702429e
-
C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exeFilesize
1.7MB
MD54f080110c40748cabc62f247b3104cca
SHA1e28c68aa6e57975a28945ed21bb6bd623379b2a0
SHA256ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d
SHA512d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143
-
C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exeFilesize
1.7MB
MD54f080110c40748cabc62f247b3104cca
SHA1e28c68aa6e57975a28945ed21bb6bd623379b2a0
SHA256ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d
SHA512d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143
-
C:\Users\Admin\AppData\Roaming\componentweb\file.vbsFilesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\Users\Admin\AppData\Roaming\componentweb\lTeat4KS.batFilesize
154B
MD5e06419a009888884daaca1708dc8f782
SHA18d1ceb2ce38fd84fdd998f129de0494303a42609
SHA256a98e96aaf61ff999b1ea39ae83f1f160a8f0af067247f9e6c0790afcc705585a
SHA5122b69ac436ddc4eaba2ae53d1713361c2b52c29e991e1a47996a249a66fb56dcab560db79b7722c96f676f6b7a46db85026d2a754f6bad7990e5c4d8ed21ca6f6
-
C:\Windows\ServiceProfiles\NetworkService\smss.exeFilesize
1.7MB
MD54f080110c40748cabc62f247b3104cca
SHA1e28c68aa6e57975a28945ed21bb6bd623379b2a0
SHA256ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d
SHA512d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143
-
C:\Windows\ServiceProfiles\NetworkService\smss.exeFilesize
1.7MB
MD54f080110c40748cabc62f247b3104cca
SHA1e28c68aa6e57975a28945ed21bb6bd623379b2a0
SHA256ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d
SHA512d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143
-
memory/384-147-0x0000000000000000-mapping.dmp
-
memory/1160-153-0x00007FFE79C70000-0x00007FFE7A731000-memory.dmpFilesize
10.8MB
-
memory/1160-148-0x00007FFE79C70000-0x00007FFE7A731000-memory.dmpFilesize
10.8MB
-
memory/1160-143-0x0000000000000000-mapping.dmp
-
memory/1848-135-0x0000000000000000-mapping.dmp
-
memory/2200-132-0x0000000000000000-mapping.dmp
-
memory/3788-149-0x0000000000000000-mapping.dmp
-
memory/4192-130-0x0000000000000000-mapping.dmp
-
memory/4416-150-0x0000000000000000-mapping.dmp
-
memory/4680-136-0x0000000000000000-mapping.dmp
-
memory/4680-146-0x00007FFE79C70000-0x00007FFE7A731000-memory.dmpFilesize
10.8MB
-
memory/4680-142-0x000000001CFA0000-0x000000001D4C8000-memory.dmpFilesize
5.2MB
-
memory/4680-141-0x000000001B650000-0x000000001B6A0000-memory.dmpFilesize
320KB
-
memory/4680-140-0x00007FFE79C70000-0x00007FFE7A731000-memory.dmpFilesize
10.8MB
-
memory/4680-139-0x00000000009C0000-0x0000000000B6E000-memory.dmpFilesize
1.7MB