Overview

overview

10

Static

static

10

HEUR-Backd...30.exe

windows7-x64

10

HEUR-Backd...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2022 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Backdoor.MSIL.LightStone.gen-e76feaaf3b02c4306a6e107b3ee8239feb6ef9fdd0c34a83d4a309d960288930.exe

  • Size

    784KB

  • MD5

    07db192d82c606c182770ff5f9b1d600

  • SHA1

    69d9cbb97206de1eccc22e3b26eb3e33e6c170c4

  • SHA256

    e76feaaf3b02c4306a6e107b3ee8239feb6ef9fdd0c34a83d4a309d960288930

  • SHA512

    2cdca5458d86fb3690d20e5f995ed6c508ad3d8237325e2baa504f8f27dd83333a443f537b9797d57741c0b29b590770add23057ef300e4570c24e04650f0d27

  • SSDEEP

    12288:eqnO8YpD1oOJp+Ce1PSiG2jfIBoI5DyDwYMDxFesH0ioBw7oKk2:e+ORToOWSi5gBoS4wYUJ0eo2

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.LightStone.gen-e76feaaf3b02c4306a6e107b3ee8239feb6ef9fdd0c34a83d4a309d960288930.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.LightStone.gen-e76feaaf3b02c4306a6e107b3ee8239feb6ef9fdd0c34a83d4a309d960288930.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unCQjhoToQ.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:860
        • C:\PerfLogs\Admin\Idle.exe
          "C:\PerfLogs\Admin\Idle.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\asferror\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Admin\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\fontext\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\C_864\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\iscsicpl\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1036

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PerfLogs\Admin\Idle.exe
      Filesize

      784KB

      MD5

      a791def3b02684523ca23a9c0fef5d71

      SHA1

      bcaf5424318558165cea74a448cb1514e65846a4

      SHA256

      6718b87a9a7127040d448b444b0157d35f315f07ffa9389df7926d89a1b8d3b4

      SHA512

      3a7021bb51262b32d4759f20c2b7e73beb73671ddd7adcf553745f5a11fc79ac78eec275b305957cfc792a4f3af618cfe016bdf7fa6b96cbc780810f7551505a

      Download Submit

    • C:\PerfLogs\Admin\Idle.exe
      Filesize

      784KB

      MD5

      a791def3b02684523ca23a9c0fef5d71

      SHA1

      bcaf5424318558165cea74a448cb1514e65846a4

      SHA256

      6718b87a9a7127040d448b444b0157d35f315f07ffa9389df7926d89a1b8d3b4

      SHA512

      3a7021bb51262b32d4759f20c2b7e73beb73671ddd7adcf553745f5a11fc79ac78eec275b305957cfc792a4f3af618cfe016bdf7fa6b96cbc780810f7551505a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\unCQjhoToQ.bat
      Filesize

      190B

      MD5

      49606e149ea27a692af73e77bb471d96

      SHA1

      066503904503c03567a3fb0176d43013ce30f580

      SHA256

      7c7d154ffa0613f8a045a40a006bc91af74eedd82d6862d2f89e6f25a9613fd8

      SHA512

      3743fe21a1d02a46add2cc32ff754f04d82d61143ac295a56e68f938d93bb4cf897cadccbce5e09efac4f71dc870e4253d2418fb45d916f8f02c35c0e0c9bbee

      Download Submit

    • memory/684-86-0x0000000000D16000-0x0000000000D35000-memory.dmp

      Filesize

      124KB

      Download

    • memory/684-85-0x0000000000D16000-0x0000000000D35000-memory.dmp

      Filesize

      124KB

      Download

    • memory/684-84-0x0000000001340000-0x000000000140A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/2036-62-0x00000000002F0000-0x00000000002F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-74-0x00000000004B0000-0x00000000004B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-65-0x00000000004A0000-0x00000000004A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-66-0x00000000004D0000-0x00000000004D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-67-0x00000000002A0000-0x00000000002A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-68-0x0000000000670000-0x0000000000678000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-69-0x0000000000680000-0x0000000000688000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-70-0x0000000000690000-0x0000000000698000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-71-0x00000000006B0000-0x00000000006B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-72-0x00000000006C0000-0x00000000006C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-73-0x0000000000A30000-0x0000000000A3C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2036-64-0x0000000000480000-0x0000000000488000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-75-0x000000001B046000-0x000000001B065000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2036-76-0x000000001B046000-0x000000001B065000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2036-63-0x0000000000490000-0x0000000000498000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-54-0x0000000000E70000-0x0000000000F3A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/2036-61-0x00000000002E0000-0x00000000002EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2036-80-0x000000001B046000-0x000000001B065000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2036-60-0x00000000002C0000-0x00000000002CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2036-59-0x0000000000290000-0x000000000029C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2036-58-0x0000000000270000-0x0000000000278000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-57-0x0000000000260000-0x0000000000270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2036-56-0x0000000000280000-0x0000000000288000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2036-55-0x0000000000150000-0x0000000000158000-memory.dmp

      Filesize

      32KB

      Download