Analysis
- max time kernel: 61s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 03:16
Behavioral task behavioral1
- Sample: HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
- Resource: win10v2004-20221111-en
General
- Target: HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
- Size: 1.1MB
- MD5: 96e7fbbe91a544face9f073d359eb4f6
- SHA1: f148a329a3a8bb6bc97ccc01139a3651eef3d8bd
- SHA256: 3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483
- SHA512: 95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569
- SSDEEP: 24576:xKdL0OLe2/fCNK1PfW9ckdV6Yit9shid+4:gd0IvkKJH0D
Malware Config
Signatures

- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Processes:
    resource | yara_rule
    behavioral2/memory/4860-132-0x0000000000660000-0x0000000000780000-memory.dmp | dcrat
    C:\Windows\System32\deploymentcsps\dllhost.exe | dcrat
    C:\Windows\System32\deploymentcsps\dllhost.exe | dcrat
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    4516 | dllhost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
- Drops file in System32 directory (4 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\System32\deploymentcsps\dllhost.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
    File created | C:\Windows\System32\deploymentcsps\5940a34987c99120d96dace90a3f93f329dcad63 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
    File created | C:\Windows\System32\wbem\PrintManagementProvider\WmiPrvSE.exe | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
    File created | C:\Windows\System32\wbem\PrintManagementProvider\24dbde2999530ef5fd907494bc374d663924116c | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 6 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid | process
    4084 | schtasks.exe
    1536 | schtasks.exe
    1868 | schtasks.exe
    4300 | schtasks.exe
    3364 | schtasks.exe
    1660 | schtasks.exe
- Modifies registry class (1 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe

- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
    4516 | dllhost.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
    Token: SeDebugPrivilege | 4516 | dllhost.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description | pid | process | target process
    PID 4860 wrote to memory of 1536 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 1536 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 1868 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 1868 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 4300 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 4300 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 3364 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 3364 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 1660 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 1660 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 4084 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 4084 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | schtasks.exe
    PID 4860 wrote to memory of 1628 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | cmd.exe
    PID 4860 wrote to memory of 1628 | 4860 | HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe | cmd.exe
    PID 1628 wrote to memory of 1604 | 1628 | cmd.exe | chcp.com
    PID 1628 wrote to memory of 1604 | 1628 | cmd.exe | chcp.com
    PID 1628 wrote to memory of 4348 | 1628 | cmd.exe | PING.EXE
    PID 1628 wrote to memory of 4348 | 1628 | cmd.exe | PING.EXE
    PID 1628 wrote to memory of 4516 | 1628 | cmd.exe | dllhost.exe
    PID 1628 wrote to memory of 4516 | 1628 | cmd.exe | dllhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PerfLogs\SppExtComObj.exe'" /rl HIGHEST /f
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\jawshtml\HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe'" /rl HIGHEST /f
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\deploymentcsps\dllhost.exe'" /rl HIGHEST /f
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Application Data\smss.exe'" /rl HIGHEST /f
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\PrintManagementProvider\WmiPrvSE.exe'" /rl HIGHEST /f
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1ZexmEaf4.bat"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
    - C:\Windows\system32\PING.EXE
      Command line: ping -n 5 localhost
      Signatures:
      - Runs ping.exe
    - C:\Windows\System32\deploymentcsps\dllhost.exe
      Command line: "C:\Windows\System32\deploymentcsps\dllhost.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\s1ZexmEaf4.bat
  Filesize: 212B
  MD5: d557f97584b67cda36aab47b2264e37c
  SHA1: 6592c947952684e80903f230ca5323436f78b960
  SHA256: 236ef06af69226e31c2073b6384959ba6ea7cf217484181b5fb7a331dad41676
  SHA512: acee98a5acaac461fa182fdda999123fb49b515f3c8a706296e67d9ee28d69266fda50861b0a9332bb564b60f2ec08135aaf1e5d499207a49e55a9305dddde4a
- C:\Windows\System32\deploymentcsps\dllhost.exe
  Filesize: 1.1MB
  MD5: 96e7fbbe91a544face9f073d359eb4f6
  SHA1: f148a329a3a8bb6bc97ccc01139a3651eef3d8bd
  SHA256: 3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483
  SHA512: 95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569