Analysis
- max time kernel: 165s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 17:27
Static task: static1
Behavioral task: behavioral1
  Sample: 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe
  Resource: win10v2004-20220812-en
General
- Target: 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe
- Size: 574KB
- MD5: b5a28a29823b875076ccca3344499426
- SHA1: cf51bddf543b5b3570e43d7eb83d201309da36a3
- SHA256: 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df
- SHA512: e9a648701f6612c1f5f0956d226282b5af26beee4e517a1d5670f97bb97dae8edd010080a1857213dd72d5b89f80da4f9f00f1d19c4459d1c06ca5ef936fe144
- SSDEEP: 12288:HQnk3GDYKGcbllbp8VTbS8thdRok51TvLH5W:JAOcZxpgTbS8tZokU
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Processes:
  resource | yara_rule
  C:\savessvc\svcnet.exe | dcrat
  C:\savessvc\svcnet.exe | dcrat
  behavioral2/memory/1028-146-0x000001A8C45E0000-0x000001A8C4646000-memory.dmp | dcrat
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  4684 | zE5aikUa0klpw3r9Qf0i.exe
  1028 | svcnet.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | zE5aikUa0klpw3r9Qf0i.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | zE5aikUa0klpw3r9Qf0i.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1028 | svcnet.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description | pid | process | target process
  PID 552 wrote to memory of 4980 | 552 | 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe | WScript.exe
  PID 552 wrote to memory of 4980 | 552 | 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe | WScript.exe
  PID 552 wrote to memory of 4980 | 552 | 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe | WScript.exe
  PID 4980 wrote to memory of 852 | 4980 | WScript.exe | cmd.exe
  PID 4980 wrote to memory of 852 | 4980 | WScript.exe | cmd.exe
  PID 4980 wrote to memory of 852 | 4980 | WScript.exe | cmd.exe
  PID 852 wrote to memory of 4684 | 852 | cmd.exe | zE5aikUa0klpw3r9Qf0i.exe
  PID 852 wrote to memory of 4684 | 852 | cmd.exe | zE5aikUa0klpw3r9Qf0i.exe
  PID 852 wrote to memory of 4684 | 852 | cmd.exe | zE5aikUa0klpw3r9Qf0i.exe
  PID 4684 wrote to memory of 2916 | 4684 | zE5aikUa0klpw3r9Qf0i.exe | WScript.exe
  PID 4684 wrote to memory of 2916 | 4684 | zE5aikUa0klpw3r9Qf0i.exe | WScript.exe
  PID 4684 wrote to memory of 2916 | 4684 | zE5aikUa0klpw3r9Qf0i.exe | WScript.exe
  PID 2916 wrote to memory of 1516 | 2916 | WScript.exe | cmd.exe
  PID 2916 wrote to memory of 1516 | 2916 | WScript.exe | cmd.exe
  PID 2916 wrote to memory of 1516 | 2916 | WScript.exe | cmd.exe
  PID 1516 wrote to memory of 1028 | 1516 | cmd.exe | svcnet.exe
  PID 1516 wrote to memory of 1028 | 1516 | cmd.exe | svcnet.exe
Processes (process tree; the number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\WScript.exe
     Command line: "C:\Windows\System32\WScript.exe" "C:\savessvc\JUcz4WZXVbZk8gcmJxrEcb4ximqA6j.vbe"
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c ""C:\savessvc\sNk4kRXBNanZfVivadaVjhIxLvG7qo.bat" "
       - Suspicious use of WriteProcessMemory
      4. C:\savessvc\zE5aikUa0klpw3r9Qf0i.exe
         Command line: zE5aikUa0klpw3r9Qf0i.exe -p72bd158fbe13eb6fc612f01b05e6c25dc8fa84ad
         - Executes dropped EXE
         - Checks computer location settings
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\WScript.exe
           Command line: "C:\Windows\System32\WScript.exe" "C:\savessvc\DWBa6JeVc6vTABpoy0bZfYmmDxHKHw.vbe"
           - Checks computer location settings
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\cmd.exe
             Command line: C:\Windows\system32\cmd.exe /c ""C:\savessvc\4YgFlhWIPSsjQhMRmTQaO5X1cSnM5U.bat" "
             - Suspicious use of WriteProcessMemory
            7. C:\savessvc\svcnet.exe
               Command line: "C:\savessvc\svcnet.exe"
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\savessvc\4YgFlhWIPSsjQhMRmTQaO5X1cSnM5U.bat
  Filesize: 24B
  MD5: 412431155f5031d9ada5f524fea990a4
  SHA1: 580e09a584bd0a02f65bf008c9e8915db2113c2e
  SHA256: 1c2b54b913b727f357e89e2ce9faf5ea8eb6e520c4d59af56681bf7d15b57eaa
  SHA512: 1f8b66e63697e4d3f7f82b94e0a61aa9fd65e07183df7725c5106f5e70c704326b2be1048bfdf7f802818a7ea367c8656605fe364a62b6f8d7757a9d32568eb5
- C:\savessvc\DWBa6JeVc6vTABpoy0bZfYmmDxHKHw.vbe
  Filesize: 220B
  MD5: 7504ec033e802fcdb608cb4c8a280776
  SHA1: a79e62b38bef2ede56cb9fd2aa535b47b0dd3459
  SHA256: c53facfea48298509fb9ee6df7d1bf92f01bd3cd73145e315ef5155f0146ddbb
  SHA512: a8ebc85d0c28075065ae7c8cec406fb44e4d42cfc54e336c5db7cc3d311ada3f8028870f7e680d0a637b03d8390312d7dae078b145787e9bb100924cc7e85e26
- C:\savessvc\JUcz4WZXVbZk8gcmJxrEcb4ximqA6j.vbe
  Filesize: 144B
  MD5: 3557d032c699a7de99188110aac459ef
  SHA1: 96d3160be15cdb3a547030b624fd2a8d6ff335ea
  SHA256: eb6f895f786b67e38b3e14a3e5f40cc82f7e62e69d574ac3001896ced8a71615
  SHA512: 01a0fb2e0963b80b69d35a4cf1de1abcb17b3dc6d5ba631d50eb3a12da67e045026723aeba6438accf1fceca4ada970ce6bd2c17d6cc1cc3fe1e2f989166bbaf
- C:\savessvc\sNk4kRXBNanZfVivadaVjhIxLvG7qo.bat
  Filesize: 615B
  MD5: 8f295bcb8644fb442459f3ac739270f1
  SHA1: 256371569e013d7d097f09a4ca1bab119621097c
  SHA256: b7433239dffc8671a2eabc6700d4ffec37adbf199bf64d3228d9d48226250e27
  SHA512: c2d61a11e92a871c689ca66d41eb4f20fc73919b38565060f4d81f5e17e807a8942d02593274ad0582d3091adceccc49e06796b40ddaac4080b3987add0ab919
- C:\savessvc\svcnet.exe
  Filesize: 375KB
  MD5: c855e27232bb8440beca03334c686b5a
  SHA1: 7b2043bc4d04fdd44c5be6c5e7676b9f16ce21e7
  SHA256: 86635219f27c28bb252af0d9e551f379ec4151318268aaca3523616cf716f8ab
  SHA512: cc282f5c1c3d56a9f20fc2aa49ff8ea1afd6bdc246d51400abd83631d3adeb3a9458e541e24771c1bb7907d7a663a930024c4e2cc3f298529502b964242e33d1
- C:\savessvc\zE5aikUa0klpw3r9Qf0i.exe
  Filesize: 439KB
  MD5: 608b5a7325eaf4d926ddf6f386297f40
  SHA1: 697f30c063d7d5330495bc4742a6dbc1e38d1d31
  SHA256: 3264159e72fc0d2f1890b99ed3c91501194a189e32ba73c34e8b69a2214d8590
  SHA512: 577e2ebee6ee5fde12adff78ad4344a6e9f89d810ca380e3aa499ffc235c05392d1847493c20a066ab1d8f5344b5dc02fc104a5d31f28c0256f82a91c0dee652
- memory/852-135-0x0000000000000000-mapping.dmp
- memory/1028-146-0x000001A8C45E0000-0x000001A8C4646000-memory.dmp
  Filesize: 408KB
- memory/1028-143-0x0000000000000000-mapping.dmp
- memory/1028-147-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp
  Filesize: 10.8MB
- memory/1028-148-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp
  Filesize: 10.8MB
- memory/1028-149-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp
  Filesize: 10.8MB
- memory/1516-142-0x0000000000000000-mapping.dmp
- memory/2916-139-0x0000000000000000-mapping.dmp
- memory/4684-136-0x0000000000000000-mapping.dmp
- memory/4980-132-0x0000000000000000-mapping.dmp