Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2023, 18:33
Static task: static1
Behavioral task: behavioral1
- Sample: Windscribe_2.5.18.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: Windscribe_2.5.18.exe
- Resource: win10v2004-20230703-en
General
- Target: Windscribe_2.5.18.exe
- Size: 20.5MB
- MD5: 8b45ea7fa70ea3e60c1642001ab66bb1
- SHA1: 69ab31a64f4d1c7ab2d5bf08b6ff05fe29efcfe1
- SHA256: 34b8535955457b70007bc360d6f60a59dc70bd0aa8030ccaff77a07bd38ca320
- SHA512: 9175435ca08cfbd498c5ab2dc63a29ebea508178397db2413d830a997673a2d60b4ca2178972c75dc57a33e9122e7d51aee2169dcc2dce8b445dcf33646a9b8e
- SSDEEP: 393216:uVgDgNg+Vim3Tp8YTLz4Iom3CgnuhGQ5DtOCmJ6z5OqHCQZFsAIWKCYoyLV0:uV2WIiGYTX4VPhZs7JSFlIW9V
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
  resource                                                              yara_rule
  behavioral1/files/0x000e00000001225c-5.dat                            dcrat
  behavioral1/files/0x000e00000001225c-7.dat                            dcrat
  behavioral1/files/0x000e00000001225c-12.dat                           dcrat
  behavioral1/files/0x000e00000001225c-9.dat                            dcrat
  behavioral1/files/0x000e00000001225c-14.dat                           dcrat
  behavioral1/files/0x000e00000001225c-15.dat                           dcrat
  behavioral1/files/0x0007000000016ce6-34.dat                           dcrat
  behavioral1/files/0x0007000000016ce6-33.dat                           dcrat
  behavioral1/files/0x0007000000016ce6-32.dat                           dcrat
  behavioral1/files/0x0007000000016ce6-31.dat                           dcrat
  behavioral1/memory/2508-35-0x0000000000150000-0x0000000000358000-memory.dmp   dcrat
  behavioral1/memory/2508-38-0x000000001B0F0000-0x000000001B170000-memory.dmp   dcrat
- Executes dropped EXE (4 IoCs)
  pid   Process
  2192  Windscribe_2.5.18.exe
  2844  Windscribe_2.5.18_licensekey.exe
  1196  Process not Found
  2508  Runtime Broker.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2616  Windscribe_2.5.18.exe
  2616  Windscribe_2.5.18.exe
  2616  Windscribe_2.5.18.exe
  2616  Windscribe_2.5.18.exe
  3028  cmd.exe
  3028  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2508  Runtime Broker.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                          pid   Process                 procid_target
  PID 2616 wrote to memory of 2192     2616  Windscribe_2.5.18.exe   28
  PID 2616 wrote to memory of 2192     2616  Windscribe_2.5.18.exe   28
  PID 2616 wrote to memory of 2192     2616  Windscribe_2.5.18.exe   28
  PID 2616 wrote to memory of 2192     2616  Windscribe_2.5.18.exe   28
  PID 2192 wrote to memory of 2900     2192  Windscribe_2.5.18.exe   29
  PID 2192 wrote to memory of 2900     2192  Windscribe_2.5.18.exe   29
  PID 2192 wrote to memory of 2900     2192  Windscribe_2.5.18.exe   29
  PID 2192 wrote to memory of 2900     2192  Windscribe_2.5.18.exe   29
  PID 2616 wrote to memory of 2844     2616  Windscribe_2.5.18.exe   30
  PID 2616 wrote to memory of 2844     2616  Windscribe_2.5.18.exe   30
  PID 2616 wrote to memory of 2844     2616  Windscribe_2.5.18.exe   30
  PID 2616 wrote to memory of 2844     2616  Windscribe_2.5.18.exe   30
  PID 2900 wrote to memory of 3028     2900  WScript.exe             33
  PID 2900 wrote to memory of 3028     2900  WScript.exe             33
  PID 2900 wrote to memory of 3028     2900  WScript.exe             33
  PID 2900 wrote to memory of 3028     2900  WScript.exe             33
  PID 3028 wrote to memory of 2508     3028  cmd.exe                 31
  PID 3028 wrote to memory of 2508     3028  cmd.exe                 31
  PID 3028 wrote to memory of 2508     3028  cmd.exe                 31
  PID 3028 wrote to memory of 2508     3028  cmd.exe                 31
Processes
- C:\Users\Admin\AppData\Local\Temp\Windscribe_2.5.18.exe (level 1, PID 2616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Windscribe_2.5.18.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe (level 2, PID 2192)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (level 3, PID 2900)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Temp\tmTZAu0ww6EK.vbe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 3028)
        Command line: cmd /c ""C:\Temp\2b3nvEZbyOKVLO0rFX9CQNCe.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe (level 2, PID 2844)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windscribe_2.5.18_licensekey.exe"
    - Executes dropped EXE
- C:\Temp\Runtime Broker.exe (level 1, PID 2508)
  Command line: "C:\Temp\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads