Analysis
max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted
04-02-2024 09:41
Static task
static1
Behavioral task
behavioral1
Sample
8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Resource
win10v2004-20231222-en
General
Target
8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Size
1.6MB
MD5
8ed351e42a16628f6ed3c2d8c7b46d9f
SHA1
91812e5337d42ace0794b5d85b84205ba460ef22
SHA256
8df81f1dd45838d93492643da45db3beecf6e3f37bc3a6f5644f94f89d2d7d11
SHA512
1b25ad4ea4011d72c6982069e651a5e460c36f562f9af8be395a7f0d2a180a07815e3d20a42e953f7082228c93b34e01c88f54af39cec2aa4bbfae1e7d2e7a39
SSDEEP
49152:utv5FSXcj3BwQI0PKr3OJPiin3qcaif7M4avroP:upSMjRwQIa2ORJ3HaieoP
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral2/memory/4416-1-0x0000000000760000-0x0000000000BA0000-memory.dmp | dcrat
behavioral2/memory/4416-24-0x0000000000760000-0x0000000000BA0000-memory.dmp | dcrat
behavioral2/memory/4080-32-0x0000000000070000-0x00000000004B0000-memory.dmp | dcrat
behavioral2/memory/4080-30-0x0000000000070000-0x00000000004B0000-memory.dmp | dcrat
behavioral2/memory/4080-36-0x0000000000070000-0x00000000004B0000-memory.dmp | dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Executes dropped EXE 1 IoCs
pid | Process
4080 | OfficeClickToRun.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\wbem\wpdcomp\WmiPrvSE.exe | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created | C:\Windows\SysWOW64\wbem\wpdcomp\24dbde2999530ef5fd907494bc374d663924116c | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created | C:\Windows\SysWOW64\dhcpcsvc\fontdrvhost.exe | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created | C:\Windows\SysWOW64\dhcpcsvc\5b884080fd4f94e2695da25c503f9e33b9605b83 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created | C:\Windows\SysWOW64\wbem\wscenter\WmiPrvSE.exe | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created | C:\Windows\SysWOW64\wbem\wscenter\24dbde2999530ef5fd907494bc374d663924116c | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4080 | OfficeClickToRun.exe
4080 | OfficeClickToRun.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\886983d96e3d3e31032c679b2d4ea91b6c05afef | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2600 | schtasks.exe
4200 | schtasks.exe
4896 | schtasks.exe
1924 | schtasks.exe
4512 | schtasks.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2860 | PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4080 | OfficeClickToRun.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Token: SeDebugPrivilege | 4080 | OfficeClickToRun.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe
4080 | OfficeClickToRun.exe
Suspicious use of WriteProcessMemory 27 IoCs
description | pid | Process | procid_target
PID 4416 wrote to memory of 1924 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 91
PID 4416 wrote to memory of 1924 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 91
PID 4416 wrote to memory of 1924 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 91
PID 4416 wrote to memory of 4200 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 98
PID 4416 wrote to memory of 4200 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 98
PID 4416 wrote to memory of 4200 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 98
PID 4416 wrote to memory of 2600 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 97
PID 4416 wrote to memory of 2600 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 97
PID 4416 wrote to memory of 2600 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 97
PID 4416 wrote to memory of 4512 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 96
PID 4416 wrote to memory of 4512 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 96
PID 4416 wrote to memory of 4512 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 96
PID 4416 wrote to memory of 4896 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 100
PID 4416 wrote to memory of 4896 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 100
PID 4416 wrote to memory of 4896 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 100
PID 4416 wrote to memory of 1816 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 105
PID 4416 wrote to memory of 1816 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 105
PID 4416 wrote to memory of 1816 | 4416 | 8ed351e42a16628f6ed3c2d8c7b46d9f.exe | 105
PID 1816 wrote to memory of 1948 | 1816 | cmd.exe | 102
PID 1816 wrote to memory of 1948 | 1816 | cmd.exe | 102
PID 1816 wrote to memory of 1948 | 1816 | cmd.exe | 102
PID 1816 wrote to memory of 2860 | 1816 | cmd.exe | 101
PID 1816 wrote to memory of 2860 | 1816 | cmd.exe | 101
PID 1816 wrote to memory of 2860 | 1816 | cmd.exe | 101
PID 1816 wrote to memory of 4080 | 1816 | cmd.exe | 107
PID 1816 wrote to memory of 4080 | 1816 | cmd.exe | 107
PID 1816 wrote to memory of 4080 | 1816 | cmd.exe | 107
Processes
C:\Users\Admin\AppData\Local\Temp\8ed351e42a16628f6ed3c2d8c7b46d9f.exe
  "C:\Users\Admin\AppData\Local\Temp\8ed351e42a16628f6ed3c2d8c7b46d9f.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4416
  C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID:1924
  C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wscenter\WmiPrvSE.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID:4512
  C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\dhcpcsvc\fontdrvhost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID:2600
  C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wpdcomp\WmiPrvSE.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID:4200
  C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID:4896
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\icg1wVJtlk.bat"
    - Suspicious use of WriteProcessMemory
    PID:1816
    C:\odt\OfficeClickToRun.exe
      "C:\odt\OfficeClickToRun.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID:4080
C:\Windows\SysWOW64\PING.EXE
  ping -n 5 localhost
  - Runs ping.exe
  PID:2860
C:\Windows\SysWOW64\chcp.com
  chcp 65001
  PID:1948
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
193B
MD5
3b242e4155acbe2c93d48ba09b2f1fcb
SHA1
56e3e1070e79f0442fef98d91fc40a6a2278315e
SHA256
d63fa1f86452bfe5a31560df41ffdcaf35402c79edb8e6cb2b75ac6601e9e42e
SHA512
2c4444b4e80c606cc3507da73fca498a9aa55f4237c1a9d32726088adb2edcfd3043fe43ec70d763daaae3cf7f1a4a7e599691e53c2c909a196b462ee6842e5d

Filesize
1.1MB
MD5
fba59b146a036da519a3a8efa67bcdfc
SHA1
3f544a1323190e9cfd97044051ab241c1c1d7f05
SHA256
40652cbcf0b11bbdd9541e7bd81c81ef9467d4a5e6f982b276cd4ae08db067ba
SHA512
1988af39c3f46888c268688defade7231a02302ae601923ede84500198b8afd4bf5e5e8f7a767445e72c5abb1e4f488a9a14726c79964fd08a923b2bd95a19ee

Filesize
122KB
MD5
c5392478ea58aa9cc7ab220ab1cddbfb
SHA1
59e8e7aaab9e96c32dfc6b816e216c53b457c343
SHA256
b3690e08a497b72af16d90c91a7e47b91148236aa2a48cb25daaf4b426793b4b
SHA512
60bac1f98d8a5b73f04cf3fd56415936f0c0a9d07c997d38c15bb7b24c663be3f3a3e928b805a0d232c8dcfce535e36518c28e329561c1a0f0da305396f593d2

Filesize
77KB
MD5
cc9b5a9263071846026c20b3c843c9b7
SHA1
58cda6288cef6e257763f01b92ab1c4221cd34ba
SHA256
84880d8c20cd5c257588254d6daf01d67ed652e5da9b81fc56a2fed658e073eb
SHA512
f7903aa06b00461aa5e6a73e57dc1c09465a8fc49c569d12d282892953765de01c3b542a376cf06eeef668a52faa8b8c7c064d614ef7d62eed3e540a52817f7d