Analysis
- max time kernel: 134s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 14:01
Behavioral task behavioral1
- Sample: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- Resource: win10v2004-20220812-en
General
- Target: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- Size: 1.3MB
- MD5: bbcb2719208a4b82dce603101e18c7d9
- SHA1: dc778b4cc86f331381cbbccf6c823a2c31225288
- SHA256: 1901ac563dc9ca30665837cb510c5e05b757e0017ac8e6dd038f1b8b87a69e30
- SHA512: adec71d8daf3ae8bb241840808fb274bb997f8554b47057270c0cf06cc4696a6e1a55ebd977c7e67f8b66d08b36aed430498e6f209b7b543cf76d38c2c040a90
- SSDEEP: 24576:t/4NroVWFKq4XG+b3cuEx9V9P8nt6Qhc0yB+4:KNroVWhclcuE9VWoIJ
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
Process: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
Registry key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- Set value (str) = "explorer.exe, \"C:\\Windows\\System32\\PersonalizationCSP\\taskhostw.exe\""
- Set value (str) = "explorer.exe, \"C:\\Windows\\System32\\PersonalizationCSP\\taskhostw.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\""
- Set value (str) = "explorer.exe, \"C:\\Windows\\System32\\PersonalizationCSP\\taskhostw.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\""
- Set value (str) = "explorer.exe, \"C:\\Windows\\System32\\PersonalizationCSP\\taskhostw.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\ProgramData\\ssh\\Idle.exe\""
- Set value (str) = "explorer.exe, \"C:\\Windows\\System32\\PersonalizationCSP\\taskhostw.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\ProgramData\\ssh\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\smss.exe\""
- Set value (str) = "explorer.exe, \"C:\\Windows\\System32\\PersonalizationCSP\\taskhostw.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\ProgramData\\ssh\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\smss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0\\OfficeClickToRun.exe\""
DcRat YARA rule matches (rule: dcrat)
- behavioral2/memory/2548-132-0x00000000001F0000-0x0000000000342000-memory.dmp
- C:\PerfLogs\SppExtComObj.exe
- C:\PerfLogs\SppExtComObj.exe
Executes dropped EXE (1 IoCs)
- PID 3692: SppExtComObj.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Process: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 12 IoCs)
Process: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\ssh\\Idle.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\ssh\\Idle.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\Temp\\smss.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Documents and Settings\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Documents and Settings\\OfficeClickToRun.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PerfLogs\\SppExtComObj.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PerfLogs\\SppExtComObj.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\Temp\\smss.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\PersonalizationCSP\\taskhostw.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\PersonalizationCSP\\taskhostw.exe\""
Drops file in System32 directory (3 IoCs)
Process: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- File created: C:\Windows\System32\PersonalizationCSP\taskhostw.exe
- File opened for modification: C:\Windows\System32\PersonalizationCSP\taskhostw.exe
- File created: C:\Windows\System32\PersonalizationCSP\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988
Drops file in Program Files directory (4 IoCs)
Process: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- File created: C:\Program Files (x86)\Microsoft\Temp\smss.exe
- File created: C:\Program Files (x86)\Microsoft\Temp\69ddcba757bf72f7d36c464c71f42baab150b2b9
- File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0\OfficeClickToRun.exe
- File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0\e6c9b481da804f07baff8eff543b0a1441069b5d
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe with PIDs 1548, 4708, 4400, 4656, 4344, 1932
Modifies registry class (1 IoCs)
Process: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2548: HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- PID 3692: SppExtComObj.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2548, HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
- Token: SeDebugPrivilege, PID 3692, SppExtComObj.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Each entry: source PID wrote to memory of target PID (source process -> target process)
- PID 2548 wrote to memory of 4344 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 4344 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 1932 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 1932 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 1548 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 1548 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 4708 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 4708 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 4400 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 4400 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 4656 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 4656 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> schtasks.exe)
- PID 2548 wrote to memory of 720 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> cmd.exe)
- PID 2548 wrote to memory of 720 (HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe -> cmd.exe)
- PID 720 wrote to memory of 4888 (cmd.exe -> chcp.com)
- PID 720 wrote to memory of 4888 (cmd.exe -> chcp.com)
- PID 720 wrote to memory of 2392 (cmd.exe -> PING.EXE)
- PID 720 wrote to memory of 2392 (cmd.exe -> PING.EXE)
- PID 720 wrote to memory of 3692 (cmd.exe -> SppExtComObj.exe)
- PID 720 wrote to memory of 3692 (cmd.exe -> SppExtComObj.exe)
Processes
Process tree; the number in brackets is the depth in the tree, and each entry lists its image path, command line and the signatures attributed to it.
- [1] C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.LightStone.gen-1901ac563dc.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Drops file in System32 directory; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\PersonalizationCSP\taskhostw.exe'" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - [2] C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PerfLogs\SppExtComObj.exe'" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - [2] C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - [2] C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\ssh\Idle.exe'" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - [2] C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\smss.exe'" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - [2] C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8kssQNp1lk.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\chcp.com
      Command line: chcp 65001
    - [3] C:\Windows\system32\PING.EXE
      Command line: ping -n 5 localhost
      Signatures: Runs ping.exe
    - [3] C:\PerfLogs\SppExtComObj.exe
      Command line: "C:\PerfLogs\SppExtComObj.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\PerfLogs\SppExtComObj.exe
  Filesize: 1.3MB
  MD5: bbcb2719208a4b82dce603101e18c7d9
  SHA1: dc778b4cc86f331381cbbccf6c823a2c31225288
  SHA256: 1901ac563dc9ca30665837cb510c5e05b757e0017ac8e6dd038f1b8b87a69e30
  SHA512: adec71d8daf3ae8bb241840808fb274bb997f8554b47057270c0cf06cc4696a6e1a55ebd977c7e67f8b66d08b36aed430498e6f209b7b543cf76d38c2c040a90
- C:\Users\Admin\AppData\Local\Temp\8kssQNp1lk.bat
  Filesize: 194B
  MD5: 5ba0d04e4fa4997d9699e0016abd62c0
  SHA1: 5104fa2aa3f1fceaf06ad281068621889f28b506
  SHA256: 48927ef34cfd0a98ecebdb9d84b289f52e1f4ab4856cd5a2cf888245b33ac8a8
  SHA512: 4e402bfd70737b71bac05fb824136bc8d7624eab49546bcfb272856a2d0d4636f61b520844c33e7b457069bd412faba480ec90f7a687751f5746844774d6d61f
Memory dumps
- memory/720-140-0x0000000000000000-mapping.dmp
- memory/1548-136-0x0000000000000000-mapping.dmp
- memory/1932-135-0x0000000000000000-mapping.dmp
- memory/2392-144-0x0000000000000000-mapping.dmp
- memory/2548-143-0x00007FFA6DF40000-0x00007FFA6EA01000-memory.dmp (Filesize: 10.8MB)
- memory/2548-132-0x00000000001F0000-0x0000000000342000-memory.dmp (Filesize: 1.3MB)
- memory/2548-133-0x00007FFA6DF40000-0x00007FFA6EA01000-memory.dmp (Filesize: 10.8MB)
- memory/3692-145-0x0000000000000000-mapping.dmp
- memory/3692-148-0x00007FFA6DF40000-0x00007FFA6EA01000-memory.dmp (Filesize: 10.8MB)
- memory/3692-149-0x00007FFA6DF40000-0x00007FFA6EA01000-memory.dmp (Filesize: 10.8MB)
- memory/4344-134-0x0000000000000000-mapping.dmp
- memory/4400-138-0x0000000000000000-mapping.dmp
- memory/4656-139-0x0000000000000000-mapping.dmp
- memory/4708-137-0x0000000000000000-mapping.dmp
- memory/4888-142-0x0000000000000000-mapping.dmp