Analysis
- max time kernel: 31s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21-02-2023 11:50
Behavioral task behavioral1: Sample file.exe, Resource win7-20230220-en
Behavioral task behavioral2: Sample file.exe, Resource win10v2004-20230220-en
(The signatures, process tree and memory dumps below are from behavioral1, the Windows 7 x64 run.)
General
- Target: file.exe
- Size: 1.9MB
- MD5: ffae9d3dd55cdb9bb47aa553d05d458b
- SHA1: e43439834646330d3f3dc1f142acead1e7ac6f24
- SHA256: 4689a7fee8a2d671659d2f8c68d9bd8d1d734867654abb88f059defc5beb9b63
- SHA512: e88a375b4680889befb88f66c50084af7908a6377302d3cc4eb9504808b9b5567ea6a1cadf1f607c6fdb08a94b88d2b8eb33a50f92854475130c8333d51a100e
- SSDEEP: 49152:ubA3jqYHNVf0jxYiwmy+FsT2vB+098DeDt7:ubrSfwGiwH+UYBt9bt7
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Processes (resource | yara_rule); each on-disk path is listed twice in the report:
\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe | dcrat
C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe | dcrat
behavioral1/memory/1536-72-0x0000000000A00000-0x0000000000BAA000-memory.dmp | dcrat
-
Executes dropped EXE 1 IoCs
Processes (pid | process):
1536 | svchost.exe
-
Loads dropped DLL 2 IoCs
Processes (pid | process):
1140 | cmd.exe
1140 | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for a sample classified as DcRat, drive enumeration is more consistent with host reconnaissance by the RAT, so treat this signature as supporting evidence rather than as a ransomware indicator on its own.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 1536 | svchost.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes (description | pid | process | target process); each parent/child pair is recorded four times in the report:
PID 1756 wrote to memory of 1900 | 1756 | file.exe | WScript.exe (x4)
PID 1756 wrote to memory of 680 | 1756 | file.exe | WScript.exe (x4)
PID 1900 wrote to memory of 1140 | 1900 | WScript.exe | cmd.exe (x4)
PID 1140 wrote to memory of 1536 | 1140 | cmd.exe | svchost.exe (x4)
Processes
(PIDs are taken from the WriteProcessMemory table above; the WScript.exe instance that spawned cmd.exe, PID 1900, is therefore the one running A5pg7.vbe. The command lines name C:\Windows\System32\WScript.exe, but the image path is C:\Windows\SysWOW64\: a 32-bit caller asking for System32 gets the SysWOW64 binary through WoW64 file-system redirection. Note that the final svchost.exe runs from the Temp\Fontwin drop directory, not from a system directory.)
-
C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"  (level 1, PID 1756)
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fontwin\A5pg7.vbe"  (level 2, PID 1900)
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fontwin\lcJgodXq4rO.bat" "  (level 3, PID 1140)
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe"  (level 4, PID 1536)
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fontwin\file.vbs"  (level 2, PID 680)
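The execution chain in this report (file.exe, then WScript.exe running a .vbe from %TEMP%, then cmd.exe running a .bat, then a dropped svchost.exe from Temp\Fontwin) is the part worth turning into detection logic. The following is an added example written for this page; it is not the sandbox's code and not part of the report. The event records are constructed from the process list and the WriteProcessMemory table (PIDs included; the pairing of PID 1900 with A5pg7.vbe is inferred from the fact that 1900 is the WScript.exe that spawned cmd.exe), and the two rules, regexes and function names are the editor's own. It runs two checks: an svchost.exe image outside System32/SysWOW64 (masquerading), and an .exe started from a user Temp directory whose ancestry contains cmd.exe and a script host launched with a script from Temp.

```python
import re

# Constructed process-creation records modelled on this report's process tree.
# PIDs come from the WriteProcessMemory table; the WScript.exe instance that
# spawned cmd.exe (1900) is therefore the one running A5pg7.vbe. These are
# illustrative records, not the sandbox's raw event log.
EVENTS = [
    {"pid": 1756, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"pid": 1900, "ppid": 1756, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fontwin\A5pg7.vbe"'},
    {"pid": 680, "ppid": 1756, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fontwin\file.vbs"'},
    {"pid": 1140, "ppid": 1900, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fontwin\lcJgodXq4rO.bat" "'},
    {"pid": 1536, "ppid": 1140, "image": r"C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe"'},
]

# User-writable Temp directory (any drive letter, any user name).
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# A script-host argument pointing at a script file under that Temp directory.
SCRIPT_IN_TEMP = re.compile(r'\\appdata\\local\\temp\\[^"]*\.(vbs|vbe|js|jse|wsf)\b', re.IGNORECASE)
# The only directories a real svchost.exe runs from; SysWOW64 covers the
# WoW64-redirected path a 32-bit parent sees when it asks for System32.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return bool(TEMP_DIR.match(path))


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def ancestors(events, pid):
    """Return the process record for pid followed by its ancestors, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def masquerading_svchost(events):
    """PIDs of any svchost.exe whose image is not in a Windows system directory."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "svchost.exe" and not in_system_dir(e["image"])]


def script_host_drop_chain(events):
    """Root-to-leaf PID chains for an .exe started from %TEMP% whose ancestry
    contains cmd.exe and a script host launched with a script from %TEMP%."""
    hits = []
    for e in events:
        if not (in_temp(e["image"]) and e["image"].lower().endswith(".exe")):
            continue
        chain = ancestors(events, e["pid"])
        names = [basename(c["image"]) for c in chain]
        if "cmd.exe" not in names:
            continue
        hosts = [c for c in chain if basename(c["image"]) in SCRIPT_HOSTS]
        if any(SCRIPT_IN_TEMP.search(h["cmdline"]) for h in hosts):
            hits.append([c["pid"] for c in reversed(chain)])
    return hits


def findings(events):
    """Run both rules and return their hits keyed by rule name."""
    return {
        "masquerading_svchost": masquerading_svchost(events),
        "script_host_drop_chain": script_host_drop_chain(events),
    }


if __name__ == "__main__":
    for rule, hits in findings(EVENTS).items():
        print(f"{rule}: {hits}")
```

Against the constructed records the first rule returns PID 1536 and the second returns the chain 1756 -> 1900 -> 1140 -> 1536; the file.vbs WScript.exe (PID 680) is not reported because nothing under it reached cmd.exe. The record shape maps directly onto Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine), so the same functions can be fed real telemetry; extend SYSTEM_DIRS if your fleet has a non-default system drive.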
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Fontwin\A5pg7.vbe
Filesize: 199B
MD5: d20ee83ba327ad6f773016820e223b8e
SHA1: cba80bf5f728f4a2e942c567dbf704e77c8a8e5e
SHA256: ee8df87d26c7a650d23630a339d8c5fd3d30c3edbcfd757f1bbcd588c1e14d53
SHA512: e17ff3c81c2af5bd30537419b5288872cb10ac93f179cf0cd4333628b8c756e840f54f9383ab2b540c3fa491b8a40a434cc9803442dabfc2655211cab23f3a60
-
C:\Users\Admin\AppData\Local\Temp\Fontwin\file.vbs
Filesize: 34B
MD5: 677cc4360477c72cb0ce00406a949c61
SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\Users\Admin\AppData\Local\Temp\Fontwin\lcJgodXq4rO.bat
Filesize: 28B
MD5: 53529a1d50b9ab9d67c700e57e2aa1b1
SHA1: 3bc9026745ee38552d3cc5f37b6cfdc5c6306368
SHA256: 490f184d7adffb16420be10ba5aa0b17dc0b81c1c57d9da5e949eb1bdc2845ea
SHA512: 7f8cd5a7b4f154d6f6bfdfd8f575a8979c722181782962c2e781a17cde9ce56a9d481f208a59fe4e6b2f7fc1adc4efbfba2e6f31757173c1ef6a7fab9b528201
-
C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe
(The report lists this dropped file four times, twice under the C:\ path and twice under the drive-relative \Users\... path, with identical hashes each time; one entry is kept here.)
Filesize: 1.6MB
MD5: c6349132a9523e079ef707292430b039
SHA1: e1a65a06120b2d875d879aecbc9154cce2f93dc9
SHA256: 3540f44678e05db9c3c341e326a3c92ca20efb890755166934428c47b3faeeed
SHA512: 79db000bec4caa9bc210756566414d31dfe505591ddb8b4ad5568ab2a03d51b3ca542e957d46a56d420c8a7901bbeb829b22604e4e24a158ff463de066928a2a
-
memory/1536-72-0x0000000000A00000-0x0000000000BAA000-memory.dmp
Filesize: 1.7MB (the svchost.exe image region in PID 1536; this is the dump the dcrat YARA rule matched)
-
memory/1536-73-0x000000001AD30000-0x000000001ADB0000-memory.dmp
Filesize: 512KB
-
memory/1536-74-0x00000000004E0000-0x00000000004EE000-memory.dmp
Filesize: 56KB