Analysis
max time kernel: 84s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-02-2023 11:50
Behavioral tasks
- behavioral1: sample file.exe, resource win7-20230220-en
- behavioral2: sample file.exe, resource win10v2004-20230220-en (the run shown on this page: platform and resource above match it, and the memory dump below is named behavioral2/...)
General
Target: file.exe
Size: 1.9MB
MD5: ffae9d3dd55cdb9bb47aa553d05d458b
SHA1: e43439834646330d3f3dc1f142acead1e7ac6f24
SHA256: 4689a7fee8a2d671659d2f8c68d9bd8d1d734867654abb88f059defc5beb9b63
SHA512: e88a375b4680889befb88f66c50084af7908a6377302d3cc4eb9504808b9b5567ea6a1cadf1f607c6fdb08a94b88d2b8eb33a50f92854475130c8333d51a100e
SSDEEP: 49152:ubA3jqYHNVf0jxYiwmy+FsT2vB+098DeDt7:ubrSfwGiwH+UYBt9bt7
Malware Config
Signatures

DcRat
DarkCrystal (DcRat) is a .NET RAT active since June 2019 that can load additional plugins. The dcrat yara rule matched three resources: the dropped svchost.exe (recorded twice in this report) and the memory dump of the process it ran as (PID 4768).
- C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe: yara_rule dcrat
- C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe: yara_rule dcrat
- behavioral2/memory/4768-150-0x0000000000320000-0x00000000004CA000-memory.dmp: yara_rule dcrat
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
- file.exe: key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
- WScript.exe: key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
- PID 4768: svchost.exe (the dropped C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe, not the system binary)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's canned description calls this likely ransomware behaviour, but nothing else in this report supports that reading (the only file writes recorded are the Fontwin drops; no mass modification or ransom note), and the family identified is a RAT, for which drive enumeration is ordinary host reconnaissance. No process IoCs were recorded for this signature.
Modifies registry class (1 IoC)
- file.exe: key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 4768 svchost.exe: token SeDebugPrivilege
Suspicious use of WriteProcessMemory (11 IoCs)
Every entry is a parent writing into a child it has just created, which is consistent with process creation rather than injection into an unrelated process; the same parent/child pair is recorded once per write. Read together, the pairs give the creation chain file.exe -> WScript.exe (two instances) -> cmd.exe -> svchost.exe.
- PID 5000 file.exe wrote to memory of 3360 WScript.exe (3 entries)
- PID 5000 file.exe wrote to memory of 4684 WScript.exe (3 entries)
- PID 3360 WScript.exe wrote to memory of 1576 cmd.exe (3 entries)
- PID 1576 cmd.exe wrote to memory of 4768 svchost.exe (2 entries)
Processes
The number before each entry is its depth in the tree. Note that the command lines name C:\Windows\System32\WScript.exe and C:\Windows\system32\cmd.exe while the images actually loaded came from C:\Windows\SysWOW64: the chain is 32-bit (resource tag arch:x86), so WOW64 file system redirection maps those System32 paths to SysWOW64. The final stage is a file named svchost.exe that mimics the system service host but runs from %TEMP%\Fontwin.

1. C:\Users\Admin\AppData\Local\Temp\file.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fontwin\A5pg7.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fontwin\lcJgodXq4rO.bat" "
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fontwin\file.vbs"
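The process tree above can be rebuilt from the WriteProcessMemory entries alone, and the chain trips several hash-independent detections. The following is an added example, not part of the Triage report: it parses the report's "PID A wrote to memory of B" lines (embedded here as constructed input copied from this page), reconstructs the tree, and runs three detection rules over it. The image paths are taken from the tree; because the report does not say which WScript.exe PID ran which script, no script arguments are attached. The rule set and all function names are this example's own choices, not anything Triage provides.

```python
import re
from collections import OrderedDict

# Constructed sample input: the "Suspicious use of WriteProcessMemory" entries
# of this report, one per line (the report records a pair once per write).
WPM_ENTRIES = """\
PID 5000 wrote to memory of 3360 5000 file.exe WScript.exe
PID 5000 wrote to memory of 3360 5000 file.exe WScript.exe
PID 5000 wrote to memory of 3360 5000 file.exe WScript.exe
PID 5000 wrote to memory of 4684 5000 file.exe WScript.exe
PID 5000 wrote to memory of 4684 5000 file.exe WScript.exe
PID 5000 wrote to memory of 4684 5000 file.exe WScript.exe
PID 3360 wrote to memory of 1576 3360 WScript.exe cmd.exe
PID 3360 wrote to memory of 1576 3360 WScript.exe cmd.exe
PID 3360 wrote to memory of 1576 3360 WScript.exe cmd.exe
PID 1576 wrote to memory of 4768 1576 cmd.exe svchost.exe
PID 1576 wrote to memory of 4768 1576 cmd.exe svchost.exe
"""

# Image paths from the report's process tree, keyed by PID. Both WScript.exe
# instances share one image; the report does not say which PID ran which
# script, so script arguments are deliberately left out (assumption-free).
IMAGE_PATHS = {
    5000: r"C:\Users\Admin\AppData\Local\Temp\file.exe",
    3360: r"C:\Windows\SysWOW64\WScript.exe",
    4684: r"C:\Windows\SysWOW64\WScript.exe",
    1576: r"C:\Windows\SysWOW64\cmd.exe",
    4768: r"C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe",
}

# The report repeats the parent PID after the child PID; the backreference
# enforces that so a garbled line cannot produce a bogus edge.
ENTRY_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) "
    r"(?P<pimage>\S+) (?P<image>\S+)$"
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_wpm(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) edges in
    first-seen order; repeated writes to the same child collapse to one edge."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            edges.setdefault((int(m["ppid"]), int(m["pid"]), m["pimage"], m["image"]), None)
    return list(edges)


def build_tree(edges):
    """Map each parent PID to its children in creation order."""
    children = {}
    for ppid, pid, _, _ in edges:
        children.setdefault(ppid, []).append(pid)
    return children


def roots(edges):
    """PIDs that appear as a parent but never as a child."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render_tree(edges, paths):
    """Indented tree lines, two spaces per level, like the report's Processes view."""
    children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {paths.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


def find_suspicious(edges, paths):
    """Three rules that fire on this chain without any file hash: a masquerading
    svchost.exe (wrong directory or wrong parent), a script host spawning a
    shell, and an executable running from the user's %TEMP% directory."""
    findings = []
    for ppid, pid, pimage, image in edges:
        child_path = paths.get(pid, "").lower()
        if image.lower() == "svchost.exe":
            if not child_path.startswith(SYSTEM_DIRS):
                findings.append(f"{pid}: svchost.exe outside a system directory: {paths[pid]}")
            if pimage.lower() != "services.exe":
                findings.append(f"{pid}: svchost.exe started by {pimage} ({ppid}), not services.exe")
        if pimage.lower() in SCRIPT_HOSTS and image.lower() == "cmd.exe":
            findings.append(f"{pid}: {pimage} ({ppid}) spawned cmd.exe")
    for pid, path in sorted(paths.items()):
        if "\\appdata\\local\\temp\\" in path.lower():
            findings.append(f"{pid}: executable running from %TEMP%: {path}")
    return findings


if __name__ == "__main__":
    edges = parse_wpm(WPM_ENTRIES)
    print("\n".join(render_tree(edges, IMAGE_PATHS)))
    print("\n".join(find_suspicious(edges, IMAGE_PATHS)))
```

On this input the parser collapses the 11 entries to 4 edges with the single root 5000, and the rules produce five findings: the WScript.exe to cmd.exe hop, three against PID 4768 (svchost.exe outside System32/SysWOW64, parent cmd.exe rather than services.exe, running from %TEMP%), and file.exe itself running from %TEMP%. The same rules map directly onto Sysmon event ID 1 fields (Image, ParentImage) if you want them as production detections; the svchost.exe parent rule should whitelist services.exe only, since legitimate service hosts have no other parent.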
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\Fontwin\A5pg7.vbe
  Filesize: 199B
  MD5: d20ee83ba327ad6f773016820e223b8e
  SHA1: cba80bf5f728f4a2e942c567dbf704e77c8a8e5e
  SHA256: ee8df87d26c7a650d23630a339d8c5fd3d30c3edbcfd757f1bbcd588c1e14d53
  SHA512: e17ff3c81c2af5bd30537419b5288872cb10ac93f179cf0cd4333628b8c756e840f54f9383ab2b540c3fa491b8a40a434cc9803442dabfc2655211cab23f3a60
- C:\Users\Admin\AppData\Local\Temp\Fontwin\file.vbs
  Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
- C:\Users\Admin\AppData\Local\Temp\Fontwin\lcJgodXq4rO.bat
  Filesize: 28B
  MD5: 53529a1d50b9ab9d67c700e57e2aa1b1
  SHA1: 3bc9026745ee38552d3cc5f37b6cfdc5c6306368
  SHA256: 490f184d7adffb16420be10ba5aa0b17dc0b81c1c57d9da5e949eb1bdc2845ea
  SHA512: 7f8cd5a7b4f154d6f6bfdfd8f575a8979c722181782962c2e781a17cde9ce56a9d481f208a59fe4e6b2f7fc1adc4efbfba2e6f31757173c1ef6a7fab9b528201
- C:\Users\Admin\AppData\Local\Temp\Fontwin\svchost.exe (recorded twice in the report with identical hashes; the DcRat payload)
  Filesize: 1.6MB
  MD5: c6349132a9523e079ef707292430b039
  SHA1: e1a65a06120b2d875d879aecbc9154cce2f93dc9
  SHA256: 3540f44678e05db9c3c341e326a3c92ca20efb890755166934428c47b3faeeed
  SHA512: 79db000bec4caa9bc210756566414d31dfe505591ddb8b4ad5568ab2a03d51b3ca542e957d46a56d420c8a7901bbeb829b22604e4e24a158ff463de066928a2a
- memory/4768-150-0x0000000000320000-0x00000000004CA000-memory.dmp
  Filesize: 1.7MB (dump of PID 4768, the dropped svchost.exe; this is the region that matched the dcrat yara rule)