Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2023 14:16
Static task: static1
Behavioral task: behavioral1, sample file.exe, resource win7-20230220-en
Behavioral task: behavioral2, sample file.exe, resource win10v2004-20230220-en
General
Target: file.exe
Size: 897KB
MD5: 3a68a2cbeb827588f3749568b121a79b
SHA1: a40fc3b0c547826353088baf247b379f1e10f25d
SHA256: 2ab209c8b13fc820c0f2cd15de422053e94e2ca02b939ff97eeb2abceb5bb810
SHA512: 7ab8bb1605cfed214d05c6dac5dc05df0b66c90e7abe67629e8c879483d5f2784edae832f48acfc92c968a3da1f13e76e5db699890ed85b0c00bb551e0e70b7d
SSDEEP: 12288:x7Gmaojeh4hLyhLk9el5ih7XrIqEMbs0qFvPrVc8Ml1T5J4rNl99uF04r4hZZ1v6:MTMYP2tP4CKdKh
Malware Config
Signatures
DcRat
DarkCrystal (DcRat) is a .NET RAT, active since June 2019, that can load additional plugins.
resource: behavioral2/memory/3432-133-0x0000000000400000-0x00000000004CE000-memory.dmp, yara_rule: dcrat
The YARA match is on the memory dump of PID 3432 (AppLaunch.exe), i.e. the payload after it was injected into the .NET host, not on file.exe as it sits on disk. The rule fired only in the Windows 10 run (behavioral2).
Drops file in System32 directory (2 IoCs)
process svchost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C6EDF791-6F43-4FCF-A358-662DC9B717E3}.catalogItem
process svchost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A16B432B-313B-4426-A271-48AC476FAB34}.catalogItem
Both files are written by the svchost.exe -k netsvcs service host, which appears as its own root in the process tree below rather than as a child of file.exe, so this is most likely Windows InstallService background activity rather than behaviour of the sample.
Suspicious use of SetThreadContext (1 IoC)
PID 1876 (file.exe) set thread context of PID 3432 (AppLaunch.exe)
Program crash (1 IoC)
PID 2800 (WerFault.exe), target PID 1876 (file.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
process svchost.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
process svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
process svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 2 IoCs)
process svchost.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
process svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Suspicious behavior: EnumeratesProcesses (13 IoCs)
PID 3432 (AppLaunch.exe), 13 events
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 3432 (AppLaunch.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 3432 (AppLaunch.exe): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (5 IoCs)
PID 1876 (file.exe) wrote to memory of PID 3432 (AppLaunch.exe), 5 events
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
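The signatures above describe two things an analyst would want to score automatically: the process-hollowing sequence (file.exe resets a thread context in, and repeatedly writes memory into, a freshly started AppLaunch.exe) and the CPU/BIOS registry reads that Triage flags as sandbox fingerprinting. The following Python is an added example written for this page; it is not Triage's code or output format. The event record layout is an assumption, the events are constructed from the IoC rows above, the PID of svchost.exe is not shown in the report so 9999 is a placeholder, and the list of commonly hollowed .NET hosts is the author's, not the sandbox's.

```python
"""Score sandbox behavioural events for process hollowing and
sandbox-fingerprinting registry reads (added example, not Triage code)."""
from collections import defaultdict

# .NET framework binaries commonly started suspended and hollowed by loaders
# (assumed list for this example).
HOLLOWING_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe",
                   "msbuild.exe", "installutil.exe"}

# Registry subtrees that expose CPU/BIOS details used to detect sandboxes.
FINGERPRINT_KEYS = (r"HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR",
                    r"HARDWARE\DESCRIPTION\SYSTEM\BIOS")

# Constructed from the IoC rows in the report. Record layout is an assumption;
# svchost.exe's PID is not in the report, so 9999 is a placeholder.
EVENTS = [
    {"pid": 1876, "image": "file.exe", "op": "SetThreadContext",
     "target_pid": 3432, "target_image": "AppLaunch.exe"},
] + [
    {"pid": 1876, "image": "file.exe", "op": "WriteProcessMemory",
     "target_pid": 3432, "target_image": "AppLaunch.exe"}
    for _ in range(5)
] + [
    {"pid": 3432, "image": "AppLaunch.exe", "op": "AdjustPrivilegeToken",
     "detail": "SeDebugPrivilege"},
    {"pid": 9999, "image": "svchost.exe", "op": "RegOpenKey",
     "detail": r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"},
    {"pid": 9999, "image": "svchost.exe", "op": "RegQueryValue",
     "detail": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 9999, "image": "svchost.exe", "op": "RegQueryValue",
     "detail": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 9999, "image": "svchost.exe", "op": "RegOpenKey",
     "detail": r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"},
    {"pid": 9999, "image": "svchost.exe", "op": "RegQueryValue",
     "detail": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
]

# PIDs in the submitted sample's process tree (file.exe and the AppLaunch.exe
# it spawned). svchost.exe -k netsvcs is a separate root in the tree.
SAMPLE_PIDS = {1876, 3432}


def find_hollowing(events):
    """Pair SetThreadContext with WriteProcessMemory on the same (parent, target).
    A context reset alone has benign uses (debuggers); combined with
    cross-process writes into a known .NET host it is the hollowing signature."""
    ctx_targets = {}
    writes = defaultdict(int)
    for e in events:
        key = (e["pid"], e.get("target_pid"))
        if e["op"] == "SetThreadContext":
            ctx_targets[key] = e["target_image"]
        elif e["op"] == "WriteProcessMemory":
            writes[key] += 1
    hits = []
    for (parent, target), image in ctx_targets.items():
        if writes[(parent, target)] == 0:
            continue
        hits.append({"parent": parent, "target": target, "target_image": image,
                     "writes": writes[(parent, target)],
                     "known_host": image.lower() in HOLLOWING_HOSTS})
    return hits


def find_fingerprint_reads(events, sample_pids):
    """Registry reads under the CPU/BIOS keys, tagged with whether the reader
    belongs to the sample's tree. Reads by unrelated service hosts are OS
    background noise and must not be charged to the sample."""
    hits = []
    for e in events:
        if e["op"] not in ("RegOpenKey", "RegQueryValue"):
            continue
        if any(k in e["detail"].upper() for k in FINGERPRINT_KEYS):
            hits.append({"pid": e["pid"], "image": e["image"],
                         "path": e["detail"],
                         "from_sample": e["pid"] in sample_pids})
    return hits


def triage(events, sample_pids):
    """Combine both detections into a verdict with the evidence attached."""
    hollow = find_hollowing(events)
    reads = find_fingerprint_reads(events, sample_pids)
    sample_reads = [r for r in reads if r["from_sample"]]
    if any(h["known_host"] for h in hollow):
        verdict = "malicious"
    elif hollow or sample_reads:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hollowing": hollow,
            "fingerprint_reads": len(reads),
            "fingerprint_reads_from_sample": len(sample_reads)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS, SAMPLE_PIDS), indent=2))
```

Run against the constructed events this returns a "malicious" verdict on the strength of the hollowing pair alone, while all five fingerprint reads are attributed to svchost.exe and counted as zero against the sample. That attribution step is the point: in this report the registry signatures fire on a Windows service host, not on file.exe or AppLaunch.exe, and a scorer that ignores process lineage would inflate the sample's evasion score with OS noise.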
Processes
Indentation shows parent/child. PIDs from the signatures: file.exe 1876, AppLaunch.exe 3432, WerFault.exe 2800.

C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 152
      - Program crash

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1876 -ip 1876

file.exe launches the 32-bit .NET host AppLaunch.exe from its own path with no arguments and injects into it; the two WerFault.exe instances with -p 1876 are the crash handlers for file.exe (PID 1876), which crashed after the injection while the payload kept running inside AppLaunch.exe.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps of PID 3432, AppLaunch.exe)
memory/3432-133-0x0000000000400000-0x00000000004CE000-memory.dmp: 824KB
memory/3432-138-0x0000000005B90000-0x0000000006134000-memory.dmp: 5.6MB
memory/3432-139-0x0000000004E80000-0x0000000004E90000-memory.dmp: 64KB
memory/3432-140-0x00000000057B0000-0x0000000005800000-memory.dmp: 320KB
memory/3432-141-0x0000000006670000-0x0000000006B9C000-memory.dmp: 5.2MB
memory/3432-142-0x0000000006140000-0x00000000061A6000-memory.dmp: 408KB
memory/3432-145-0x0000000007040000-0x00000000070D2000-memory.dmp: 584KB
memory/3432-146-0x0000000004E80000-0x0000000004E90000-memory.dmp: 64KB
The first dump (image base 0x400000, 0xCE000 bytes = 824KB) is the region the dcrat YARA rule matched and is the one to pull for static analysis of the injected payload.