Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2023 21:04
Behavioral task behavioral1
- Sample: tmp.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20230220-en
General
- Target: tmp.exe
- Size: 1.6MB
- MD5: 373992db74a918562686a9e9144ecbbe
- SHA1: 953c7daaec55cdf106b371b555bc73f83a127b26
- SHA256: c17ee50458ad78fb43b23fd8001002cd35bb8effac19ec33091ddadefbc7dcac
- SHA512: ddf9af3d9b765708ce9e91f1ba7631f4111202016deae60f0da80026688fd465e9877fe55ec175be0296db153e300188a5aeadd5566b2e72fc8cf0e1bb8a80e4
- SSDEEP: 24576:U2G/nvxW3Ww0t1urfikuV13mFFkwIuKOaZDIpw6P/KlBrJ/GB+8xNEJnw:UbA30Wiku13qF1jtpwG/KR/YxNEJw
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 112 | 964 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 116 | 964 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2892 | 964 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 704 | 964 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3976 | 964 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3220 | 964 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4068 | 964 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3336 | 964 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 964 | schtasks.exe
-
YARA matches (resource | yara_rule):
  C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe | dcrat
  C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe | dcrat
  behavioral2/memory/776-145-0x00000000006F0000-0x0000000000844000-memory.dmp | dcrat
  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe | dcrat
  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe | dcrat
  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe | dcrat
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | tmp.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | componentMonitorcommon.exe
-
Executes dropped EXE 2 IoCs
Processes (pid | process):
  776 | componentMonitorcommon.exe
  1504 | sysmon.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows (flow | ioc):
  35 | ipinfo.io
  34 | ipinfo.io
-
Drops file in System32 directory 2 IoCs
Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\pl-PL\Idle.exe | componentMonitorcommon.exe
  File created | C:\Windows\SysWOW64\pl-PL\6ccacd8608530f | componentMonitorcommon.exe
-
Drops file in Program Files directory 2 IoCs
Processes (description | ioc | process):
  File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\121e5b5079f7c0 | componentMonitorcommon.exe
  File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe | componentMonitorcommon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
  704 | schtasks.exe
  3976 | schtasks.exe
  4068 | schtasks.exe
  3336 | schtasks.exe
  116 | schtasks.exe
  2892 | schtasks.exe
  3220 | schtasks.exe
  2572 | schtasks.exe
  112 | schtasks.exe
-
Modifies registry class 1 IoCs
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | tmp.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes (pid | process):
  776 | componentMonitorcommon.exe
  776 | componentMonitorcommon.exe
  776 | componentMonitorcommon.exe
  1756 | powershell.exe
  4368 | powershell.exe
  2376 | powershell.exe
  1776 | powershell.exe
  4368 | powershell.exe
  2376 | powershell.exe
  1504 | sysmon.exe
  1756 | powershell.exe
  1776 | powershell.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
  1504 | sysmon.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
  1504 | sysmon.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 776 | componentMonitorcommon.exe
  Token: SeDebugPrivilege | 4368 | powershell.exe
  Token: SeDebugPrivilege | 1756 | powershell.exe
  Token: SeDebugPrivilege | 2376 | powershell.exe
  Token: SeDebugPrivilege | 1776 | powershell.exe
  Token: SeDebugPrivilege | 1504 | sysmon.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description | pid | process | target process):
  PID 1268 wrote to memory of 3324 | 1268 | tmp.exe | WScript.exe
  PID 1268 wrote to memory of 3324 | 1268 | tmp.exe | WScript.exe
  PID 1268 wrote to memory of 3324 | 1268 | tmp.exe | WScript.exe
  PID 3324 wrote to memory of 2300 | 3324 | WScript.exe | cmd.exe
  PID 3324 wrote to memory of 2300 | 3324 | WScript.exe | cmd.exe
  PID 3324 wrote to memory of 2300 | 3324 | WScript.exe | cmd.exe
  PID 2300 wrote to memory of 776 | 2300 | cmd.exe | componentMonitorcommon.exe
  PID 2300 wrote to memory of 776 | 2300 | cmd.exe | componentMonitorcommon.exe
  PID 776 wrote to memory of 1756 | 776 | componentMonitorcommon.exe | powershell.exe
  PID 776 wrote to memory of 1756 | 776 | componentMonitorcommon.exe | powershell.exe
  PID 776 wrote to memory of 1776 | 776 | componentMonitorcommon.exe | powershell.exe
  PID 776 wrote to memory of 1776 | 776 | componentMonitorcommon.exe | powershell.exe
  PID 776 wrote to memory of 4368 | 776 | componentMonitorcommon.exe | powershell.exe
  PID 776 wrote to memory of 4368 | 776 | componentMonitorcommon.exe | powershell.exe
  PID 776 wrote to memory of 2376 | 776 | componentMonitorcommon.exe | powershell.exe
  PID 776 wrote to memory of 2376 | 776 | componentMonitorcommon.exe | powershell.exe
  PID 776 wrote to memory of 1504 | 776 | componentMonitorcommon.exe | sysmon.exe
  PID 776 wrote to memory of 1504 | 776 | componentMonitorcommon.exe | sysmon.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; nesting shows parent/child, depth as reported)
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\vQ3VIYUYL2xofTcP0gCIzAw.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\mQTPECbUX38DuLpdMmoUBOwQ.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\pl-PL\Idle.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe (depth 5)
          Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\pl-PL\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SysWOW64\pl-PL\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\pl-PL\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe (listed 3 times in the report, identical hashes)
  Filesize: 1.3MB
  MD5: 231efb7ab5b36cda91e06456480228c1
  SHA1: 11edb782a254ead91bef459fb4dac0ca393ffeaf
  SHA256: 5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d
  SHA512: c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (listed 2 times in the report, identical hashes)
  Filesize: 944B
  MD5: 77d622bb1a5b250869a3238b9bc1402b
  SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: bd5940f08d0be56e65e5f2aaf47c538e
  SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
  SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
  SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvvd0ezl.jos.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe (listed 2 times in the report, identical hashes; same hashes as the dropped sysmon.exe above)
  Filesize: 1.3MB
  MD5: 231efb7ab5b36cda91e06456480228c1
  SHA1: 11edb782a254ead91bef459fb4dac0ca393ffeaf
  SHA256: 5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d
  SHA512: c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017
- C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\mQTPECbUX38DuLpdMmoUBOwQ.bat
  Filesize: 55B
  MD5: 4eca9a6bf6c52d04c26fa14ea74bf227
  SHA1: ca0fea58051517e6295da2da5e3f249ad4ff3504
  SHA256: 96ca7d8a38fd1f411bf623f952bbd4b8e93243167c2158917eba0d68f00e85cc
  SHA512: 3d818f8e1ea332deb3a0aaff2284deb6380639a56dc30a7e675cfe76c253f0c626783e5b7652cd6dbad541022ccb6058376ec5d7f12d0674a4478cfefef9df18
- C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\vQ3VIYUYL2xofTcP0gCIzAw.vbe
  Filesize: 224B
  MD5: 7b5df8b8d4d8d1b95b3313ffaf3c420b
  SHA1: 70c9cb3ea22d5349044e03f7e6fa4d98e6bc208d
  SHA256: 1c307726e10a7546162838a9981c0d0565306998ed731ee73a047d664d72a3ea
  SHA512: ddc870977887cd25ca709ff3b3be1311d7478e5c361936d3ff3dd845aa04633fcc081a27bc088e20001f1105862c88972d9325a3b40126157906400ccda65270
- memory/776-145-0x00000000006F0000-0x0000000000844000-memory.dmp
  Filesize: 1.3MB
- memory/776-146-0x0000000000F90000-0x0000000000FA0000-memory.dmp
  Filesize: 64KB
- memory/776-147-0x000000001B9F0000-0x000000001BA40000-memory.dmp
  Filesize: 320KB
- memory/1504-217-0x000000001BE70000-0x000000001BE80000-memory.dmp
  Filesize: 64KB
- memory/1504-257-0x000000001BE70000-0x000000001BE80000-memory.dmp
  Filesize: 64KB
- memory/1504-218-0x000000001CF40000-0x000000001D102000-memory.dmp
  Filesize: 1.8MB
- memory/1504-219-0x000000001DB40000-0x000000001E068000-memory.dmp
  Filesize: 5.2MB
- memory/1504-255-0x000000001BDB0000-0x000000001BDE0000-memory.dmp
  Filesize: 192KB
- memory/1504-256-0x000000001D610000-0x000000001D7B9000-memory.dmp
  Filesize: 1.7MB
- memory/1756-164-0x000001E5BC310000-0x000001E5BC320000-memory.dmp
  Filesize: 64KB
- memory/1756-170-0x000001E5BC310000-0x000001E5BC320000-memory.dmp
  Filesize: 64KB
- memory/1756-188-0x000001E5D47B0000-0x000001E5D47D2000-memory.dmp
  Filesize: 136KB
- memory/2376-163-0x0000025247F40000-0x0000025247F50000-memory.dmp
  Filesize: 64KB
- memory/2376-161-0x0000025247F40000-0x0000025247F50000-memory.dmp
  Filesize: 64KB
- memory/4368-169-0x0000028F496E0000-0x0000028F496F0000-memory.dmp
  Filesize: 64KB
- memory/4368-168-0x0000028F496E0000-0x0000028F496F0000-memory.dmp
  Filesize: 64KB