Analysis
-
max time kernel
2339s -
max time network
2344s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
23-03-2023 21:25
Static task
static1
Behavioral task
behavioral1
Sample
HeInstaller.exe
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
HeInstaller.exe
Resource
win7-20230220-en
Behavioral task
behavioral3
Sample
HeInstaller.exe
Resource
win10v2004-20230220-en
General
-
Target
HeInstaller.exe
-
Size
46.7MB
-
MD5
36b72eb9b84d29b97dc67493144d281d
-
SHA1
87ed47da38b5c2a8b3564aaba5d92391900f7c12
-
SHA256
15443c40e026f2aed7f025261a8e3a0d25ac8b2160df15f8cf40206c80eca148
-
SHA512
c4388f41362093049b354b0baa602605983392b7eea71d507edb9ec4072f500740b8903ffaa0dbe78d3f03ffa938096b1afa88aaec34f78719c70f1b0d3e923c
-
SSDEEP
786432:lw6mZpUq1siz8tvboefpnP/fnhzs9A22yvBmVT6tcKYocMerZbvF9CfzameBGNv0:e6QUy8tvtfpn3fh42yvBqPr9v3C7ameP
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
resource yara_rule behavioral2/memory/2044-107-0x0000000000400000-0x00000000004CE000-memory.dmp dcrat behavioral2/memory/2044-113-0x0000000000400000-0x00000000004CE000-memory.dmp dcrat behavioral2/memory/2044-114-0x0000000000400000-0x00000000004CE000-memory.dmp dcrat -
Executes dropped EXE 1 IoCs
pid Process 688 EBZfayui1.exe -
Loads dropped DLL 2 IoCs
pid Process 1184 Process not Found 1184 Process not Found -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 688 set thread context of 2044 688 EBZfayui1.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main HeInstaller.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2044 vbc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1524 HeInstaller.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: 33 2004 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2004 AUDIODG.EXE Token: 33 2004 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2004 AUDIODG.EXE Token: SeDebugPrivilege 2044 vbc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1524 HeInstaller.exe 1524 HeInstaller.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 688 wrote to memory of 2044 688 EBZfayui1.exe 35 PID 688 wrote to memory of 2044 688 EBZfayui1.exe 35 PID 688 wrote to memory of 2044 688 EBZfayui1.exe 35 PID 688 wrote to memory of 2044 688 EBZfayui1.exe 35 PID 688 wrote to memory of 2044 688 EBZfayui1.exe 35 PID 688 wrote to memory of 2044 688 EBZfayui1.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\HeInstaller.exe"C:\Users\Admin\AppData\Local\Temp\HeInstaller.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1524
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x47c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"C:\Users\Admin\Desktop\New folder\HeInstaller\EBZfayui1.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
822KB
MD5811faae91071bb739c2f18b0802d0a41
SHA1b7ae85e0d7935254521cf8aca99ac6f2c67c9086
SHA256709b00ad6afcc2940706acc2f65095130ef9df7bb0fbd444c327b0c97971c29d
SHA512d6cca56185f1d1b0d357f0f7ab2b633268e2a45d8bbd31c8d399b175b5e61e9930b27bb3da93913a6a76bb686d40027811dc8dec5ec40a3cf6dbd0ff579c872c
-
Filesize
4.6MB
MD5fab2cc9e8a64f905fb0e84ac8f014bee
SHA14cd94c381554f8a2ed956acb5b073c4f5a704de1
SHA256df921c4f173a6bd6fe0b347f2494ff8c2c4a5407de343e87061e43b89890a712
SHA512a2e7b01dea7c801f34a54fa70de812d032263eccf5f21fd9b5b1bdc448f63c363dfb84b88b275fe2129a7403b2ea3381ec1561d484db43387897f56daf92df9a
-
Filesize
4.6MB
MD5fab2cc9e8a64f905fb0e84ac8f014bee
SHA14cd94c381554f8a2ed956acb5b073c4f5a704de1
SHA256df921c4f173a6bd6fe0b347f2494ff8c2c4a5407de343e87061e43b89890a712
SHA512a2e7b01dea7c801f34a54fa70de812d032263eccf5f21fd9b5b1bdc448f63c363dfb84b88b275fe2129a7403b2ea3381ec1561d484db43387897f56daf92df9a