Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 05:55
Behavioral task
- behavioral1
- Sample: 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe
- Resource: win10v2004-20220812-en
General
- Target: 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe
- Size: 1.5MB
- MD5: ffbce36aa9defedbf576ed02e636287f
- SHA1: f252d41488346a09408d14adeda8f8d7be569948
- SHA256: 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5
- SHA512: 7e0febf2872ce264a65d9168228753a375c1187aaf5f102406647ac8306c2d769c7d586c479c97e1252702a51b65ba12f83eb7bac5ff24b00e09a8fdc8b6ed60
- SSDEEP: 24576:i2G/nvxW3WwJo0hip/LEXrvlZJMWyRqsBuNXaSLdYqqmZ/BYZGQEUx:ibA3G0Mp/LEXrfJMWyRD8ly4GZ3x
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Processes:
  resource | yara_rule
  C:\HyperserverhostperfDhcp\BlockBroker.exe | dcrat
  C:\HyperserverhostperfDhcp\BlockBroker.exe | dcrat
  behavioral1/memory/4344-139-0x0000000000F80000-0x0000000001060000-memory.dmp | dcrat
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4344 | BlockBroker.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4344 | BlockBroker.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 4848 wrote to memory of 1476 | 4848 | 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe | WScript.exe
  PID 4848 wrote to memory of 1476 | 4848 | 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe | WScript.exe
  PID 4848 wrote to memory of 1476 | 4848 | 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe | WScript.exe
  PID 1476 wrote to memory of 396 | 1476 | WScript.exe | cmd.exe
  PID 1476 wrote to memory of 396 | 1476 | WScript.exe | cmd.exe
  PID 1476 wrote to memory of 396 | 1476 | WScript.exe | cmd.exe
  PID 396 wrote to memory of 4344 | 396 | cmd.exe | BlockBroker.exe
  PID 396 wrote to memory of 4344 | 396 | cmd.exe | BlockBroker.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\HyperserverhostperfDhcp\dw74dL0p6Y0PumPR.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\HyperserverhostperfDhcp\bbEkNdpvd0CDbVWG5LhtvVOaJzs.bat" "
         - Suspicious use of WriteProcessMemory
         4. C:\HyperserverhostperfDhcp\BlockBroker.exe
            Command line: "C:\HyperserverhostperfDhcp\BlockBroker.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\HyperserverhostperfDhcp\BlockBroker.exe
  Filesize: 870KB
  MD5: 94390ab4d2b45d3bdcf0dbb83930e5f2
  SHA1: 7efa1a0975743083a6817048bc37ef54a9db0886
  SHA256: 422803ba6c319d3ef896cb86ab4c86dbe32d199007eb4f2f95c1103bfbeed192
  SHA512: 4ead00a90a4c8017a8435109fa8fdb31efebc704da0e29279584a76fb623ecbd74f99b5190d00aef8e913400688c4eb321c7f4bc998c9de42a9afd1032e6e325
- C:\HyperserverhostperfDhcp\bbEkNdpvd0CDbVWG5LhtvVOaJzs.bat
  Filesize: 44B
  MD5: d5b649a9a78d515978e9440aa8df39c7
  SHA1: 81d1e4b5b1da4362cd54e3146686a807b441913c
  SHA256: a2a0212a037816b3bfe177c75218b72927c303f22ca4a32eec30769c3a420ed7
  SHA512: b8d32053a3da692a308127aec1f982ed2f8935081d8678841109f7f4fa270af10b96ab9f3e2ddba063271e3be427435821dbbf58bc35f99a8aa3670b05336437
- C:\HyperserverhostperfDhcp\dw74dL0p6Y0PumPR.vbe
  Filesize: 227B
  MD5: 8f5f4cd2817523d66c78b5a381f639b5
  SHA1: 713fd28837fcf8175bc60be63450ba458b7721d9
  SHA256: 9ead6aa5bea9c1450de016d068e27c5c2f072c8e823db96deebb84e197d1138a
  SHA512: 4a28d5c39da19f7135ccb1793fc591c4a34c5a73bab764926f3487795aac0f6a3dabc73d91b753d9e070b43bbc14555b685a56b9bf4271df0fc44f155ab99c6c
- memory/396-135-0x0000000000000000-mapping.dmp
- memory/1476-132-0x0000000000000000-mapping.dmp
- memory/4344-136-0x0000000000000000-mapping.dmp
- memory/4344-139-0x0000000000F80000-0x0000000001060000-memory.dmp
  Filesize: 896KB
- memory/4344-140-0x00007FFC86320000-0x00007FFC86DE1000-memory.dmp
  Filesize: 10.8MB
- memory/4344-141-0x00007FFC86320000-0x00007FFC86DE1000-memory.dmp
  Filesize: 10.8MB