Analysis

  • max time kernel
    120s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2023 22:43

General

  • Target

    tmp.exe

  • Size

    3.7MB

  • MD5

    3046d5ac745d33c5b5ea76db29ccc58e

  • SHA1

    6711bd52d11fb81d34552bda8f7819b97341bd41

  • SHA256

    da42677a574b2f5e9ac01fb0c3436bdf029576f1301d2c7ee6fe0ef30f535b9e

  • SHA512

    b20dfc9b05de7116f52569a8317236d5790f6738bb56131d9bc0b642a38f4c74a90e7b8f1a5fba0d97af33388f1de161530fd11c83fb98565d2d897b572ac074

  • SSDEEP

    98304:3LsCPUwTp1ATLdiRmAAnQ8AoY0JxDow5FXJ8QAyFqbpu8:7KwXAdLPYCUc2QDFmV

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Users\Admin\AppData\Local\Temp\system.exe
        "C:\Users\Admin\AppData\Local\Temp\system.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
          4⤵
            PID:4916
        • C:\Users\Admin\AppData\Local\Temp\sys.exe
          "C:\Users\Admin\AppData\Local\Temp\sys.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4296
          • C:\Users\Default\Templates\winlogon.exe
            "C:\Users\Default\Templates\winlogon.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Tasks\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3340

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Execution: Scheduled Task (1) T1053
    • Persistence: Scheduled Task (1) T1053
    • Privilege Escalation: Scheduled Task (1) T1053
    • Credential Access: Credentials in Files (2) T1081
    • Discovery: Query Registry (1) T1012; System Information Discovery (2) T1082
    • Collection: Data from Local System (2) T1005

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\sys.exe
      Filesize

      1.4MB

      MD5

      bbd5709ac40896d243f619941d4789c3

      SHA1

      d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

      SHA256

      d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

      SHA512

      61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

    • C:\Users\Admin\AppData\Local\Temp\system.exe
      Filesize

      2.5MB

      MD5

      d4c1aa3204a0a20362be094af647d35c

      SHA1

      f4078cff90e96e64477c3a5ecf9f7b4c5f41a888

      SHA256

      6b17273197480205ca53e9cca4298dc16346b65ac29d5ca883690ab1ff1b4183

      SHA512

      2891a2b728d0363a55a15d2159702407ebe7132a325038747240d5768b3e43d85f0ed9bf22c4c4c1cbc1658bd4271bad69ad24117fb6f50f1b2ac1dc9f657ac2

    • C:\Users\Admin\AppData\Roaming\bebra.exe
      Filesize

      5B

      MD5

      8b1a9953c4611296a827abf8c47804d7

      SHA1

      f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0

      SHA256

      185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

      SHA512

      3615f80c9d293ed7402687f94b22d58e529b8cc7916f8fac7fddf7fbd5af4cf777d3d795a7a00a16bf7e7f3fb9561ee9baae480da9fe7a18769e71886b03f315

    • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\winlogon.exe
      Filesize

      1.4MB

      MD5

      bbd5709ac40896d243f619941d4789c3

      SHA1

      d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

      SHA256

      d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

      SHA512

      61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

    • C:\Users\Default\Templates\winlogon.exe
      Filesize

      1.4MB

      MD5

      bbd5709ac40896d243f619941d4789c3

      SHA1

      d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

      SHA256

      d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

      SHA512

      61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

    • memory/1180-152-0x0000000000000000-mapping.dmp
    • memory/1180-157-0x00007FFE4E700000-0x00007FFE4F1C1000-memory.dmp
      Filesize

      10.8MB

    • memory/1180-156-0x00007FFE4E700000-0x00007FFE4F1C1000-memory.dmp
      Filesize

      10.8MB

    • memory/2268-135-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

    • memory/2268-134-0x0000000000000000-mapping.dmp
    • memory/2416-132-0x00000000008D0000-0x0000000000E4A000-memory.dmp
      Filesize

      5.5MB

    • memory/4168-141-0x0000000000000000-mapping.dmp
    • memory/4296-151-0x000000001CA80000-0x000000001CFA8000-memory.dmp
      Filesize

      5.2MB

    • memory/4296-150-0x00007FFE4E700000-0x00007FFE4F1C1000-memory.dmp
      Filesize

      10.8MB

    • memory/4296-149-0x000000001C3D0000-0x000000001C420000-memory.dmp
      Filesize

      320KB

    • memory/4296-144-0x0000000000000000-mapping.dmp
    • memory/4296-155-0x00007FFE4E700000-0x00007FFE4F1C1000-memory.dmp
      Filesize

      10.8MB

    • memory/4296-147-0x0000000000060000-0x00000000001C2000-memory.dmp
      Filesize

      1.4MB

    • memory/4916-143-0x0000000000000000-mapping.dmp