Analysis
- max time kernel: 93s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2023 03:06
Behavioral task: behavioral1
- Sample: HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
- Resource: win10v2004-20230220-en
General
- Target: HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
- Size: 1.4MB
- MD5: 86855a4c90ef303681ee3d2139033042
- SHA1: 8492cdedf5f5a61c08582607c1bbede20c325020
- SHA256: ea8525ed14bdc8f98f18f97b86b2853749eb99f1a517b7dfed4257dae18a7ce9
- SHA512: a091565a282bb7bba6a3c23fbb198d9eb59cde9a9d8c2877eb25b690468c0696bc9ef45fd47e2c0930e2aee10b953b308305ea8f0e2729c385127c581be95d79
- SSDEEP: 24576:q2G/nvxW3WuU7l19j0EF+b9ZEFMwHjM7pyscuEHvbp/lgN+4:qbA3Q2BZEHw7pWIU
Malware Config
Signatures
- DcRat (6 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  pid | process
  4644 | schtasks.exe
  3156 | schtasks.exe
  4204 | schtasks.exe
  (registry IoC) Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
  4548 | schtasks.exe
  3360 | schtasks.exe
- Process spawned unexpected child process (5 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 3004 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3360 | 3004 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4644 | 3004 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3156 | 3004 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4204 | 3004 | schtasks.exe
Processes:
  resource | yara_rule
  C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe | dcrat
  C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe | dcrat
  behavioral2/memory/4476-146-0x0000000000720000-0x000000000083A000-memory.dmp | dcrat
  C:\Windows\SysWOW64\nlhtml\cmd.exe | dcrat
  C:\Windows\System32\WPDSp\fontdrvhost.exe | dcrat
  C:\Windows\System32\WPDSp\fontdrvhost.exe | dcrat
- Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | FontDriverSessionintoRuntimenet.exe
- Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  4476 | FontDriverSessionintoRuntimenet.exe
  4648 | fontdrvhost.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\Migration\\WTR\\backgroundTaskHost.exe\"" | FontDriverSessionintoRuntimenet.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\WPDSp\\fontdrvhost.exe\"" | FontDriverSessionintoRuntimenet.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\FontDriverSession\\csrss.exe\"" | FontDriverSessionintoRuntimenet.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\setupact\\sysmon.exe\"" | FontDriverSessionintoRuntimenet.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\nlhtml\\cmd.exe\"" | FontDriverSessionintoRuntimenet.exe
- Drops file in System32 directory (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\nlhtml\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228 | FontDriverSessionintoRuntimenet.exe
  File created | C:\Windows\System32\WPDSp\fontdrvhost.exe | FontDriverSessionintoRuntimenet.exe
  File created | C:\Windows\System32\WPDSp\5b884080fd4f94e2695da25c503f9e33b9605b83 | FontDriverSessionintoRuntimenet.exe
  File created | C:\Windows\SysWOW64\nlhtml\cmd.exe | FontDriverSessionintoRuntimenet.exe
- Drops file in Windows directory (5 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\Migration\WTR\backgroundTaskHost.exe | FontDriverSessionintoRuntimenet.exe
  File created | C:\Windows\Migration\WTR\eddb19405b7ce1152b3e19997f2b467f0b72b3d3 | FontDriverSessionintoRuntimenet.exe
  File created | C:\Windows\setupact\sysmon.exe | FontDriverSessionintoRuntimenet.exe
  File opened for modification | C:\Windows\setupact\sysmon.exe | FontDriverSessionintoRuntimenet.exe
  File created | C:\Windows\setupact\121e5b5079f7c0e46d90f99b3864022518bbbda9 | FontDriverSessionintoRuntimenet.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  4204 | schtasks.exe
  4548 | schtasks.exe
  3360 | schtasks.exe
  4644 | schtasks.exe
  3156 | schtasks.exe
- Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  4476 | FontDriverSessionintoRuntimenet.exe
  4476 | FontDriverSessionintoRuntimenet.exe
  4476 | FontDriverSessionintoRuntimenet.exe
  4648 | fontdrvhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4476 | FontDriverSessionintoRuntimenet.exe
  Token: SeDebugPrivilege | 4648 | fontdrvhost.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process
  PID 4412 wrote to memory of 1500 | 4412 | HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe | WScript.exe
  PID 4412 wrote to memory of 1500 | 4412 | HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe | WScript.exe
  PID 4412 wrote to memory of 1500 | 4412 | HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe | WScript.exe
  PID 1500 wrote to memory of 2372 | 1500 | WScript.exe | cmd.exe
  PID 1500 wrote to memory of 2372 | 1500 | WScript.exe | cmd.exe
  PID 1500 wrote to memory of 2372 | 1500 | WScript.exe | cmd.exe
  PID 2372 wrote to memory of 4476 | 2372 | cmd.exe | FontDriverSessionintoRuntimenet.exe
  PID 2372 wrote to memory of 4476 | 2372 | cmd.exe | FontDriverSessionintoRuntimenet.exe
  PID 4476 wrote to memory of 4648 | 4476 | FontDriverSessionintoRuntimenet.exe | fontdrvhost.exe
  PID 4476 wrote to memory of 4648 | 4476 | FontDriverSessionintoRuntimenet.exe | fontdrvhost.exe
- Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe"
  - DcRat
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\FontDriverSession\cPZCKnDLEbcUj6.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\FontDriverSession\eD4OHy4urtKXgDWHI7.bat" "
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe
        Command line: "C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\System32\WPDSp\fontdrvhost.exe
          Command line: "C:\Windows\System32\WPDSp\fontdrvhost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\setupact\sysmon.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\nlhtml\cmd.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\backgroundTaskHost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\WPDSp\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\FontDriverSession\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe
  Filesize: 1.1MB
  MD5: 0cf708a5d6a1798ad4044479830c15e9
  SHA1: 4f631e26309dd21716b465f962e69fdfa9b30727
  SHA256: 2a4fe636c4e72fe06ff8371024951b163954e5b1d35970eaf26540ffa332a7e5
  SHA512: 7385586c8ad62384bb0e66932e2e0d62afdc1ec357b8a97e71778557961c8939a055bed96382f8b3e89af41b7da37e9805471dce7ed2ed31fb25865c368e30dd
- C:\FontDriverSession\cPZCKnDLEbcUj6.vbe
  Filesize: 212B
  MD5: 208d2c7db202616f22fea0fde88b7440
  SHA1: 6bc69d8e5b730bd7f0665bc7f4e181b68af0914d
  SHA256: bc958bcffdc07a6c0c86d91d1bfdfb2cbf6e552a6677ba6f89251620f3cb0b10
  SHA512: 84cde4d5b4c1285dc8afca4bd4a0a415417b47befe6b38ddb3b529b3142d8bb7c61ef4f6176d958931b5df663f43dd92f2385d957999e2e379bcb1820e75fa33
- C:\FontDriverSession\eD4OHy4urtKXgDWHI7.bat
  Filesize: 58B
  MD5: efd9703e54aad815ef609078225b11bd
  SHA1: 91471d48f477f0f8978cbee215f791ac37148274
  SHA256: a9227a123265509b3d0ad51aa9cf6d8a091c86d8acaa922251351ee173ee7838
  SHA512: 3b4b002e0de1669cd0693a15f5d4653f5d3f6d16409c790066ca8d91e9658052e7182342034a8a6bbb539884c32005b58b9ce579f581753b3f682a4fce5996f5
- C:\Windows\SysWOW64\nlhtml\cmd.exe
  Filesize: 1.1MB
  MD5: 0cf708a5d6a1798ad4044479830c15e9
  SHA1: 4f631e26309dd21716b465f962e69fdfa9b30727
  SHA256: 2a4fe636c4e72fe06ff8371024951b163954e5b1d35970eaf26540ffa332a7e5
  SHA512: 7385586c8ad62384bb0e66932e2e0d62afdc1ec357b8a97e71778557961c8939a055bed96382f8b3e89af41b7da37e9805471dce7ed2ed31fb25865c368e30dd
- C:\Windows\System32\WPDSp\fontdrvhost.exe
  Filesize: 1.1MB
  MD5: 0cf708a5d6a1798ad4044479830c15e9
  SHA1: 4f631e26309dd21716b465f962e69fdfa9b30727
  SHA256: 2a4fe636c4e72fe06ff8371024951b163954e5b1d35970eaf26540ffa332a7e5
  SHA512: 7385586c8ad62384bb0e66932e2e0d62afdc1ec357b8a97e71778557961c8939a055bed96382f8b3e89af41b7da37e9805471dce7ed2ed31fb25865c368e30dd
- memory/4476-146-0x0000000000720000-0x000000000083A000-memory.dmp
  Filesize: 1.1MB
- memory/4476-147-0x0000000001020000-0x0000000001030000-memory.dmp
  Filesize: 64KB
- memory/4648-169-0x0000000002A90000-0x0000000002AA0000-memory.dmp
  Filesize: 64KB