Analysis
max time kernel: 100s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 07:53
Behavioral task: behavioral1
Sample: ffbce36aa9defedbf576ed02e636287f.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: ffbce36aa9defedbf576ed02e636287f.exe
Resource: win10v2004-20220901-en
General
Target: ffbce36aa9defedbf576ed02e636287f.exe
Size: 1.5MB
MD5: ffbce36aa9defedbf576ed02e636287f
SHA1: f252d41488346a09408d14adeda8f8d7be569948
SHA256: 07661dc549a97e60a80ae0690e206295fc7e52bfeda7da1b4df688690b6b4ea5
SHA512: 7e0febf2872ce264a65d9168228753a375c1187aaf5f102406647ac8306c2d769c7d586c479c97e1252702a51b65ba12f83eb7bac5ff24b00e09a8fdc8b6ed60
SSDEEP: 24576:i2G/nvxW3WwJo0hip/LEXrvlZJMWyRqsBuNXaSLdYqqmZ/BYZGQEUx:ibA3G0Mp/LEXrfJMWyRD8ly4GZ3x
Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
resource | yara_rule
C:\HyperserverhostperfDhcp\BlockBroker.exe | dcrat
C:\HyperserverhostperfDhcp\BlockBroker.exe | dcrat
behavioral2/memory/1124-139-0x0000000000580000-0x0000000000660000-memory.dmp | dcrat
Executes dropped EXE (1 IoCs)
Processes:
pid | process
1124 | BlockBroker.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ffbce36aa9defedbf576ed02e636287f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | ffbce36aa9defedbf576ed02e636287f.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1124 | BlockBroker.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 3944 wrote to memory of 2720 | 3944 | ffbce36aa9defedbf576ed02e636287f.exe | WScript.exe
PID 3944 wrote to memory of 2720 | 3944 | ffbce36aa9defedbf576ed02e636287f.exe | WScript.exe
PID 3944 wrote to memory of 2720 | 3944 | ffbce36aa9defedbf576ed02e636287f.exe | WScript.exe
PID 2720 wrote to memory of 1632 | 2720 | WScript.exe | cmd.exe
PID 2720 wrote to memory of 1632 | 2720 | WScript.exe | cmd.exe
PID 2720 wrote to memory of 1632 | 2720 | WScript.exe | cmd.exe
PID 1632 wrote to memory of 1124 | 1632 | cmd.exe | BlockBroker.exe
PID 1632 wrote to memory of 1124 | 1632 | cmd.exe | BlockBroker.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ffbce36aa9defedbf576ed02e636287f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ffbce36aa9defedbf576ed02e636287f.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\HyperserverhostperfDhcp\dw74dL0p6Y0PumPR.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\HyperserverhostperfDhcp\bbEkNdpvd0CDbVWG5LhtvVOaJzs.bat" "
      - Suspicious use of WriteProcessMemory

      C:\HyperserverhostperfDhcp\BlockBroker.exe (depth 4)
        Command line: "C:\HyperserverhostperfDhcp\BlockBroker.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\HyperserverhostperfDhcp\BlockBroker.exe
Filesize: 870KB
MD5: 94390ab4d2b45d3bdcf0dbb83930e5f2
SHA1: 7efa1a0975743083a6817048bc37ef54a9db0886
SHA256: 422803ba6c319d3ef896cb86ab4c86dbe32d199007eb4f2f95c1103bfbeed192
SHA512: 4ead00a90a4c8017a8435109fa8fdb31efebc704da0e29279584a76fb623ecbd74f99b5190d00aef8e913400688c4eb321c7f4bc998c9de42a9afd1032e6e325

C:\HyperserverhostperfDhcp\bbEkNdpvd0CDbVWG5LhtvVOaJzs.bat
Filesize: 44B
MD5: d5b649a9a78d515978e9440aa8df39c7
SHA1: 81d1e4b5b1da4362cd54e3146686a807b441913c
SHA256: a2a0212a037816b3bfe177c75218b72927c303f22ca4a32eec30769c3a420ed7
SHA512: b8d32053a3da692a308127aec1f982ed2f8935081d8678841109f7f4fa270af10b96ab9f3e2ddba063271e3be427435821dbbf58bc35f99a8aa3670b05336437

C:\HyperserverhostperfDhcp\dw74dL0p6Y0PumPR.vbe
Filesize: 227B
MD5: 8f5f4cd2817523d66c78b5a381f639b5
SHA1: 713fd28837fcf8175bc60be63450ba458b7721d9
SHA256: 9ead6aa5bea9c1450de016d068e27c5c2f072c8e823db96deebb84e197d1138a
SHA512: 4a28d5c39da19f7135ccb1793fc591c4a34c5a73bab764926f3487795aac0f6a3dabc73d91b753d9e070b43bbc14555b685a56b9bf4271df0fc44f155ab99c6c

memory/1124-136-0x0000000000000000-mapping.dmp

memory/1124-139-0x0000000000580000-0x0000000000660000-memory.dmp
Filesize: 896KB

memory/1124-140-0x00007FFAB5F30000-0x00007FFAB69F1000-memory.dmp
Filesize: 10.8MB

memory/1124-141-0x00007FFAB5F30000-0x00007FFAB69F1000-memory.dmp
Filesize: 10.8MB

memory/1632-135-0x0000000000000000-mapping.dmp

memory/2720-132-0x0000000000000000-mapping.dmp