Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 03:43
Behavioral task: behavioral1
Sample: injector.exe
Resource: win7-20230220-en
General
- Target: injector.exe
- Size: 4.1MB
- MD5: 05baef98bd302a685a7b0412341223ad
- SHA1: 3808f40778dd09ca2437e531725a48f1cbc34a50
- SHA256: aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41
- SHA512: 93e5f1c5176c473823bcb5e9ecbfffdd789962b401dbd7f7212126dcd3613f3a8a9005eee175590c4040b7a39c7288e3c47028700f579ab85d5b8b67c3d1cdaf
- SSDEEP: 98304:phfEZMB8SQTr3cEA6Ql2GyzXCNHmCWK4DYq5Ek:/fEZQ8NTrMB6QlozyOYqWk
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1360 | 4456 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1344 | 4456 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 600 | 4456 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 112 | 4456 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 264 | 4456 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 908 | 4456 | schtasks.exe
-
Processes:
resource | yara_rule
behavioral2/memory/3252-136-0x0000000000D60000-0x00000000016DA000-memory.dmp | dcrat
behavioral2/memory/3252-137-0x0000000000D60000-0x00000000016DA000-memory.dmp | dcrat
behavioral2/memory/3252-155-0x0000000000D60000-0x00000000016DA000-memory.dmp | dcrat
behavioral2/memory/3424-162-0x0000000000DC0000-0x000000000173A000-memory.dmp | dcrat
behavioral2/memory/3424-163-0x0000000000DC0000-0x000000000173A000-memory.dmp | dcrat
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | injector.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | smss.exe
-
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | smss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | injector.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | injector.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | smss.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | injector.exe
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
3424 | smss.exe
-
Processes:
resource | yara_rule
behavioral2/memory/3252-136-0x0000000000D60000-0x00000000016DA000-memory.dmp | themida
behavioral2/memory/3252-137-0x0000000000D60000-0x00000000016DA000-memory.dmp | themida
behavioral2/memory/3252-155-0x0000000000D60000-0x00000000016DA000-memory.dmp | themida
C:\Program Files\Common Files\Services\smss.exe | themida
C:\Program Files\Common Files\Services\smss.exe | themida
behavioral2/memory/3424-162-0x0000000000DC0000-0x000000000173A000-memory.dmp | themida
behavioral2/memory/3424-163-0x0000000000DC0000-0x000000000173A000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | injector.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
pid | process
3252 | injector.exe
3424 | smss.exe
-
Drops file in Program Files directory (4 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe | injector.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\e6c9b481da804f | injector.exe
File opened for modification | C:\Program Files\Common Files\Services\smss.exe | injector.exe
File created | C:\Program Files\Common Files\Services\69ddcba757bf72 | injector.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
264 | schtasks.exe
908 | schtasks.exe
1360 | schtasks.exe
1344 | schtasks.exe
600 | schtasks.exe
112 | schtasks.exe
-
Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | injector.exe
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid | process
3252 | injector.exe
3424 | smss.exe (listed 9 times)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
3424 | smss.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3252 | injector.exe
Token: SeDebugPrivilege | 3424 | smss.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description | pid | process | target process
PID 3252 wrote to memory of 3132 | 3252 | injector.exe | cmd.exe (listed 3 times)
PID 3132 wrote to memory of 2808 | 3132 | cmd.exe | w32tm.exe (listed 3 times)
PID 2808 wrote to memory of 3836 | 2808 | w32tm.exe | w32tm.exe (listed 2 times)
PID 3132 wrote to memory of 3424 | 3132 | cmd.exe | smss.exe (listed 3 times)
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\injector.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\injector.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BZzno4kruI.bat"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\w32tm.exe (tree depth 3)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exe (tree depth 4)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Program Files\Common Files\Services\smss.exe (tree depth 3)
Command line: "C:\Program Files\Common Files\Services\smss.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Common Files\Services\smss.exe
  Filesize: 4.1MB
  MD5: 05baef98bd302a685a7b0412341223ad
  SHA1: 3808f40778dd09ca2437e531725a48f1cbc34a50
  SHA256: aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41
  SHA512: 93e5f1c5176c473823bcb5e9ecbfffdd789962b401dbd7f7212126dcd3613f3a8a9005eee175590c4040b7a39c7288e3c47028700f579ab85d5b8b67c3d1cdaf
- C:\Users\Admin\AppData\Local\Temp\BZzno4kruI.bat
  Filesize: 212B
  MD5: 790cb5657b7fe9784bc864d4dd7fd46a
  SHA1: 14ad4a02117e0162ea8dd603fc3a166bc77fd749
  SHA256: 2e8417bbc2dfa72023362749ef153efd89c281f5d7fa81502d327760cbfe5cc4
  SHA512: 32539c90e663941cb1a8b8c7bff70a0581616c9f8ed9efda6e19fee0771ded3e97e1cd738ae8bbe0bb0fba35aa2c28e95118f71f6322fc7f4faa63d74075da02
- memory/3252-139-0x00000000040C0000-0x00000000040D0000-memory.dmp (Filesize: 64KB)
- memory/3252-155-0x0000000000D60000-0x00000000016DA000-memory.dmp (Filesize: 9.5MB)
- memory/3252-140-0x0000000006970000-0x00000000069C0000-memory.dmp (Filesize: 320KB)
- memory/3252-141-0x0000000007400000-0x0000000007492000-memory.dmp (Filesize: 584KB)
- memory/3252-142-0x0000000008AB0000-0x0000000008FDC000-memory.dmp (Filesize: 5.2MB)
- memory/3252-145-0x0000000008580000-0x00000000085E6000-memory.dmp (Filesize: 408KB)
- memory/3252-138-0x0000000006DA0000-0x0000000007344000-memory.dmp (Filesize: 5.6MB)
- memory/3252-133-0x0000000000D60000-0x00000000016DA000-memory.dmp (Filesize: 9.5MB)
- memory/3252-137-0x0000000000D60000-0x00000000016DA000-memory.dmp (Filesize: 9.5MB)
- memory/3252-136-0x0000000000D60000-0x00000000016DA000-memory.dmp (Filesize: 9.5MB)
- memory/3424-159-0x0000000000DC0000-0x000000000173A000-memory.dmp (Filesize: 9.5MB)
- memory/3424-162-0x0000000000DC0000-0x000000000173A000-memory.dmp (Filesize: 9.5MB)
- memory/3424-163-0x0000000000DC0000-0x000000000173A000-memory.dmp (Filesize: 9.5MB)
- memory/3424-165-0x0000000000DC0000-0x000000000173A000-memory.dmp (Filesize: 9.5MB)