Analysis
- max time kernel: 47s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2022 07:53
Behavioral task: behavioral1
- Sample: ffbce36aa9defedbf576ed02e636287f.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: ffbce36aa9defedbf576ed02e636287f.exe
- Resource: win10v2004-20220901-en
General
- Target: ffbce36aa9defedbf576ed02e636287f.exe
- Size: 1.5MB
- MD5: ffbce36aa9defedbf576ed02e636287f
- SHA1: f252d41488346a09408d14adeda8f8d7be569948
- SHA256: 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5
- SHA512: 7e0febf2872ce264a65d9168228753a375c1187aaf5f102406647ac8306c2d769c7d586c479c97e1252702a51b65ba12f83eb7bac5ff24b00e09a8fdc8b6ed60
- SSDEEP: 24576:i2G/nvxW3WwJo0hip/LEXrvlZJMWyRqsBuNXaSLdYqqmZ/BYZGQEUx:ibA3G0Mp/LEXrfJMWyRD8ly4GZ3x
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
  Processes (resource, yara_rule):
  - \HyperserverhostperfDhcp\BlockBroker.exe: dcrat
  - C:\HyperserverhostperfDhcp\BlockBroker.exe: dcrat
  - \HyperserverhostperfDhcp\BlockBroker.exe: dcrat
  - C:\HyperserverhostperfDhcp\BlockBroker.exe: dcrat
  - behavioral1/memory/684-65-0x0000000001130000-0x0000000001210000-memory.dmp: dcrat
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 684 BlockBroker.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 756 cmd.exe
  - 756 cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 684 BlockBroker.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); each entry was recorded 4 times:
  - PID 1416 wrote to memory of 1780: 1416 ffbce36aa9defedbf576ed02e636287f.exe -> WScript.exe (4 IoCs)
  - PID 1780 wrote to memory of 756: 1780 WScript.exe -> cmd.exe (4 IoCs)
  - PID 756 wrote to memory of 684: 756 cmd.exe -> BlockBroker.exe (4 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ffbce36aa9defedbf576ed02e636287f.exe (PID 1416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ffbce36aa9defedbf576ed02e636287f.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe (PID 1780)
    Command line: "C:\Windows\System32\WScript.exe" "C:\HyperserverhostperfDhcp\dw74dL0p6Y0PumPR.vbe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 756)
      Command line: cmd /c ""C:\HyperserverhostperfDhcp\bbEkNdpvd0CDbVWG5LhtvVOaJzs.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\HyperserverhostperfDhcp\BlockBroker.exe (PID 684)
        Command line: "C:\HyperserverhostperfDhcp\BlockBroker.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\HyperserverhostperfDhcp\BlockBroker.exe
  Filesize: 870KB
  MD5: 94390ab4d2b45d3bdcf0dbb83930e5f2
  SHA1: 7efa1a0975743083a6817048bc37ef54a9db0886
  SHA256: 422803ba6c319d3ef896cb86ab4c86dbe32d199007eb4f2f95c1103bfbeed192
  SHA512: 4ead00a90a4c8017a8435109fa8fdb31efebc704da0e29279584a76fb623ecbd74f99b5190d00aef8e913400688c4eb321c7f4bc998c9de42a9afd1032e6e325
- C:\HyperserverhostperfDhcp\bbEkNdpvd0CDbVWG5LhtvVOaJzs.bat
  Filesize: 44B
  MD5: d5b649a9a78d515978e9440aa8df39c7
  SHA1: 81d1e4b5b1da4362cd54e3146686a807b441913c
  SHA256: a2a0212a037816b3bfe177c75218b72927c303f22ca4a32eec30769c3a420ed7
  SHA512: b8d32053a3da692a308127aec1f982ed2f8935081d8678841109f7f4fa270af10b96ab9f3e2ddba063271e3be427435821dbbf58bc35f99a8aa3670b05336437
- C:\HyperserverhostperfDhcp\dw74dL0p6Y0PumPR.vbe
  Filesize: 227B
  MD5: 8f5f4cd2817523d66c78b5a381f639b5
  SHA1: 713fd28837fcf8175bc60be63450ba458b7721d9
  SHA256: 9ead6aa5bea9c1450de016d068e27c5c2f072c8e823db96deebb84e197d1138a
  SHA512: 4a28d5c39da19f7135ccb1793fc591c4a34c5a73bab764926f3487795aac0f6a3dabc73d91b753d9e070b43bbc14555b685a56b9bf4271df0fc44f155ab99c6c
- \HyperserverhostperfDhcp\BlockBroker.exe
  Filesize: 870KB
  MD5: 94390ab4d2b45d3bdcf0dbb83930e5f2
  SHA1: 7efa1a0975743083a6817048bc37ef54a9db0886
  SHA256: 422803ba6c319d3ef896cb86ab4c86dbe32d199007eb4f2f95c1103bfbeed192
  SHA512: 4ead00a90a4c8017a8435109fa8fdb31efebc704da0e29279584a76fb623ecbd74f99b5190d00aef8e913400688c4eb321c7f4bc998c9de42a9afd1032e6e325
- memory/684-63-0x0000000000000000-mapping.dmp
- memory/684-65-0x0000000001130000-0x0000000001210000-memory.dmp
  Filesize: 896KB
- memory/684-66-0x00000000002C0000-0x00000000002CE000-memory.dmp
  Filesize: 56KB
- memory/756-59-0x0000000000000000-mapping.dmp
- memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp
  Filesize: 8KB
- memory/1780-55-0x0000000000000000-mapping.dmp