Analysis
- max time kernel: 90s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-01-2023 09:51
Behavioral task: behavioral1
- Sample: ae23ccbd31f96a4051015724d155f40e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ae23ccbd31f96a4051015724d155f40e.exe
- Resource: win10v2004-20221111-en
General
- Target: ae23ccbd31f96a4051015724d155f40e.exe
- Size: 828KB
- MD5: ae23ccbd31f96a4051015724d155f40e
- SHA1: 799439e532b69c36f2e1fb5346ae7f93510c9594
- SHA256: c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69
- SHA512: 61f683a97b8bc1550af40253e2c2e42d8edf4a5c06afb3f5dcc9216ab10c16550f9647ac6dbc85c1f5b3b7b8ab860090ccd6b92b8f41905264b079baf3ae16f8
- SSDEEP: 12288:23SruAQLbAfu30JfjobsOk4VJ4eCeIPrHyw735Mg2Ob/B:gcuA8bA/JfjoLkO4ea15F2OTB
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (12 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1152 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4976 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4856 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4868 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4840 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1048 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3756 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3392 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3552 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4788 | 3028 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1908 | 3028 | schtasks.exe |
-
Processes:
resource | yara_rule
behavioral2/memory/1948-132-0x0000000000430000-0x0000000000506000-memory.dmp | dcrat
C:\Recovery\WindowsRE\winlogon.exe | dcrat
C:\Recovery\WindowsRE\winlogon.exe | dcrat
-
Executes dropped EXE 1 IoCs
Processes: winlogon.exe
pid | process
4484 | winlogon.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ae23ccbd31f96a4051015724d155f40e.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | ae23ccbd31f96a4051015724d155f40e.exe
-
Drops file in Program Files directory 5 IoCs
Processes: ae23ccbd31f96a4051015724d155f40e.exe
description | ioc | process
File created | C:\Program Files\Microsoft Office 15\SppExtComObj.exe | ae23ccbd31f96a4051015724d155f40e.exe
File created | C:\Program Files\Microsoft Office 15\e1ef82546f0b02 | ae23ccbd31f96a4051015724d155f40e.exe
File created | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | ae23ccbd31f96a4051015724d155f40e.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | ae23ccbd31f96a4051015724d155f40e.exe
File created | C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d | ae23ccbd31f96a4051015724d155f40e.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (12 instances)
pid | process
4840 | schtasks.exe
1048 | schtasks.exe
3392 | schtasks.exe
3552 | schtasks.exe
4788 | schtasks.exe
1152 | schtasks.exe
4976 | schtasks.exe
4868 | schtasks.exe
1908 | schtasks.exe
4912 | schtasks.exe
4856 | schtasks.exe
3756 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: ae23ccbd31f96a4051015724d155f40e.exe, winlogon.exe
pid | process
1948 | ae23ccbd31f96a4051015724d155f40e.exe
1948 | ae23ccbd31f96a4051015724d155f40e.exe
1948 | ae23ccbd31f96a4051015724d155f40e.exe
1948 | ae23ccbd31f96a4051015724d155f40e.exe
1948 | ae23ccbd31f96a4051015724d155f40e.exe
4484 | winlogon.exe
4484 | winlogon.exe
4484 | winlogon.exe
4484 | winlogon.exe
4484 | winlogon.exe
4484 | winlogon.exe
4484 | winlogon.exe
4484 | winlogon.exe
4484 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: ae23ccbd31f96a4051015724d155f40e.exe, winlogon.exe
description | pid | process
Token: SeDebugPrivilege | 1948 | ae23ccbd31f96a4051015724d155f40e.exe
Token: SeDebugPrivilege | 4484 | winlogon.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: ae23ccbd31f96a4051015724d155f40e.exe
description | pid | process | target process
PID 1948 wrote to memory of 4484 | 1948 | ae23ccbd31f96a4051015724d155f40e.exe | winlogon.exe
PID 1948 wrote to memory of 4484 | 1948 | ae23ccbd31f96a4051015724d155f40e.exe | winlogon.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ae23ccbd31f96a4051015724d155f40e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae23ccbd31f96a4051015724d155f40e.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Recovery\WindowsRE\winlogon.exe (child process)
    Command line: "C:\Recovery\WindowsRE\winlogon.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Recovery\WindowsRE\winlogon.exe
Filesize: 828KB
MD5: ae23ccbd31f96a4051015724d155f40e
SHA1: 799439e532b69c36f2e1fb5346ae7f93510c9594
SHA256: c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69
SHA512: 61f683a97b8bc1550af40253e2c2e42d8edf4a5c06afb3f5dcc9216ab10c16550f9647ac6dbc85c1f5b3b7b8ab860090ccd6b92b8f41905264b079baf3ae16f8
-
memory/1948-132-0x0000000000430000-0x0000000000506000-memory.dmp
Filesize: 856KB
-
memory/1948-133-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp
Filesize: 10.8MB
-
memory/1948-137-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp
Filesize: 10.8MB
-
memory/4484-134-0x0000000000000000-mapping.dmp
-
memory/4484-138-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp
Filesize: 10.8MB
-
memory/4484-139-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp
Filesize: 10.8MB