Analysis
max time kernel: 144s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2023 18:26
Behavioral task: behavioral1
Sample: HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Resource: win10v2004-20220812-en
General
Target: HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Size: 1.1MB
MD5: 56180487c674bc5e9ae5346a8fa72b4a
SHA1: 86058ef7aecd0a9d3bc5f97809e1e0844ab68109
SHA256: 39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8
SHA512: 27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5
SSDEEP: 12288:7ooQ4tQRgvTUxOjOK2C6vo7FFPfvgPVQy3TiNUOckHd4qn4:7out+gvTUwjOK2C4oLPformNUOtH2+4
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
resource | yara_rule
behavioral2/memory/3468-132-0x0000000000870000-0x0000000000986000-memory.dmp | dcrat
C:\Windows\System32\EapTeapExt\dllhost.exe | dcrat
C:\Windows\System32\EapTeapExt\dllhost.exe | dcrat
Executes dropped EXE 1 IoCs
Processes:
pid | process
236 | dllhost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Drops file in System32 directory 12 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\D3D12\dllhost.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\D3D12\5940a34987c99120d96dace90a3f93f329dcad63 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\kbdlisub\cc11b995f2a76da408ea6a601e682e64743153ad | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\Windows.UI.Logon\RuntimeBroker.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\DDORes\spoolsv.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\EapTeapExt\dllhost.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\msg711\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\kbdlisub\winlogon.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\Windows.UI.Logon\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\DDORes\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\EapTeapExt\5940a34987c99120d96dace90a3f93f329dcad63 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\System32\msg711\sihost.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\ModifiableWindowsApps\dllhost.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Program Files\Windows NT\Accessories\en-US\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3212 | schtasks.exe
4960 | schtasks.exe
1744 | schtasks.exe
4092 | schtasks.exe
1116 | schtasks.exe
4912 | schtasks.exe
3484 | schtasks.exe
1328 | schtasks.exe
3764 | schtasks.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
236 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Token: SeDebugPrivilege | 236 | dllhost.exe
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
description | pid | process | target process
PID 3468 wrote to memory of 4092 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 4092 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 3212 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 3212 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 3764 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 3764 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 1116 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 1116 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 4960 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 4960 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 4912 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 4912 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 1744 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 1744 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 3484 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 3484 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 1328 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 1328 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | schtasks.exe
PID 3468 wrote to memory of 5020 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | cmd.exe
PID 3468 wrote to memory of 5020 | 3468 | HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe | cmd.exe
PID 5020 wrote to memory of 4732 | 5020 | cmd.exe | chcp.com
PID 5020 wrote to memory of 4732 | 5020 | cmd.exe | chcp.com
PID 5020 wrote to memory of 3172 | 5020 | cmd.exe | PING.EXE
PID 5020 wrote to memory of 3172 | 5020 | cmd.exe | PING.EXE
PID 5020 wrote to memory of 236 | 5020 | cmd.exe | dllhost.exe
PID 5020 wrote to memory of 236 | 5020 | cmd.exe | dllhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Documents and Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\EapTeapExt\dllhost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\msg711\sihost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\D3D12\dllhost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\kbdlisub\winlogon.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.UI.Logon\RuntimeBroker.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\DDORes\spoolsv.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAxBcO0nJT.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
    - C:\Windows\system32\PING.EXE
      Command line: ping -n 5 localhost
      - Runs ping.exe
    - C:\Windows\System32\EapTeapExt\dllhost.exe
      Command line: "C:\Windows\System32\EapTeapExt\dllhost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\zAxBcO0nJT.bat
  Filesize: 208B
  MD5: 5574d6b25c94f486c6c78f10a4d69216
  SHA1: ef9bf19d721441aea262631fb26037ab9e47bc52
  SHA256: 8f73873b1b1748b649655b5619eaa5e8911a0c48e276fe5d29898ba97dbc5596
  SHA512: 94f34728ae3f5915f9cfe70403481bc572dee858efe78819195ff9361b9427e0af364c080ef6ae64818c26febf7abf04659efc18b7ce14faf621dc94c80e6f5f
- C:\Windows\System32\EapTeapExt\dllhost.exe
  Filesize: 1.1MB
  MD5: 56180487c674bc5e9ae5346a8fa72b4a
  SHA1: 86058ef7aecd0a9d3bc5f97809e1e0844ab68109
  SHA256: 39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8
  SHA512: 27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5
- C:\Windows\System32\EapTeapExt\dllhost.exe
  Filesize: 1.1MB
  MD5: 56180487c674bc5e9ae5346a8fa72b4a
  SHA1: 86058ef7aecd0a9d3bc5f97809e1e0844ab68109
  SHA256: 39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8
  SHA512: 27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5
- memory/236-152-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
  Filesize: 10.8MB
- memory/236-151-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
  Filesize: 10.8MB
- memory/236-148-0x0000000000000000-mapping.dmp
- memory/1116-137-0x0000000000000000-mapping.dmp
- memory/1328-142-0x0000000000000000-mapping.dmp
- memory/1744-140-0x0000000000000000-mapping.dmp
- memory/3172-147-0x0000000000000000-mapping.dmp
- memory/3212-135-0x0000000000000000-mapping.dmp
- memory/3468-132-0x0000000000870000-0x0000000000986000-memory.dmp
  Filesize: 1.1MB
- memory/3468-133-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
  Filesize: 10.8MB
- memory/3468-146-0x00007FFA02680000-0x00007FFA03141000-memory.dmp
  Filesize: 10.8MB
- memory/3484-141-0x0000000000000000-mapping.dmp
- memory/3764-136-0x0000000000000000-mapping.dmp
- memory/4092-134-0x0000000000000000-mapping.dmp
- memory/4732-145-0x0000000000000000-mapping.dmp
- memory/4912-139-0x0000000000000000-mapping.dmp
- memory/4960-138-0x0000000000000000-mapping.dmp
- memory/5020-143-0x0000000000000000-mapping.dmp