Analysis
- max time kernel: 32s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2023 01:31
Behavioral task: behavioral1
- Sample: 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe
- Resource: win10v2004-20230220-en
General
- Target: 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe
- Size: 1.6MB
- MD5: a0fb4af03514fe70e036bbea624ea81f
- SHA1: 435f3ef79e360d89cab884e990a558722c9ce272
- SHA256: 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b
- SHA512: d3bc4a717f7057b4b2da642c6272f0d357dc0bdf39f898931491e409d4b58790a715138541668a56046c5332178ddb10fc439e5c4d0a7ac6825b82f34e9c268c
- SSDEEP: 24576:B2G/nvxW3WQnkHnDIlJzbBA5clWJG4kQy0ohgEGdHKK5Cu8Kc9mfCQbZ8/zARp:BbA37kHnDIbzi5MWjmuHNKQbi/E/
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (15 instances)
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 548 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 544 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3316 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1152 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1612 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1220 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4476 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4540 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5068 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4016 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 972 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 1880 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1852 | 1880 | schtasks.exe
-
Processes:
resource | yara_rule
C:\PortfontWin\agentNet.exe | dcrat
C:\PortfontWin\agentNet.exe | dcrat
behavioral2/memory/2684-150-0x0000000000180000-0x00000000002D0000-memory.dmp | dcrat
C:\Program Files\Windows Security\wininit.exe | dcrat
C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe | dcrat
C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe | dcrat
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe, WScript.exe, agentNet.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | agentNet.exe
-
Executes dropped EXE (2 IoCs)
Processes: agentNet.exe, spoolsv.exe
pid | process
2684 | agentNet.exe
4700 | spoolsv.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory (2 IoCs)
Processes: agentNet.exe
description | ioc | process
File created | C:\Program Files\Windows Security\wininit.exe | agentNet.exe
File created | C:\Program Files\Windows Security\56085415360792 | agentNet.exe
-
Drops file in Windows directory (4 IoCs)
Processes: agentNet.exe
description | ioc | process
File created | C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe | agentNet.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\f3b6ecef712a24 | agentNet.exe
File created | C:\Windows\ja-JP\RuntimeBroker.exe | agentNet.exe
File created | C:\Windows\ja-JP\9e8d7a4ca61bd9 | agentNet.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (15 instances)
pid | process
2716 | schtasks.exe
4016 | schtasks.exe
548 | schtasks.exe
972 | schtasks.exe
1640 | schtasks.exe
4476 | schtasks.exe
544 | schtasks.exe
3316 | schtasks.exe
1708 | schtasks.exe
1220 | schtasks.exe
1852 | schtasks.exe
1152 | schtasks.exe
1612 | schtasks.exe
4540 | schtasks.exe
5068 | schtasks.exe
-
Modifies registry class (2 IoCs)
Processes: 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe, agentNet.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | agentNet.exe
-
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes: agentNet.exe, spoolsv.exe
pid | process | entries
2684 | agentNet.exe | 31
4700 | spoolsv.exe | 13
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: agentNet.exe, spoolsv.exe
description | pid | process
Token: SeDebugPrivilege | 2684 | agentNet.exe
Token: SeDebugPrivilege | 4700 | spoolsv.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe, WScript.exe, cmd.exe, agentNet.exe, cmd.exe
description | pid | process | target process | entries
PID 3804 wrote to memory of 1980 | 3804 | 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe | WScript.exe | 3
PID 3804 wrote to memory of 3208 | 3804 | 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe | WScript.exe | 3
PID 1980 wrote to memory of 216 | 1980 | WScript.exe | cmd.exe | 3
PID 216 wrote to memory of 2684 | 216 | cmd.exe | agentNet.exe | 2
PID 2684 wrote to memory of 2324 | 2684 | agentNet.exe | cmd.exe | 2
PID 2324 wrote to memory of 3908 | 2324 | cmd.exe | w32tm.exe | 2
PID 2324 wrote to memory of 4700 | 2324 | cmd.exe | spoolsv.exe | 2
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3804
  - C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\PortfontWin\faioFQaWMfyQql5F1lpCdLP.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1980
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\PortfontWin\ItIWhmVbvimfR.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 216
      - C:\PortfontWin\agentNet.exe (depth 4)
        Command line: "C:\PortfontWin\agentNet.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2684
        - C:\Windows\System32\cmd.exe (depth 5)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6kFxoAmZcR.bat"
          - Suspicious use of WriteProcessMemory
          PID: 2324
          - C:\Windows\system32\w32tm.exe (depth 6)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 3908
          - C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe (depth 6)
            Command line: "C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4700
  - C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\PortfontWin\file.vbs"
    PID: 3208
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 548
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 544
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3316
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1152
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1612
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1708
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\odt\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1220
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4476
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2716
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4540
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5068
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4016
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 972
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1640
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1852
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\PortfontWin\ItIWhmVbvimfR.bat
  Filesize: 29B
  MD5: fd0d6ddda55e2608a242669717a0d517
  SHA1: 294004545081c4634c07f7cca31819207588c310
  SHA256: dd0a8c6636afc291a09f480b9294860f6412555b0bfda3808917eff3637a005d
  SHA512: d23fddbf26c32b50c3fe3eb654da3ac25e84b7d5bf3501c682bac74f39295a58c1072dd02b97e340a0ec28e30c58ed1bb1448badb5e680baea4d6bce769215a0
- C:\PortfontWin\agentNet.exe
  Filesize: 1.3MB
  MD5: cd663693d7804e051bd4d890a643a521
  SHA1: 186510d39cc3a7d928f47c3d6813c27c5e7e3674
  SHA256: f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873
  SHA512: a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e
- C:\PortfontWin\faioFQaWMfyQql5F1lpCdLP.vbe
  Filesize: 201B
  MD5: d82d15119bf0f8e8e3077d786bcbbefb
  SHA1: 92a74c59f2984d8f7f9fcd22f44c463cc0177cbd
  SHA256: 1be73a1a92fa60e7ec1ab2b7777780d7f958c284b4c1596ea9ab5c3ad581e76f
  SHA512: 9aaa9dd3906c1b531b9c85f61b9da3d11f458f7eba22a4107fa4ed49868b45f1d0f804296f1ef35c62115d77204b99c235c9e6f504b65d752caf3f58c44eacaa
- C:\PortfontWin\file.vbs
  Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
- C:\Program Files\Windows Security\wininit.exe
  Filesize: 1.3MB
  MD5: cd663693d7804e051bd4d890a643a521
  SHA1: 186510d39cc3a7d928f47c3d6813c27c5e7e3674
  SHA256: f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873
  SHA512: a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e
- C:\Users\Admin\AppData\Local\Temp\6kFxoAmZcR.bat
  Filesize: 255B
  MD5: 001c70b047714710b6fcdc030b0bc28f
  SHA1: c83b2692dd6590d03a035a7c00eab413b09dd2a9
  SHA256: b0bb086d44e00356e737d572f3048fa3659f3c4d1ea9c2f1613f19ecdb04668c
  SHA512: f76dc15a4776e2647b3ce7cb33ba8183d55bacd7eaf65e0e23012396a26916cdef2c171a9f5d5767a8f8aa2ae0a9b42805053abf66dcfbc200d6da36be456a69
- C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe
  Filesize: 1.3MB
  MD5: cd663693d7804e051bd4d890a643a521
  SHA1: 186510d39cc3a7d928f47c3d6813c27c5e7e3674
  SHA256: f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873
  SHA512: a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e
- memory/2684-151-0x000000001AF20000-0x000000001AF70000-memory.dmp
  Filesize: 320KB
- memory/2684-152-0x000000001CC40000-0x000000001D168000-memory.dmp
  Filesize: 5.2MB
- memory/2684-153-0x000000001AFA0000-0x000000001AFB0000-memory.dmp
  Filesize: 64KB
- memory/2684-150-0x0000000000180000-0x00000000002D0000-memory.dmp
  Filesize: 1.3MB
- memory/4700-173-0x0000000002880000-0x0000000002890000-memory.dmp
  Filesize: 64KB
- memory/4700-185-0x0000000002880000-0x0000000002890000-memory.dmp
  Filesize: 64KB