Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
01-02-2023 20:08
General
-
Target
WEXTRACT.exe
-
Size
7.2MB
-
MD5
1031f7f6ee923fa952dbe18807039570
-
SHA1
01a144e221c3a67b4bdc2ad3662a682b66d4dd4a
-
SHA256
24277b308f5f5d2154a648564965df5153921a2b66e3766223732f7f9cfeaca8
-
SHA512
86abaa547484b599039502e04c0be7da1aae396d4d736f6ab79585b8d0bbb4a36704b9c23db6ec7dbedd8323b6baa07f129afb851dce15d21ae85350d03ea491
-
SSDEEP
196608:pbZpm896G7CCcWhF4Ps71GyFoQRC79BHDTZ:plp+Ps7wyF3gBBnZ
Malware Config
Signatures
-
DcRat 25 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies boot configuration data using bcdedit 1 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bb.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Webwinruntime\2gQc8XVBJnj7TBoHD.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Webwinruntime\uB8YQKcGBGDFaKvsj7SpRQl6uCT1D7.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Webwinruntime\Mshyperweb.exe"C:\Webwinruntime\Mshyperweb.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LGzIOqzcol.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\Users\Public\Desktop\Mshyperweb.exe"C:\Users\Public\Desktop\Mshyperweb.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTE~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOOSTE~1.EXE2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exe"bcdedit.exe" /enum {current} /v3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MshyperwebM" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\Mshyperweb.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Mshyperweb" /sc ONLOGON /tr "'C:\Users\Public\Desktop\Mshyperweb.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MshyperwebM" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\Mshyperweb.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Web\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\WMIADAP.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\WMIADAP.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.9MB
MD5b46183170e3065a6d1ac305289dacf7a
SHA107e88400afa36e9306497b4ce16a8d485e1d468f
SHA256d9523eba02d2c4b40e69e5fa5c51f1145e40f0c6d203a330c648a853a7e1af03
SHA51264209f3a2159c5bf6bb009dff2d489c412057bd99f85c5db0da254d0646bb66106c2a7332074e35c83b52f240ac28f61c9068cb73c1f5b32404885fecd3004d4
-
Filesize
6.9MB
MD5b46183170e3065a6d1ac305289dacf7a
SHA107e88400afa36e9306497b4ce16a8d485e1d468f
SHA256d9523eba02d2c4b40e69e5fa5c51f1145e40f0c6d203a330c648a853a7e1af03
SHA51264209f3a2159c5bf6bb009dff2d489c412057bd99f85c5db0da254d0646bb66106c2a7332074e35c83b52f240ac28f61c9068cb73c1f5b32404885fecd3004d4
-
Filesize
1.5MB
MD524a066e8e54fe5a1bf3804a8a35048fd
SHA1e0d87bec50ab8ac610b3151b04e8aba5df97f246
SHA2561dbab2f1cce2f16f237f8207e7f3baef7463cbaadb16d7ae427b7b3e902b084b
SHA512ee1583e64ae068849c763827c630cc998bfe2aa4882ab71185bbf49379da37d221a956791a9753a6b30e2c1d8b65dc61c41cfc48e7a4e4e6fb8ba02ad643c3bc
-
Filesize
1.5MB
MD524a066e8e54fe5a1bf3804a8a35048fd
SHA1e0d87bec50ab8ac610b3151b04e8aba5df97f246
SHA2561dbab2f1cce2f16f237f8207e7f3baef7463cbaadb16d7ae427b7b3e902b084b
SHA512ee1583e64ae068849c763827c630cc998bfe2aa4882ab71185bbf49379da37d221a956791a9753a6b30e2c1d8b65dc61c41cfc48e7a4e4e6fb8ba02ad643c3bc
-
Filesize
203B
MD5273fe14c22af54301dcc02d53efb2211
SHA18e5c05a2bff869b427a78ea9de9558ce89c1d7d3
SHA2567eb9a701468b088995a6e8385397a52e995ad2ab4ae47a74ceeaf2ae772d3f34
SHA51264e8a6dfbd8b8e14acb2313b89b9cac438a0359205d0f1d88ff7e436db5bcc234d8f40b26344f1abf4af499b07f9c0569fa2be20080551d2b0c7ba89cae67013
-
Filesize
1.2MB
MD5d73433115c697f50c96f79a03d18e8bb
SHA1b85e8b994ecb5b2b7eb4ae34db82137eabf718d6
SHA256a8fc667e0fcc09b0105f748d39494d84138eb2e4a31b48b5331d5d0f478fc48a
SHA512fa86101b3649eb1c6abcd6e7c4312505f79a605d73266f2816e62e140a0beb27e34e93dfb4646040b38387f1ebfc46eacdadc79c3e5a787441db016dadc09fc6
-
Filesize
1.2MB
MD5d73433115c697f50c96f79a03d18e8bb
SHA1b85e8b994ecb5b2b7eb4ae34db82137eabf718d6
SHA256a8fc667e0fcc09b0105f748d39494d84138eb2e4a31b48b5331d5d0f478fc48a
SHA512fa86101b3649eb1c6abcd6e7c4312505f79a605d73266f2816e62e140a0beb27e34e93dfb4646040b38387f1ebfc46eacdadc79c3e5a787441db016dadc09fc6
-
Filesize
220B
MD5e53776af06260079d97e3419a4b4774c
SHA1fe4710374dd131499aebb0f3a7e1e52a41617860
SHA2569cf240d5602aa5b0364f76267118bd3f5fa1c24f231656c98bbf7179377bda86
SHA5125a2c9c91944b63d872ff949c32236bf8aa2bb67f426fbcb3b9c352ae64a415278a0de98b2a2015f3e4f5b5f15cae46386303f72e34ababa913bed6320bb62b3d
-
Filesize
1.2MB
MD54d52bee2a4760127acb0e831ab92a9a8
SHA1e649e289da449b62b4c94a193e4f0ba0d1732342
SHA2562f4c249c1af01e6279bc40e29f7eadd78e681ab62a02b80c3f6437105c6b88df
SHA51211de1f78066164e03db0d7d4d13b53f5c788d88a44c8ddf0a68beb7f8c876b3c75fc7930a21296de52b989cd761786216f677c325220a9df1a607a5dca7f191a
-
Filesize
1.2MB
MD54d52bee2a4760127acb0e831ab92a9a8
SHA1e649e289da449b62b4c94a193e4f0ba0d1732342
SHA2562f4c249c1af01e6279bc40e29f7eadd78e681ab62a02b80c3f6437105c6b88df
SHA51211de1f78066164e03db0d7d4d13b53f5c788d88a44c8ddf0a68beb7f8c876b3c75fc7930a21296de52b989cd761786216f677c325220a9df1a607a5dca7f191a
-
Filesize
145B
MD583679d1d476b58992a8fc8ad71f93fc0
SHA1784380a4a769f1e7a895f28e25ab3b5453e30036
SHA2563a792ab697f2792e90a60b6caecd986b0c0c5642e15cc5cf0062d731e181ef8b
SHA512d78823f10fc8e562ee556c451a50bf12a1df846fe37dce26803201271c1c81bb60c89d085cd56028853dbf3f7922aaec6c5e7cd70689dc6970c5d241d8f4cacc
-
Filesize
1.2MB
MD54d52bee2a4760127acb0e831ab92a9a8
SHA1e649e289da449b62b4c94a193e4f0ba0d1732342
SHA2562f4c249c1af01e6279bc40e29f7eadd78e681ab62a02b80c3f6437105c6b88df
SHA51211de1f78066164e03db0d7d4d13b53f5c788d88a44c8ddf0a68beb7f8c876b3c75fc7930a21296de52b989cd761786216f677c325220a9df1a607a5dca7f191a
-
Filesize
1.2MB
MD54d52bee2a4760127acb0e831ab92a9a8
SHA1e649e289da449b62b4c94a193e4f0ba0d1732342
SHA2562f4c249c1af01e6279bc40e29f7eadd78e681ab62a02b80c3f6437105c6b88df
SHA51211de1f78066164e03db0d7d4d13b53f5c788d88a44c8ddf0a68beb7f8c876b3c75fc7930a21296de52b989cd761786216f677c325220a9df1a607a5dca7f191a
-
Filesize
2.6MB
-
Filesize
152KB
-
Filesize
192KB
-
Filesize
40KB
-
Filesize
124KB
-
Filesize
40KB
-
Filesize
124KB
-
Filesize
40KB
-
-
Filesize
40KB
-
Filesize
6.9MB
-
-
Filesize
8KB
-
-
-
-
Filesize
1.2MB
-
Filesize
124KB
-
-
Filesize
124KB
-
Filesize
8KB
-
-
-
Filesize
64KB
-
Filesize
124KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
124KB
-
-
Filesize
1.2MB
-
Filesize
124KB
-