Analysis
- max time kernel: 142s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 21:26
Static task: static1
Behavioral task: behavioral1
- Sample: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
- Resource: win10v2004-20220812-en
General
- Target: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
- Size: 433KB
- MD5: 2e421d1efddf596ee6487321df0ae484
- SHA1: 38cdf0bd60efdb86c0ea363cfb3c5fbd2ddf997b
- SHA256: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca
- SHA512: 72a642acfccfc83f84ab7723c9e5f31c678233d8959c11a8afcdc8a1f8e98940d33865a77ea93a4ec477bb068a9310b8d427e14f6078668d5ad578acdf65b247
- SSDEEP: 12288:0Qnk3GDYKGcblwtX+t4Y8vd9CaOUG5Y+mh:IAOcZwXYO2J5zE
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
-
Processes (resource: yara_rule):
- C:\perfinto\crtwin.exe: dcrat
- C:\perfinto\crtwin.exe: dcrat
- behavioral2/memory/4744-139-0x00000206906F0000-0x0000020690750000-memory.dmp: dcrat
- C:\Users\conhost.exe: dcrat
- C:\Documents and Settings\conhost.exe: dcrat
-
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 4744 crtwin.exe
- 212 conhost.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (WScript.exe)
-
Drops file in Program Files directory 4 IoCs
Processes (description, ioc, process):
- File created: C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe (crtwin.exe)
- File created: C:\Program Files (x86)\Windows Photo Viewer\it-IT\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d (crtwin.exe)
- File created: C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe (crtwin.exe)
- File created: C:\Program Files (x86)\Internet Explorer\fr-FR\24dbde2999530ef5fd907494bc374d663924116c (crtwin.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 4888 schtasks.exe
- 620 schtasks.exe
- 1812 schtasks.exe
- 3640 schtasks.exe
- 2812 schtasks.exe
-
Modifies registry class 1 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
- 4744 crtwin.exe
- 212 conhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4744 crtwin.exe
- Token: SeDebugPrivilege, 212 conhost.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description, pid, process, target process):
- PID 5112 wrote to memory of 1796: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe -> WScript.exe
- PID 5112 wrote to memory of 1796: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe -> WScript.exe
- PID 5112 wrote to memory of 1796: 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe -> WScript.exe
- PID 1796 wrote to memory of 4820: WScript.exe -> cmd.exe
- PID 1796 wrote to memory of 4820: WScript.exe -> cmd.exe
- PID 1796 wrote to memory of 4820: WScript.exe -> cmd.exe
- PID 4820 wrote to memory of 4744: cmd.exe -> crtwin.exe
- PID 4820 wrote to memory of 4744: cmd.exe -> crtwin.exe
- PID 4744 wrote to memory of 4888: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 4888: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 620: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 620: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 1812: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 1812: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 3640: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 3640: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 2812: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 2812: crtwin.exe -> schtasks.exe
- PID 4744 wrote to memory of 212: crtwin.exe -> conhost.exe
- PID 4744 wrote to memory of 212: crtwin.exe -> conhost.exe
Processes (process tree; the number in brackets is the nesting depth)
- [1] C:\Users\Admin\AppData\Local\Temp\417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\perfinto\i48JYD4oJA0cMfil2yKzMD37Ydu3jL.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\perfinto\ERovcdbkxlUoLK71txXW3cA964JSkD.bat" "
      - Suspicious use of WriteProcessMemory
      - [4] C:\perfinto\crtwin.exe
        Command line: "C:\perfinto\crtwin.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - [5] C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - [5] C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\perfinto\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - [5] C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - [5] C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Documents and Settings\conhost.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - [5] C:\Documents and Settings\conhost.exe
          Command line: "C:\Documents and Settings\conhost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Documents and Settings\conhost.exe
- Filesize: 356KB
- MD5: 922a77e55160186e8d3558c88f45f0fd
- SHA1: 97981a4019c4c0f8aae6ddc20aeae64bf1927718
- SHA256: 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c
- SHA512: 04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38
-
C:\Users\conhost.exe
- Filesize: 356KB
- MD5: 922a77e55160186e8d3558c88f45f0fd
- SHA1: 97981a4019c4c0f8aae6ddc20aeae64bf1927718
- SHA256: 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c
- SHA512: 04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38
-
C:\perfinto\ERovcdbkxlUoLK71txXW3cA964JSkD.bat
- Filesize: 24B
- MD5: 56e3a5d60991108ba8d984f67c27d59d
- SHA1: f0ca46ab72e8f9237660ee112d9077abe59dc71d
- SHA256: 9be93ab4ea35cccd861162176e9e1cb49f753ff071f44bc8531885cf7b5171db
- SHA512: dfcb1b4742d0daa4c8b0de16249d7d44e7dc5f4d0befa696915846f1bbd0c145888b9db32cd4d07ca6e7b7974aec6b4125af759663065eeff8baf643248eb061
-
C:\perfinto\crtwin.exe
- Filesize: 356KB
- MD5: 922a77e55160186e8d3558c88f45f0fd
- SHA1: 97981a4019c4c0f8aae6ddc20aeae64bf1927718
- SHA256: 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c
- SHA512: 04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38
-
C:\perfinto\i48JYD4oJA0cMfil2yKzMD37Ydu3jL.vbe
- Filesize: 220B
- MD5: 224d54950cf34464d6cf812c3d6ac98b
- SHA1: 2861f8019ec27a520c0751cbe196e7d19e1e93a8
- SHA256: 9890d7cd354a1444ca02970c09721238ff6223c305f8819cd2219bf8724627b2
- SHA512: ff8b1dff61f8dd8c68a57b5b43a3a4a5156fe5dd0704e9264e0fb71e6da5a4d3bbd114881a58ebc79d4e06d24abf21a42e027ee9a4824fb378e0299579a4b73f
-
memory/212-147-0x0000000000000000-mapping.dmp
-
memory/212-153-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
- Filesize: 10.8MB
-
memory/212-152-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
- Filesize: 10.8MB
-
memory/212-151-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
- Filesize: 10.8MB
-
memory/620-143-0x0000000000000000-mapping.dmp
-
memory/1796-132-0x0000000000000000-mapping.dmp
-
memory/1812-144-0x0000000000000000-mapping.dmp
-
memory/2812-146-0x0000000000000000-mapping.dmp
-
memory/3640-145-0x0000000000000000-mapping.dmp
-
memory/4744-136-0x0000000000000000-mapping.dmp
-
memory/4744-139-0x00000206906F0000-0x0000020690750000-memory.dmp
- Filesize: 384KB
-
memory/4744-150-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
- Filesize: 10.8MB
-
memory/4744-141-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
- Filesize: 10.8MB
-
memory/4744-140-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
- Filesize: 10.8MB
-
memory/4820-135-0x0000000000000000-mapping.dmp
-
memory/4888-142-0x0000000000000000-mapping.dmp