Analysis
max time kernel: 133s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2023 08:41
Behavioral task behavioral1
Sample: a8327e7f73f4d7a3931072ca1e489d82.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: a8327e7f73f4d7a3931072ca1e489d82.exe
Resource: win10v2004-20221111-en
The signatures, process tree and dumps on this page are from behavioral2, the Windows 10 run.
General
Target: a8327e7f73f4d7a3931072ca1e489d82.exe
Size: 1.5MB
MD5: a8327e7f73f4d7a3931072ca1e489d82
SHA1: 33fa6a7fa73a790c876582c9f638fc7e71a0f284
SHA256: 38ee5db6247e3637509a731d894af10c97be040b388aac5a87b9b4a0b19a03c3
SHA512: d7f1ea19127350fc1f4fce1942342b52c128fec6113b7eceac7491da599a292b63e5c0508b2ef17df02aed853b9e24b2d17cc71342d56f9239df914a56e4dae4
SSDEEP: 24576:P2G/nvxW3WV0Boz7PdSo8OhfvG83PxEXY5TZ95f+bYy4HKTtadCK2yseqa+B7:PbA3HBodSo80/GXC9+bl4ewpEe+h
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins. The classification here rests on YARA matches against the dropped executables and against a memory dump of the Hypersaves.exe process (pid 1708):
  resource                                                                       yara_rule
  C:\brokerperf\Hypersaves.exe                                                   dcrat
  C:\brokerperf\Hypersaves.exe                                                   dcrat
  behavioral2/memory/1708-139-0x0000000000840000-0x0000000000976000-memory.dmp  dcrat
  C:\odt\dllhost.exe                                                             dcrat
  C:\odt\dllhost.exe                                                             dcrat
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is WmiPrvSE.exe (the WMI Provider Host, pid 2932), which is the parent of every process created through WMI's Win32_Process class; the fifteen schtasks.exe children were most likely launched that way by the RAT rather than through an exploit, and the same indirection is why they appear at the top level of the process tree below instead of under Hypersaves.exe.
Processes: schtasks.exe (15 instances)
  child pid  child process  parent pid  parent process
  4776       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  308        schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  208        schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  4800       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  3088       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  4840       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  3288       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  1388       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  4980       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  3640       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  3608       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  4976       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  4516       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  1852       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
  5108       schtasks.exe   2932        C:\Windows\system32\wbem\wmiprvse.exe
-
Executes dropped EXE 2 IoCs
Processes: Hypersaves.exe, dllhost.exe
  pid   process
  1708  Hypersaves.exe
  5028  dllhost.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence. The same value is read during ordinary locale initialisation (for example when a .NET program queries the current region), so on its own this is a weak indicator; it is reported because three stages of the chain read it.
Processes: a8327e7f73f4d7a3931072ca1e489d82.exe, WScript.exe, Hypersaves.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  a8327e7f73f4d7a3931072ca1e489d82.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  Hypersaves.exe
-
Drops file in Program Files directory 4 IoCs
Each executable is written next to a small companion file with a random-looking name (55b276f4edf653, 56085415360792). Both directories are legitimate Microsoft .NET and MSBuild paths that do not normally contain executables of these names, and writing under Program Files requires administrative rights, so the RAT was running elevated in this run.
Processes: Hypersaves.exe
  description   ioc                                                                               process
  File created  C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe       Hypersaves.exe
  File created  C:\Program Files (x86)\Microsoft.NET\RedistList\55b276f4edf653                    Hypersaves.exe
  File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe   Hypersaves.exe
  File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\56085415360792  Hypersaves.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. That wording is the signature's generic description: nothing else in this report (no encryption, no mass file modification) supports a ransomware reading for this sample, which is classified as a RAT.
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The fifteen commands (listed in full in the process tree) follow one pattern per payload: a task that re-runs the binary every few minutes, an ONLOGON task with /rl HIGHEST, and a second every-N-minutes task with /rl HIGHEST. Because every command uses /f, the later MINUTE task silently overwrites the earlier one of the same name, so the surviving set per payload is an elevated logon trigger plus an elevated repeating trigger that relaunches the binary within minutes if it is killed. Task names copy the target's file name (SearchApp, conhost, dllhost, StartMenuExperienceHost, wininit), and every target path uses a Windows-binary name outside C:\Windows (the C:\odt\dllhost.exe copy has the same hashes as Hypersaves.exe). Note that C:\Users\Public\Videos\SearchApp.exe and C:\odt\conhost.exe are referenced by tasks but no file write to either path is recorded in this report.
Processes: schtasks.exe (15 instances)
  pid   process
  308   schtasks.exe
  1852  schtasks.exe
  5108  schtasks.exe
  3640  schtasks.exe
  3608  schtasks.exe
  4776  schtasks.exe
  208   schtasks.exe
  3288  schtasks.exe
  4980  schtasks.exe
  4800  schtasks.exe
  3088  schtasks.exe
  1388  schtasks.exe
  4516  schtasks.exe
  4840  schtasks.exe
  4976  schtasks.exe
-
Modifies registry class 2 IoCs
Creation of the per-user ..._Classes\Local Settings key is routine shell and COM activity and carries little weight on its own.
Processes: a8327e7f73f4d7a3931072ca1e489d82.exe, Hypersaves.exe
  description  ioc                                                                              process
  Key created  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings  a8327e7f73f4d7a3931072ca1e489d82.exe
  Key created  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings  Hypersaves.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: Hypersaves.exe, dllhost.exe
  pid   process         events
  1708  Hypersaves.exe  7
  5028  dllhost.exe     9
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Repeated GetForegroundWindow polling is consistent with a RAT tracking the active window, for example to log window titles or to give keystroke logs context.
Processes: dllhost.exe
  pid   process
  5028  dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Both copies of the payload enable SeDebugPrivilege, which is present only in an elevated administrator token and is needed to open processes belonging to other users or the system.
Processes: Hypersaves.exe, dllhost.exe
  description              pid   process
  Token: SeDebugPrivilege  1708  Hypersaves.exe
  Token: SeDebugPrivilege  5028  dllhost.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Every writer/target pair below is a parent writing into a child it has just created, matching the process tree exactly; these are the normal writes made when starting a process, not injection into an unrelated process.
Processes: a8327e7f73f4d7a3931072ca1e489d82.exe, WScript.exe, cmd.exe, Hypersaves.exe, cmd.exe
  description                       pid   target pid  process                               target process  events
  PID 376 wrote to memory of 4312   376   4312        a8327e7f73f4d7a3931072ca1e489d82.exe  WScript.exe     3
  PID 4312 wrote to memory of 1952  4312  1952        WScript.exe                           cmd.exe         3
  PID 1952 wrote to memory of 1708  1952  1708        cmd.exe                               Hypersaves.exe  2
  PID 1708 wrote to memory of 1312  1708  1312        Hypersaves.exe                        cmd.exe         2
  PID 1312 wrote to memory of 2284  1312  2284        cmd.exe                               w32tm.exe       2
  PID 1312 wrote to memory of 5028  1312  5028        cmd.exe                               dllhost.exe     2
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\a8327e7f73f4d7a3931072ca1e489d82.exe (pid 376)
  command line: "C:\Users\Admin\AppData\Local\Temp\a8327e7f73f4d7a3931072ca1e489d82.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\WScript.exe (pid 4312)
    command line: "C:\Windows\System32\WScript.exe" "C:\brokerperf\yzbbss9f6DVhZcZfA4yi.vbe"
    The image path is SysWOW64 although the command line names System32: the 1.5 MB dropper is a 32-bit process, so WOW64 file-system redirection resolves System32 to SysWOW64 for it. The .vbe is a 216-byte encoded VBScript (see Downloads).
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\cmd.exe (pid 1952)
      command line: C:\Windows\system32\cmd.exe /c ""C:\brokerperf\05no77bTSSxqXTtNATW8hKup6yLON.bat" "
      The batch file is 30 bytes; per this tree its only job is to start Hypersaves.exe.
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\brokerperf\Hypersaves.exe (pid 1708)
        command line: "C:\brokerperf\Hypersaves.exe"
        The DcRat payload (1.2 MB, dcrat YARA match). It runs as a 64-bit process: its module mappings in the memory dumps sit at 0x00007FFD... addresses, which a 32-bit process cannot have.
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\System32\cmd.exe (pid 1312)
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5LnsTu22OR.bat"
          - Suspicious use of WriteProcessMemory
          Depth 6: C:\Windows\system32\w32tm.exe (pid 2284)
            command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            Used as a delay, not for time synchronisation: two samples five seconds apart against localhost take about five seconds and produce nothing the 183-byte batch file uses. It is a stand-in for timeout or ping before the payload is relaunched from its persistence path.
          Depth 6: C:\odt\dllhost.exe (pid 5028)
            command line: "C:\odt\dllhost.exe"
            Byte-identical to Hypersaves.exe (same MD5/SHA256 in Downloads): the RAT relaunched from one of its persistence paths under a Windows-binary name.
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
-
The fifteen schtasks.exe processes below sit at depth 1 because their parent is WmiPrvSE.exe (pid 2932), not Hypersaves.exe; see "Process spawned unexpected child process" above. Each carries the same two signatures: Process spawned unexpected child process; Creates scheduled task(s).
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\SearchApp.exe'" /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Videos\SearchApp.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\SearchApp.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
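The two behaviours in this tree that are worth turning into detections are WmiPrvSE.exe spawning schtasks.exe and the batch of schtasks /create commands that point Windows-binary names at paths outside C:\Windows. The following is an added example written for this page, not code from the sandbox or from the sample. It runs over process-creation records constructed here from the report's own parent/child pairs, PIDs and command lines, with a field layout modelled on Sysmon Event ID 1; which schtasks PID issued which command is not in the report and is assigned arbitrarily, and the benign control event, the function names and the rule thresholds are this example's own choices.

```python
"""Detection checks over constructed process-creation events (added example).

Field layout (pid, ppid, parent_image, image, cmdline) is modelled on Sysmon
Event ID 1 and is not a real log format. The sample events are built from the
parent/child pairs, PIDs and schtasks command lines shown in the report; the
pairing of PID to command line is assumed, and the benign control is invented.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Windows-native binary names this sample reuses for its dropped copies. Real
# copies live under C:\Windows\ (System32, SysWOW64, SystemApps); the same
# file name anywhere else is masquerading.
WINDOWS_BINARY_NAMES = {"dllhost.exe", "conhost.exe", "wininit.exe",
                        "searchapp.exe", "startmenuexperiencehost.exe"}

# A parent of WmiPrvSE.exe means the child was created through WMI
# (Win32_Process.Create); it has no business launching schedulers or shells.
SUSPICIOUS_PARENTS = {"wmiprvse.exe"}
SUSPICIOUS_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"}

_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
_SC = re.compile(r'/sc\s+(\w+)', re.I)
_MO = re.compile(r'/mo\s+(\d+)', re.I)
_TR = re.compile(r'/tr\s+"([^"]*)"', re.I)
_RL = re.compile(r'/rl\s+(\w+)', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass
class TaskIOC:
    name: str
    schedule: str   # "ONLOGON" or "MINUTE/9" (trigger plus /mo modifier)
    target: str     # program the task runs
    highest: bool   # /rl HIGHEST requested


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks_create(cmdline: str) -> Optional[TaskIOC]:
    """Extract name, schedule and target from a 'schtasks /create' line."""
    if "/create" not in cmdline.lower():
        return None
    tn, sc, tr = _TN.search(cmdline), _SC.search(cmdline), _TR.search(cmdline)
    if not (tn and sc and tr):
        return None
    mo = _MO.search(cmdline)
    schedule = sc.group(1).upper() + (f"/{mo.group(1)}" if mo else "")
    rl = _RL.search(cmdline)
    # The sample wraps the target in single quotes inside the double quotes.
    target = tr.group(1).strip().strip("'")
    return TaskIOC(tn.group(1), schedule, target,
                   bool(rl and rl.group(1).upper() == "HIGHEST"))


def is_masquerading(path: str) -> bool:
    return (basename(path) in WINDOWS_BINARY_NAMES
            and not path.lower().startswith("c:\\windows\\"))


def analyse(events):
    """Return a list of (kind, detail) findings for a batch of events."""
    findings = []
    tasks_by_target = {}
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent in SUSPICIOUS_PARENTS and child in SUSPICIOUS_CHILDREN:
            findings.append(("unexpected_child",
                             f"{parent} (pid {ev.ppid}) -> {child} (pid {ev.pid})"))
        task = parse_schtasks_create(ev.cmdline)
        if task:
            tasks_by_target.setdefault(task.target.lower(), []).append(task)
    for target, tasks in tasks_by_target.items():
        if is_masquerading(target):
            findings.append(("masquerading",
                             target + " via " + ", ".join(t.name for t in tasks)))
        # DcRat-style layering: an ONLOGON task plus repeating MINUTE tasks for
        # one payload, at least one of them requesting the highest run level.
        triggers = {t.schedule.split("/")[0] for t in tasks}
        if {"ONLOGON", "MINUTE"} <= triggers and any(t.highest for t in tasks):
            findings.append(("layered_persistence", target))
    return findings


# --- constructed sample events (assumed PID-to-command pairing) -------------
def _create_cmd(name, trigger, target, highest=False):
    """Rebuild a schtasks line in the exact syntax the report shows."""
    rl = " /rl HIGHEST" if highest else ""
    return f'schtasks.exe /create /tn "{name}" /sc {trigger} /tr "\'{target}\'"{rl} /f'


def _schtask(pid, ppid, parent, cmd):
    return ProcEvent(pid, ppid, parent, r"C:\Windows\system32\schtasks.exe", cmd)


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SEARCHAPP = r"C:\Users\Public\Videos\SearchApp.exe"
DLLHOST = r"C:\odt\dllhost.exe"
SAMPLE_EVENTS = [
    _schtask(4776, 2932, WMI, _create_cmd("SearchAppS", "MINUTE /mo 9", SEARCHAPP)),
    _schtask(308, 2932, WMI, _create_cmd("SearchApp", "ONLOGON", SEARCHAPP, True)),
    _schtask(208, 2932, WMI, _create_cmd("SearchAppS", "MINUTE /mo 11", SEARCHAPP, True)),
    _schtask(4800, 2932, WMI, _create_cmd("dllhostd", "MINUTE /mo 8", DLLHOST)),
    _schtask(3088, 2932, WMI, _create_cmd("dllhost", "ONLOGON", DLLHOST, True)),
    _schtask(4840, 2932, WMI, _create_cmd("dllhostd", "MINUTE /mo 5", DLLHOST, True)),
    # Invented benign control: an administrator's shell creating a daily task.
    _schtask(6001, 1234, r"C:\Windows\System32\cmd.exe",
             r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe"'),
]

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```

Run stand-alone it prints six unexpected-child findings, one masquerading finding per target (SearchApp.exe under Public\Videos, dllhost.exe under C:\odt) and two layered-persistence findings, and nothing for the benign control. On a real endpoint the same three rules map directly onto Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the masquerading rule deliberately keys on the file name rather than on the hash, since the RAT's copies here have the same hash as Hypersaves.exe but a future build would not.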
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5LnsTu22OR.bat
Filesize: 183B
MD5: 6ebbe00319e29874452d2b739838f699
SHA1: 9855f0ba5a30302443d922822b5b0b816631c28d
SHA256: ac3c179826e65a87b6629a139370b888b4d4d9aeae13403a545c436f9ef9d9b1
SHA512: 44527e06014d4cf20a3f9091c988b7d90a94d524edc8b321b10f5b7237e1fd836d2aa11d1fa7cfaf78f48892c2251d9df23c0c4c435441075eb68366544447d2
-
C:\brokerperf\05no77bTSSxqXTtNATW8hKup6yLON.bat
Filesize: 30B
MD5: 40887cda573d24c154df9f6ecc8508b7
SHA1: 2991ac00d79b896c1433fa0edba4b176a75738a4
SHA256: fa50577412b6e089d86ea596b6838c2d9ee37c73c70815e546e71d759cd07b7e
SHA512: 593c9184332faedbc70a3152ee264850d5b0c39b7e080edf9bad9530fbb031964bede11e05617168c1ec9291c68c190db645215484f15f39d535c7d7fbcb77b7
-
C:\brokerperf\Hypersaves.exe
Filesize: 1.2MB
MD5: b313d25c0fed1c6069e6a72e73a5751f
SHA1: 1717db41053d68f4b6cb0619eaee7d7617a6ebc9
SHA256: 01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd
SHA512: 6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3
-
C:\brokerperf\yzbbss9f6DVhZcZfA4yi.vbe
Filesize: 216B
MD5: e7db9f8708a135db0bb83dafb0f9256b
SHA1: fee4cc69a17f2633ead4ff37798d3dfdaba83081
SHA256: 2bbc8edaf231e644b254b41338ef3dd019bbbac117c0b204907d8274ea2dded9
SHA512: 09c201f43cd84008787c657810ec31936827026a6a05bc8ed502b0cb6cb850c81d60a712f98d8bbb7f921b4d2c686a007e456ca7b7455f4924537373ff90b83d
-
C:\odt\dllhost.exe (same hashes as C:\brokerperf\Hypersaves.exe)
Filesize: 1.2MB
MD5: b313d25c0fed1c6069e6a72e73a5751f
SHA1: 1717db41053d68f4b6cb0619eaee7d7617a6ebc9
SHA256: 01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd
SHA512: 6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3
-
Process memory dumps (memory/<pid>-<index>-<range>):
memory/1312-142-0x0000000000000000-mapping.dmp
memory/1708-140-0x000000001B560000-0x000000001B5B0000-memory.dmp  Filesize: 320KB
memory/1708-141-0x00007FFDA4430000-0x00007FFDA4EF1000-memory.dmp  Filesize: 10.8MB
memory/1708-139-0x0000000000840000-0x0000000000976000-memory.dmp  Filesize: 1.2MB  (matches the Hypersaves.exe file size; this is the region that matched the dcrat YARA rule)
memory/1708-145-0x00007FFDA4430000-0x00007FFDA4EF1000-memory.dmp  Filesize: 10.8MB
memory/1708-136-0x0000000000000000-mapping.dmp
memory/1952-135-0x0000000000000000-mapping.dmp
memory/2284-144-0x0000000000000000-mapping.dmp
memory/4312-132-0x0000000000000000-mapping.dmp
memory/5028-146-0x0000000000000000-mapping.dmp
memory/5028-149-0x00007FFDA4000000-0x00007FFDA4AC1000-memory.dmp  Filesize: 10.8MB
memory/5028-150-0x00007FFDA4000000-0x00007FFDA4AC1000-memory.dmp  Filesize: 10.8MB