Analysis
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-06-2023 10:57

Static task: static1
Behavioral task: behavioral1
  Sample: 71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe
  Resource: win10v2004-20230220-en
General
Target: 71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe
Size: 3.4MB
MD5: 8136421aa9596cb02a6c30a99b376db5
SHA1: a4866f30925441944eb06e9540fd8740a7302b84
SHA256: 71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8
SHA512: a6b2fcb864ecc6b10a2a08373d12d8f59f16e9ca22b1b014c2326807a1bb90ab84e1a0b9afd637a408c179f9025eee28f017e35bf6543fb59e06a12c9860bf8c
SSDEEP: 24576:0BgrBN6i/BEuM75fCJaBSDVdMYHl6I4H8ykD3A:yIWqgBSDAYHl4cykD3A
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
YARA match:
  resource: behavioral2/memory/1976-133-0x0000000000400000-0x00000000004D8000-memory.dmp
  yara_rule: dcrat
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 22: ipinfo.io
  flow 23: ipinfo.io
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 1672 set thread context of 1976
  process: 71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe (pid 1672)
  target process: InstallUtil.exe (pid 1976)
Program crash (1 IoC)
Processes:
  process: WerFault.exe (pid 3620)
  target process: 71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe (pid_target 1672)
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  InstallUtil.exe (pid 1976), 15 events
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  InstallUtil.exe (pid 1976)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  process: InstallUtil.exe (pid 1976)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description: PID 1672 wrote to memory of 1976 (8 events)
  process: 71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe (pid 1672)
  target process: InstallUtil.exe (pid 1976)
Processes
C:\Users\Admin\AppData\Local\Temp\71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 448
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1672 -ip 1672
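The chain recorded above (the sample writes into a freshly started, argument-less InstallUtil.exe, then calls SetThreadContext on it; the child goes on to query ipinfo.io while the parent dies into WerFault) is the usual .NET process-hollowing pattern. As an added example, not part of this report and not any sandbox's own rule set, the Python below replays events constructed from the PIDs, images and IoCs listed here through a small detector for that chain. The event schema, the extra host binaries in HOLLOW_HOSTS and the extra lookup services in IP_LOOKUP_HOSTS are assumptions; only InstallUtil.exe, WerFault.exe and ipinfo.io come from the report.

```python
# Added example (not the sandbox's own rules): replay events constructed from the
# report and flag the .NET process-hollowing chain. Event schema is an assumption.
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Hollowing hosts: InstallUtil.exe is from the report, the rest are assumed additions.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
# Public-IP lookup services: ipinfo.io is from the report, the rest are assumed.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "icanhazip.com"}

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe")
INSTALLUTIL = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
WERFAULT = "C:\\Windows\\SysWOW64\\WerFault.exe"

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

def _basename(image):
    return ntpath.basename(image).lower()

def _has_arguments(cmdline):
    """True if anything follows the (possibly quoted) executable path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return bool(rest.strip())

def _werfault_target(cmdline):
    """PID named by WerFault's -p switch, or None."""
    parts = cmdline.split()
    if "-p" in parts and parts.index("-p") + 1 < len(parts):
        return int(parts[parts.index("-p") + 1])
    return None

def analyze(events):
    image, cmdline = {}, {}
    writes = defaultdict(int)   # (src, dst) -> WriteProcessMemory count
    ctx = set()                 # (src, dst) pairs with SetThreadContext
    lookups = defaultdict(set)  # pid -> IP-lookup hosts contacted
    crashed = set()             # PIDs handed to WerFault via -p
    for ev in events:
        t = ev["type"]
        if t == "process_create":
            image[ev["pid"]], cmdline[ev["pid"]] = ev["image"], ev.get("cmdline", "")
            if _basename(ev["image"]) == "werfault.exe":
                target = _werfault_target(ev.get("cmdline", ""))
                if target is not None:
                    crashed.add(target)
        elif t == "write_process_memory":
            writes[(ev["pid"], ev["target_pid"])] += 1
        elif t == "set_thread_context":
            ctx.add((ev["pid"], ev["target_pid"]))
        elif t == "dns" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            lookups[ev["pid"]].add(ev["host"].lower())

    findings, hollowed, injectors = [], set(), set()
    for src, dst in sorted(ctx):
        # Hollowing = a write plus a context change into another process whose image
        # is a known host; a bare command line is the extra tell, since a legitimate
        # InstallUtil run names an assembly to install.
        if src == dst or writes[(src, dst)] == 0:
            continue
        host = _basename(image.get(dst, ""))
        if host not in HOLLOW_HOSTS:
            continue
        args = "has arguments" if _has_arguments(cmdline.get(dst, "")) else "no arguments"
        hollowed.add(dst)
        injectors.add(src)
        findings.append(Finding("process_hollowing", src,
            f"{_basename(image.get(src, '?'))} (pid {src}) wrote {writes[(src, dst)]}x then "
            f"set thread context of {host} (pid {dst}); {args}"))
    for pid in sorted(lookups):
        rule = "hollowed_process_ip_lookup" if pid in hollowed else "external_ip_lookup"
        findings.append(Finding(rule, pid, ", ".join(sorted(lookups[pid]))))
    for pid in sorted(crashed & injectors):
        # The injector dying after the hand-off leaves only the hollowed child running.
        findings.append(Finding("injector_crashed", pid, "WerFault -p names an injecting process"))
    return findings

def sample_events():
    """Constructed from the report's process tree and signatures (not a real capture)."""
    ev = [{"type": "process_create", "pid": 1672, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
          {"type": "process_create", "pid": 1976, "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"'}]
    ev += [{"type": "write_process_memory", "pid": 1672, "target_pid": 1976}] * 8
    ev.append({"type": "set_thread_context", "pid": 1672, "target_pid": 1976})
    ev += [{"type": "dns", "pid": 1976, "host": "ipinfo.io"}] * 2
    ev.append({"type": "process_create", "pid": 3620, "image": WERFAULT,
               "cmdline": f"{WERFAULT} -u -p 1672 -s 448"})
    return ev

def benign_events():
    """Constructed: InstallUtil run legitimately with an assembly argument and no injection."""
    return [{"type": "process_create", "pid": 500, "image": INSTALLUTIL,
             "cmdline": f'"{INSTALLUTIL}" C:\\App\\Service.exe'}]
```

Running `analyze(sample_events())` yields three findings: the hollowing of InstallUtil.exe (pid 1976) by pid 1672 after 8 writes, the IP lookup from the hollowed child, and the injector's crash. The benign set (InstallUtil launched with an assembly path and no cross-process writes) yields nothing, which is the point of requiring write plus SetThreadContext plus a known host rather than alerting on any bare InstallUtil.exe start.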
Downloads (memory dumps from pid 1976)
memory/1976-133-0x0000000000400000-0x00000000004D8000-memory.dmp: 864KB
memory/1976-134-0x0000000006400000-0x00000000069A4000-memory.dmp: 5.6MB
memory/1976-135-0x0000000005870000-0x0000000005880000-memory.dmp: 64KB
memory/1976-136-0x0000000006190000-0x00000000061F6000-memory.dmp: 408KB
memory/1976-137-0x0000000006300000-0x0000000006350000-memory.dmp: 320KB
memory/1976-138-0x00000000069B0000-0x0000000006A42000-memory.dmp: 584KB
memory/1976-139-0x0000000005870000-0x0000000005880000-memory.dmp: 64KB
memory/1976-140-0x0000000005870000-0x0000000005880000-memory.dmp: 64KB
memory/1976-141-0x00000000073A0000-0x0000000007562000-memory.dmp: 1.8MB
memory/1976-142-0x0000000005870000-0x0000000005880000-memory.dmp: 64KB
memory/1976-143-0x0000000005870000-0x0000000005880000-memory.dmp: 64KB
memory/1976-144-0x0000000005870000-0x0000000005880000-memory.dmp: 64KB
memory/1976-145-0x0000000007DE0000-0x000000000830C000-memory.dmp: 5.2MB