Analysis
- max time kernel: 38s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-01-2023 16:49
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 1.8MB
- MD5: c2d98ce6d441b79d1ec3d50376b46b9a
- SHA1: 0854d68bf709c0a423e47c63eb0b6e9726c9c08f
- SHA256: 00c5b3c574053a1faa9d26f44a73b9db72178de14e95e46893a879229597b325
- SHA512: 459b5c85d4a29bd37b7e7697054cd0045df6a2eb6b8976ac5cce8e3a89eb93ca20e65636611534a383eae7e42c7117756665179780f0e85fb14d513d10dde13f
- SSDEEP: 49152:wkQTAUs8KECSOKf6n3C1s13gvSorrzsAf9yWU5:waCBOfICQvDrEAfwWU5
Malware Config

Signatures

- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Processes (resource / yara_rule):
    behavioral1/memory/1160-56-0x00000000056C0000-0x00000000058D4000-memory.dmp  dcrat
    \Windows\Temp\1.exe  dcrat
    C:\Windows\Temp\1.exe  dcrat
    C:\Windows\Temp\1.exe  dcrat
    C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe  dcrat
    \Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe  dcrat
    C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe  dcrat
    \Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe  dcrat
    behavioral1/memory/468-73-0x0000000001380000-0x0000000001544000-memory.dmp  dcrat

- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    1316  1.exe
    468   agentServer.exe

- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
    1160  file.exe
    1732  cmd.exe
    1732  cmd.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1160  file.exe
    Token: SeDebugPrivilege  468   agentServer.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process):
    PID 1160 wrote to memory of 1316  1160  file.exe     1.exe
    PID 1160 wrote to memory of 1316  1160  file.exe     1.exe
    PID 1160 wrote to memory of 1316  1160  file.exe     1.exe
    PID 1160 wrote to memory of 1316  1160  file.exe     1.exe
    PID 1316 wrote to memory of 1324  1316  1.exe        WScript.exe
    PID 1316 wrote to memory of 1324  1316  1.exe        WScript.exe
    PID 1316 wrote to memory of 1324  1316  1.exe        WScript.exe
    PID 1316 wrote to memory of 1324  1316  1.exe        WScript.exe
    PID 1324 wrote to memory of 1732  1324  WScript.exe  cmd.exe
    PID 1324 wrote to memory of 1732  1324  WScript.exe  cmd.exe
    PID 1324 wrote to memory of 1732  1324  WScript.exe  cmd.exe
    PID 1324 wrote to memory of 1732  1324  WScript.exe  cmd.exe
    PID 1732 wrote to memory of 468   1732  cmd.exe      agentServer.exe
    PID 1732 wrote to memory of 468   1732  cmd.exe      agentServer.exe
    PID 1732 wrote to memory of 468   1732  cmd.exe      agentServer.exe
    PID 1732 wrote to memory of 468   1732  cmd.exe      agentServer.exe
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\Temp\1.exe
    Command line: "C:\Windows\Temp\1.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\x1j7cF9kcN8pqeKG.vbe"
      - Suspicious use of WriteProcessMemory

      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\siisuPTUTbkLrYbSx0rFkkTlZVh.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        - [depth 5] C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe
  Filesize: 1.7MB
  MD5: 30fb2a1f02123032ff27d37353cbbd67
  SHA1: f8c229f0b3b23d3131be7bc35867b478676aef50
  SHA256: cb05b0d5108bb05b57e68b8e12bba7cc7f22d461558dbd22f9be3430127976de
  SHA512: 53a5b66374f8cebbdbf120930d94d2b99b3813f95ce8820d04ba4199d98372f98043e47060a78e2861ac0d1caa9d5a94b7fdf6de25fd8f245e6dc3b192acaa98

- C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\siisuPTUTbkLrYbSx0rFkkTlZVh.bat
  Filesize: 48B
  MD5: 9ab646ca1ef6e402e57d0027bce41104
  SHA1: 8d8ec9bd07764b2a21121b620abcbd9e4a9cdc72
  SHA256: 7dd0dcbc4ece8af21597c712e241648580a6781b32267d21e1b899b9ad1b258f
  SHA512: 5e10b2a62e89c9312849a8bde48e593de5a1fa619d94cfd294e87c138d5de92fc0061937db7315b9b40335957e55e8956d851389cd12ac62f6e67ffb18748ff2

- C:\Users\Admin\AppData\Local\Temp\portSurrogatewebsession\x1j7cF9kcN8pqeKG.vbe
  Filesize: 231B
  MD5: ed62e680eec74b04138d15259ad35814
  SHA1: 05e048618c085e9f7c7de400507339c52bbdcc99
  SHA256: 7775b76ed99205dbbb58e7346077c466a14c385ee195fc8ba0e5a46a3c3f56f4
  SHA512: 007ba0a7173e057d4ac196ad7dafbb91f3a07ba4c1150eee541dbc07d173e5aa42aee0e26faf270fd7d1f5ad80d941f82556d986d32c06814cadbb919fcbd1e5

- C:\Windows\Temp\1.exe
  Filesize: 2.0MB
  MD5: 8c2bfaedee15c793704661073648516d
  SHA1: 659f9362eb4e4b8212e5195c8953a51bfd5b918b
  SHA256: 607e3ed8d528f4bfeac6f591e588b6aa35f04e70898d535935e5f6d318d648ff
  SHA512: ccca3dcbd57003de418c688fe9cc307ff4a0fd35bbe02c36de1b066b19414029cc9a8bafd891f789d468585a46a8ff8dd0c079827eb51c558524c6f0aea64c0a

- \Users\Admin\AppData\Local\Temp\portSurrogatewebsession\agentServer.exe
  Filesize: 1.7MB
  MD5: 30fb2a1f02123032ff27d37353cbbd67
  SHA1: f8c229f0b3b23d3131be7bc35867b478676aef50
  SHA256: cb05b0d5108bb05b57e68b8e12bba7cc7f22d461558dbd22f9be3430127976de
  SHA512: 53a5b66374f8cebbdbf120930d94d2b99b3813f95ce8820d04ba4199d98372f98043e47060a78e2861ac0d1caa9d5a94b7fdf6de25fd8f245e6dc3b192acaa98

- \Windows\Temp\1.exe
  Filesize: 2.0MB
  MD5: 8c2bfaedee15c793704661073648516d
  SHA1: 659f9362eb4e4b8212e5195c8953a51bfd5b918b
  SHA256: 607e3ed8d528f4bfeac6f591e588b6aa35f04e70898d535935e5f6d318d648ff
  SHA512: ccca3dcbd57003de418c688fe9cc307ff4a0fd35bbe02c36de1b066b19414029cc9a8bafd891f789d468585a46a8ff8dd0c079827eb51c558524c6f0aea64c0a

- memory/468-71-0x0000000000000000-mapping.dmp

- memory/468-73-0x0000000001380000-0x0000000001544000-memory.dmp
  Filesize: 1.8MB

- memory/468-74-0x0000000000150000-0x000000000015E000-memory.dmp
  Filesize: 56KB

- memory/1160-54-0x0000000004FB0000-0x0000000005188000-memory.dmp
  Filesize: 1.8MB

- memory/1160-57-0x0000000075A91000-0x0000000075A93000-memory.dmp
  Filesize: 8KB

- memory/1160-56-0x00000000056C0000-0x00000000058D4000-memory.dmp
  Filesize: 2.1MB

- memory/1160-55-0x0000000004DD0000-0x0000000004FA4000-memory.dmp
  Filesize: 1.8MB

- memory/1316-59-0x0000000000000000-mapping.dmp

- memory/1324-63-0x0000000000000000-mapping.dmp

- memory/1732-67-0x0000000000000000-mapping.dmp