Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
- submitted: 17-01-2023 17:10
Behavioral task
- behavioral1
- Sample: Icloader.exe
- Resource: win10v2004-20221111-en
General
- Target: Icloader.exe
- Size: 7.9MB
- MD5: ce12fa0411314efb0e9e9d3c6fb943f4
- SHA1: 1f14997e49595ffe8148f1ad0884d2428444e193
- SHA256: 1a93fd3d8f49308c93bd0890353d36bc720a93dc617d9d7c0e713d39bb12e753
- SHA512: 4cb44891e8c4dff32b8516a36200773225c999822b18e2b118da24e7dd1dd9164b83089b68ee55adcafe9fc1df46422576fc0b4fd073e194ccba95f8d92ed4c7
- SSDEEP: 196608:YO2gG67ej056dQmRrdA6lakaqdVTmRPjKyDd:3g+kdQOlawdIR71d
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (×9)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4660 | 4108 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1228 | 4108 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4992 | 4108 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4540 | 4108 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2912 | 4108 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3472 | 4108 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 4108 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3688 | 4108 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3756 | 4108 | schtasks.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\INST.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe | dcrat
C:\Comproviderdriver\hyperportsession.exe | dcrat
C:\Comproviderdriver\hyperportsession.exe | dcrat
behavioral1/memory/3428-152-0x0000000000550000-0x00000000007A2000-memory.dmp | dcrat
C:\Users\Admin\Music\WaaSMedicAgent.exe | dcrat
C:\Users\Admin\Music\WaaSMedicAgent.exe | dcrat
-
Executes dropped EXE 3 IoCs
Processes: INST.exe, hyperportsession.exe, WaaSMedicAgent.exe
pid | process
2688 | INST.exe
3428 | hyperportsession.exe
844 | WaaSMedicAgent.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: hyperportsession.exe, INST.exe, WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | hyperportsession.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | INST.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Loads dropped DLL 2 IoCs
Processes: Icloader.exe
pid | process
1420 | Icloader.exe
1420 | Icloader.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (×9)
pid | process
4992 | schtasks.exe
4540 | schtasks.exe
2912 | schtasks.exe
3472 | schtasks.exe
1228 | schtasks.exe
2848 | schtasks.exe
3688 | schtasks.exe
3756 | schtasks.exe
4660 | schtasks.exe
-
Modifies registry class 1 IoCs
Processes: INST.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | INST.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: hyperportsession.exe, WaaSMedicAgent.exe
pid | process
3428 | hyperportsession.exe
844 | WaaSMedicAgent.exe (×13)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: WaaSMedicAgent.exe
pid | process
844 | WaaSMedicAgent.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: hyperportsession.exe, WaaSMedicAgent.exe
description | pid | process
Token: SeDebugPrivilege | 3428 | hyperportsession.exe
Token: SeDebugPrivilege | 844 | WaaSMedicAgent.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: Icloader.exe, Icloader.exe, cmd.exe, INST.exe, WScript.exe, cmd.exe, hyperportsession.exe
description | pid | process | target process
PID 4552 wrote to memory of 1420 | 4552 | Icloader.exe | Icloader.exe (×2)
PID 1420 wrote to memory of 4248 | 1420 | Icloader.exe | cmd.exe (×2)
PID 1420 wrote to memory of 4520 | 1420 | Icloader.exe | cmd.exe (×2)
PID 4520 wrote to memory of 2688 | 4520 | cmd.exe | INST.exe (×3)
PID 2688 wrote to memory of 792 | 2688 | INST.exe | WScript.exe (×3)
PID 2688 wrote to memory of 1672 | 2688 | INST.exe | WScript.exe (×3)
PID 792 wrote to memory of 1204 | 792 | WScript.exe | cmd.exe (×3)
PID 1204 wrote to memory of 3428 | 1204 | cmd.exe | hyperportsession.exe (×2)
PID 3428 wrote to memory of 844 | 3428 | hyperportsession.exe | WaaSMedicAgent.exe (×2)
Processes
- C:\Users\Admin\AppData\Local\Temp\Icloader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Icloader.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Icloader.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Icloader.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      command line: cmd /c echo %temp%
    - C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\INST.exe
        command line: C:\Users\Admin\AppData\Local\Temp\INST.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\AQTx4XyFVLzflDDrifZPwFGdIcSe.vbe"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Comproviderdriver\kWY7NjZwZ1iBKBun9q6.bat" "
            - Suspicious use of WriteProcessMemory
            - C:\Comproviderdriver\hyperportsession.exe
              command line: "C:\Comproviderdriver\hyperportsession.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - C:\Users\Admin\Music\WaaSMedicAgent.exe
                command line: "C:\Users\Admin\Music\WaaSMedicAgent.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Comproviderdriver\file.vbs"
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\odt\TrustedInstaller.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\WaaSMedicAgent.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Admin\Music\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Comproviderdriver\AQTx4XyFVLzflDDrifZPwFGdIcSe.vbe
  Filesize: 213B
  MD5: 9113279e9c8b6335ec9e3e1e311ef188
  SHA1: 37a4e9ab4bf02a2a65d48918f16f2b494ff5f446
  SHA256: 829fb3f8655a6ae7791d83e099d9892359924b841d47f0930c7cd92e1d65129e
  SHA512: 1f846e02362b8fcd4b3c91c745bbe7d08f5e171664d0c96f70800e3a689553c580aaf9845b3e18d4320277b6777964701b82b1664319d9f49f7174e7d39f0389
- C:\Comproviderdriver\file.vbs
  Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
- C:\Comproviderdriver\hyperportsession.exe
  Filesize: 2.3MB
  MD5: 87f1ada78f54205efdbd5d57bc0a0a08
  SHA1: 10d0478598d4c327ace6dc12e8590ea0e40ab53a
  SHA256: 373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a
  SHA512: bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f
- C:\Comproviderdriver\kWY7NjZwZ1iBKBun9q6.bat
  Filesize: 43B
  MD5: f9b0386eda9b5c1cecad9c265da5b3b7
  SHA1: f69cc98e2d196c0f5e2de7a7c75324852bf472fb
  SHA256: e59356966e672a4f59cadb7924e07b50346d517101523d7076a03d8c908cc1e1
  SHA512: d042e61171f1a5ed353332cdcf018000b9ce61403439282fff5bd029e65dca888bd4374b9986bd13d92a7c1766399d88e2be80ced8b7a8baf797461e65b7346b
- C:\Users\Admin\AppData\Local\Temp\INST.exe
  Filesize: 2.6MB
  MD5: 1ce7698d0f91c39eac6b579e139ae9c4
  SHA1: c42979cf7ec941f0ef1a1cccbabb50b6445d2dc4
  SHA256: 31920a462e8b7c2e6e8e045cd1f867ad2df5939e6edf9bf6a19e376fad43e0cc
  SHA512: e6084b09191d2eaaab77fa2ed86ee37384f7fc15da60a76f15e4e2ed1dcf9035be996f32cafd799d24c9c25ac25c284a27044791370a72b9d6ea0cea312c2c9b
- C:\Users\Admin\AppData\Local\Temp\_MEI45522\VCRUNTIME140.dll
  Filesize: 96KB
  MD5: f12681a472b9dd04a812e16096514974
  SHA1: 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
  SHA256: d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
  SHA512: 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
- C:\Users\Admin\AppData\Local\Temp\_MEI45522\base_library.zip
  Filesize: 1.0MB
  MD5: b344c8ac7c6cb7ce58c5a4ec6c760b96
  SHA1: 16cb3b9f8fcc90364155f081fb51a74bdf16dce9
  SHA256: 77c53672ee2afece093ded8b42d316fe443626451448ef603744ca9c7e0cfdb3
  SHA512: 2976d162b0719c2a1bebf4bc14f6595c291e117f3a2956b69e53996f4a0f4de14a1ea9ec50122a30e95e953ba320a1ac4bf73a5d5980fa7d61bfd92c9af62b86
- C:\Users\Admin\AppData\Local\Temp\_MEI45522\python310.dll
  Filesize: 4.3MB
  MD5: 342ba224fe440b585db4e9d2fc9f86cd
  SHA1: bfa3d380231166f7c2603ca89a984a5cad9752ab
  SHA256: cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432
  SHA512: daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1
- C:\Users\Admin\Music\WaaSMedicAgent.exe
  Filesize: 2.3MB
  MD5: 87f1ada78f54205efdbd5d57bc0a0a08
  SHA1: 10d0478598d4c327ace6dc12e8590ea0e40ab53a
  SHA256: 373c56df3619866d4ae6f64febad8f6d48cca434030d1db20e96cccaf22f113a
  SHA512: bdf2dd01667e2c6ed5afed7971145aa8c9a06ab39fc31cbf8dcf0918b0392d50b9029f0c98af12676ef112f223224876506f035a527c36379322f7e955b87c3f
- memory/792-143-0x0000000000000000-mapping.dmp
- memory/844-156-0x0000000000000000-mapping.dmp
- memory/844-160-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp
  Filesize: 10.8MB
- memory/844-161-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp
  Filesize: 10.8MB
- memory/1204-148-0x0000000000000000-mapping.dmp
- memory/1420-132-0x0000000000000000-mapping.dmp
- memory/1672-144-0x0000000000000000-mapping.dmp
- memory/2688-140-0x0000000000000000-mapping.dmp
- memory/3428-153-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp
  Filesize: 10.8MB
- memory/3428-155-0x000000001CC00000-0x000000001D128000-memory.dmp
  Filesize: 5.2MB
- memory/3428-154-0x000000001B2C0000-0x000000001B310000-memory.dmp
  Filesize: 320KB
- memory/3428-152-0x0000000000550000-0x00000000007A2000-memory.dmp
  Filesize: 2.3MB
- memory/3428-149-0x0000000000000000-mapping.dmp
- memory/3428-159-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp
  Filesize: 10.8MB
- memory/4248-138-0x0000000000000000-mapping.dmp
- memory/4520-139-0x0000000000000000-mapping.dmp