Overview

Task list (score, target, platform). Target names are shown truncated exactly as the report renders them.

Static analysis task: score 10

Score  Target                    Platform
10     -pril-main...th.exe       windows10-2004-x64
10     -pril-main...aw.exe       windows10-2004-x64
10     -pril-main...wd.exe       windows10-2004-x64
7      -pril-main...gh.exe       windows10-2004-x64
10     -pril-main...se.exe       windows10-2004-x64
10     -pril-main...ed.exe       windows10-2004-x64
10     Installer/CapCut.exe      windows10-2004-x64
10     start-main...on.exe       windows10-2004-x64
8      start-main/Sushi.exe      windows10-2004-x64
10     start-main...wd.exe       windows10-2004-x64
1      start-main...sd.exe       windows10-2004-x64
10     start-main...fd.exe       windows10-2004-x64
10     start-main...we.exe       windows10-2004-x64
5      start-main...wd.exe       windows10-2004-x64
10     start-main...pu.exe       windows10-2004-x64
10     start-main...th.exe       windows10-2004-x64
5      start-main...ed.exe       windows10-2004-x64
10     start-main...fk.exe       windows10-2004-x64
5      start-main...ha.exe       windows10-2004-x64
10     start-main...ha.exe       windows10-2004-x64
10     start-main...ea.exe       windows10-2004-x64
10     start-main...as.exe       windows10-2004-x64
7      start-main...dw.exe       windows10-2004-x64
8      start-main...ha.exe       windows10-2004-x64
1      start-main...wt.exe       windows10-2004-x64
10     start-main...wd.exe       windows10-2004-x64
10     start-main...gh.exe       windows10-2004-x64
3      start-main/pdf.exe        windows10-2004-x64
10     start-main...dh.exe       windows10-2004-x64
10     start-main...as.exe       windows10-2004-x64
7      start-main...tj.exe       windows10-2004-x64
Analysis (score 10)

max time kernel: 136s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 08:01
Static task: static1

Behavioral tasks (all run on resource win10v2004-20241007-en):

behavioral1   -pril-main/dwthjadth.exe
behavioral2   -pril-main/feuiyjjdaw.exe
behavioral3   -pril-main/kldrgawdtjawd.exe
behavioral4   -pril-main/pothjadwtrgh.exe
behavioral5   -pril-main/ptjjsekfthse.exe
behavioral6   -pril-main/thadkythjawed.exe
behavioral7   Installer/CapCut.exe
behavioral8   start-main/Session.exe
behavioral9   start-main/Sushi.exe
behavioral10  start-main/fgthawd.exe
behavioral11  start-main/gawdrgasd.exe
behavioral12  start-main/hbfgjhhesfd.exe
behavioral13  start-main/hdawuithjawe.exe
behavioral14  start-main/hnfsefawd.exe
behavioral15  start-main/jerniuiopu.exe
behavioral16  start-main/jthusjefth.exe
behavioral17  start-main/jythjadthawed.exe
behavioral18  start-main/khseofk.exe
behavioral19  start-main/khtoawdltrha.exe
behavioral20  start-main/ksfawtyha.exe
behavioral21  start-main/ktyhpldea.exe
behavioral22  start-main/lhoefskghas.exe
behavioral23  start-main/ltpohpadw.exe
behavioral24  start-main/mhbiwejrtgha.exe
behavioral25  start-main/njrtdhadawt.exe
behavioral26  start-main/odrsfgawd.exe
behavioral27  start-main/opthjdkawrtgh.exe
behavioral28  start-main/pdf.exe
behavioral29  start-main/pthjadh.exe
behavioral30  start-main/ptihjawdthas.exe
behavioral31  start-main/yjadyjasfdtj.exe
General (this page covers behavioral26)

Target: start-main/odrsfgawd.exe
Size: 526KB
MD5: 29f1c1d7a651b39f96ec5cef9cd4071d
SHA1: ce27d36c953fe12c733c920ca9aee4199ee4dbb7
SHA256: bdf890b78dc6fd33cec86be7fe593714ae1b713f0644402819cabd5bba5f1bbd
SHA512: 24149490810f23f2b08fde9e7ab4c8702784bf26d5b72c76b0eab9dce5881fb3412faa6ec1f7c5e183a015fe4e7a3dc332d94782fbd21361f66f19f1cbbb659a
SSDEEP: 6144:tSveb1jQZD0wmWozuZW5DwwzqLhh13QEGQnh9lTRXvtkpAbj7KvaP5fsz61+:tom1Mh0AZYtzE3TvnhhXFU0j5M61+
Malware Config
Signatures

DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

Dcrat family
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: odrsfgawd.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""

Winlogon treats the Shell value as a comma-separated list and starts every entry, so the desktop still comes up normally while staticfile.exe is launched alongside explorer.exe at each interactive logon. This is a machine-wide (HKLM) value, so the write succeeding shows the sample was running with administrative rights in this run.
Process spawned unexpected child process (3 IoCs)
The sandbox's generic description reads "This typically indicates the parent process was compromised via an exploit or macro." In this run the parent is WmiPrvSE.exe, the WMI provider host, which is the parent you see when a process creates children through WMI (Win32_Process.Create); together with the "Uses Task Scheduler COM API" signature below this is consistent with the sample creating its scheduled tasks via WMI rather than with an exploited parent.
Processes: schtasks.exe (x3)
  PID 3196  schtasks.exe  parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2868, procid 86)
  PID 3520  schtasks.exe  parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2868, procid 86)
  PID 896   schtasks.exe  parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2868, procid 86)
DCRat payload (2 IoCs)
YARA rule family_dcrat_v2 matched:
  behavioral26/memory/1920-0-0x0000000000A70000-0x0000000000AFA000-memory.dmp  (memory of PID 1920, odrsfgawd.exe)
  behavioral26/files/0x000a000000023cc7-30.dat  (a dropped file)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Process: odrsfgawd.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
Process: PID 4284 staticfile.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: odrsfgawd.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile = "\"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile = "\"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""
The same autostart is written to both the user (HKCU) and machine (HKLM) Run keys, so removing only one of them leaves the other in place.
Drops file in System32 directory (2 IoCs)
Process: csc.exe
  File created: \??\c:\Windows\System32\CSC37DA9ADBF1D745D1B29811E72178283.TMP
  File created: \??\c:\Windows\System32\s_kgxh.exe
Both files are outputs of the runtime C# compilation shown in the process tree (csc.exe launched by the sample). Writing into System32 requires an elevated context, so these creations succeeding is another sign the run was administrative.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Sandbox description: adversaries may check for Internet connectivity on compromised systems. The only ping in this run is "ping -n 10 localhost" from the dropped batch file (PID 1476), which is a delay idiom rather than a connectivity probe, so this signature should not be read as network reconnaissance here.
Modifies registry class (1 IoC)
Process: odrsfgawd.exe
  Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings
Runs ping.exe (1 TTP, 1 IoC)
Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: PID 3196 schtasks.exe, PID 3520 schtasks.exe, PID 896 schtasks.exe (command lines in the process tree below)
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes: PID 1920 odrsfgawd.exe (12 events), PID 4284 staticfile.exe (20 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1920 odrsfgawd.exe
  Token: SeDebugPrivilege  PID 4284 staticfile.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Each process creation was logged as two write events, so six parent/child pairs account for the 12 IoCs:
  PID 1920 (odrsfgawd.exe) wrote to memory of 3568 csc.exe        (target procid 90)
  PID 3568 (csc.exe)       wrote to memory of 3468 cvtres.exe     (target procid 92)
  PID 1920 (odrsfgawd.exe) wrote to memory of 3100 cmd.exe        (target procid 93)
  PID 3100 (cmd.exe)       wrote to memory of 5112 chcp.com       (target procid 95)
  PID 3100 (cmd.exe)       wrote to memory of 1476 PING.EXE       (target procid 96)
  PID 3100 (cmd.exe)       wrote to memory of 4284 staticfile.exe (target procid 103)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)

odrsfgawd.exe  (PID 1920)
  Image: C:\Users\Admin\AppData\Local\Temp\start-main\odrsfgawd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\start-main\odrsfgawd.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  csc.exe  (PID 3568)
    Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\knspwv05\knspwv05.cmdline"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    cvtres.exe  (PID 3468)
      Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp" "c:\Windows\System32\CSC37DA9ADBF1D745D1B29811E72178283.TMP"

  cmd.exe  (PID 3100)
    Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JgS7PZGuqI.bat"
    - Suspicious use of WriteProcessMemory

    chcp.com  (PID 5112)
      Image: C:\Windows\system32\chcp.com
      Command line: chcp 65001

    PING.EXE  (PID 1476)
      Image: C:\Windows\system32\PING.EXE
      Command line: ping -n 10 localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    staticfile.exe  (PID 4284)
      Image: C:\Users\Admin\AppData\Local\staticfile.exe
      Command line: "C:\Users\Admin\AppData\Local\staticfile.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

schtasks.exe  (PID 3196)
  Image: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

schtasks.exe  (PID 3520)
  Image: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "staticfile" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

schtasks.exe  (PID 896)
  Image: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Reading the tree:
- csc.exe run with /noconfig /fullpaths @<temp>.cmdline, followed by cvtres.exe, is the invocation pattern of the .NET CodeDOM compiler (CSharpCodeProvider): the sample compiled C# source at runtime. The CSC...TMP and s_kgxh.exe files listed under "Drops file in System32 directory" are that compilation's outputs.
- The dropped batch file JgS7PZGuqI.bat does three things in order: switch the console to UTF-8 (chcp 65001), wait roughly nine seconds (ping -n 10 localhost, the usual cmd.exe substitute for sleep), then start the dropped copy C:\Users\Admin\AppData\Local\staticfile.exe.
- The three schtasks.exe processes sit at top level because their parent is WmiPrvSE.exe rather than a traced descendant of the sample, which is what process creation through WMI looks like.
- Two of the tasks share the name "staticfiles". The third /create uses /f, so it replaces the first; the end state on the host is two tasks, "staticfiles" (every 12 minutes, run level HIGHEST) and "staticfile" (at logon, run level HIGHEST), both pointing at the AppData copy.
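The persistence and execution artifacts above (Winlogon Shell entry, Run keys in user-writable locations, schtasks created under WmiPrvSE.exe with a name collision, the localhost ping delay, and the runtime csc.exe compile) reduce to a handful of checks that can be run over endpoint telemetry. The following is an added example written for this page, not code from the sandbox or from the sample: it replays constructed events assembled from the values shown in this report and returns a list of findings. The event layout (dicts with "kind", "image", "parent_image", "cmdline", ...) is an assumption of the example rather than any sandbox's export format.

```python
"""Detection checks for the persistence and execution artifacts in this report,
replayed over constructed events.  Added example: not part of the sandbox report
and not code from the sample.  The events below are assembled from values the
report shows; their layout ("kind", "image", "cmdline", ...) is this example's
own assumption, not a sandbox export format."""
import re

# Locations a standard user can write; autostarts pointing here deserve a look.
USER_WRITABLE = re.compile(
    r"[A-Z]:\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
# schtasks switches: '/tn name', '/sc MINUTE', '/tr "..."', or a bare '/f'.
SCHTASKS_OPT = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def winlogon_shell_extras(value):
    """Entries of a Winlogon\\Shell value other than explorer.exe.  Winlogon
    treats the value as a comma-separated list and starts every entry, which
    is why the appended staticfile.exe runs at each interactive logon."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]

def parse_schtasks_create(cmdline):
    """Task name, schedule, run level and target from a 'schtasks /create' line."""
    opts = {k.lower(): v.strip('"').strip("'") for k, v in SCHTASKS_OPT.findall(cmdline)}
    if "create" not in opts or "tn" not in opts:
        return None
    return {"name": opts["tn"], "sc": opts.get("sc", "").upper(), "mo": opts.get("mo"),
            "rl": opts.get("rl", "LIMITED").upper(),  # LIMITED is the schtasks default
            "target": opts.get("tr", ""), "force": "f" in opts}

def effective_tasks(cmdlines):
    """Replay /create commands in order.  Re-creating an existing task name only
    succeeds with /f, and then replaces the earlier definition (the sample's two
    'staticfiles' tasks); without /f schtasks refuses and the first one survives."""
    tasks = {}
    for cmd in cmdlines:
        task = parse_schtasks_create(cmd)
        if task and (task["name"] not in tasks or task["force"]):
            tasks[task["name"]] = task
    return tasks

def analyze(events):
    """Return finding strings for a list of registry_set / process_create events."""
    findings, schtasks_cmds = [], []
    for ev in events:
        if ev["kind"] == "registry_set":
            key, target = ev["key"].lower(), ev["value"].strip('"')
            if key.endswith("\\winlogon\\shell"):
                findings += [f"winlogon_shell_extra:{e}" for e in winlogon_shell_extras(ev["value"])]
            elif "\\currentversion\\run\\" in key and USER_WRITABLE.search(target):
                findings.append(f"run_key_user_writable:{target}")
        elif ev["kind"] == "process_create":
            child, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
            if child == "schtasks.exe":
                schtasks_cmds.append(cmd)
                if parent == "wmiprvse.exe":  # created through WMI, not a compromised parent
                    findings.append(f"schtasks_via_wmi:pid={ev['pid']}")
            elif child == "ping.exe" and parent == "cmd.exe" and re.search(
                    r"-n\s+\d+\s+(localhost|127\.0\.0\.1)\b", cmd, re.I):
                findings.append("ping_localhost_delay")  # cmd has no sleep; this is the idiom
            elif child == "csc.exe" and ".cmdline" in cmd.lower() and "\\temp\\" in cmd.lower():
                findings.append(f"runtime_csc_compile:parent={parent}")  # CodeDOM-style build
    for name, task in effective_tasks(schtasks_cmds).items():
        if USER_WRITABLE.search(task["target"]):
            findings.append(f"task_user_writable:{name}:{task['sc']}:{task['rl']}")
    return findings

# Constructed from the PIDs, paths and command lines shown in the report above.
SAMPLE_EVENTS = [
    {"kind": "registry_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r'explorer.exe, "C:\Users\Admin\AppData\Local\staticfile.exe"'},
    {"kind": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile",
     "value": r'"C:\Users\Admin\AppData\Local\staticfile.exe"'},
    {"kind": "process_create", "pid": 3568, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\start-main\odrsfgawd.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\knspwv05\knspwv05.cmdline"'},
    {"kind": "process_create", "pid": 1476, "image": r"C:\Windows\system32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "ping -n 10 localhost"},
] + [
    {"kind": "process_create", "pid": pid, "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe", "cmdline": cmd}
    for pid, cmd in [
        (3196, r"""schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /f"""),
        (3520, r"""schtasks.exe /create /tn "staticfile" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f"""),
        (896, r"""schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f"""),
    ]
]

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_EVENTS)))
```

Running the block prints one finding per artifact, in event order, ending with the two tasks that survive the replay: effective_tasks keeps "staticfiles" at the 12-minute HIGHEST definition because the third /create carried /f, so a responder will find two tasks on the host, not three. The WmiPrvSE.exe parent check is deliberately a separate finding from the task content, since a WMI-launched schtasks is a strong signal on its own even when the task body looks benign.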
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads (dropped files)

Filesize: 171B
MD5: cb7bf0bc260ea947008cb459e8abb2ea
SHA1: 4645f05ef97e75fde1e093924bfad14c819d7ae5
SHA256: b6de8673751e46458c8e750ed1d87e293a9b7a3095480c20142237ba83757ef4
SHA512: 2b8a26b15e09ac41b432c913bab54f84f18c5889e009b6bf5c86d5518dc9cbceb3ac22c7f8b49a29468adf760db4c34a03e2a39f3b33cc806da9b8dbd7806765

Filesize: 1KB
MD5: 55a83f8c997973d4231172cbda6acc4c
SHA1: b72ead8bec4ec7c835d94ad450beed061eb1985d
SHA256: 33e2d105d024f60e74f229c67dc088bdb2258164ab28685bbb8ee67860189748
SHA512: 2407ae6676b78bdf52fb3b85234bd7f0a911e73a1711ae16cde4b96b6c503cea97b22c7e43c98c9063c0508b87be5839de544f1cff567291f4e77968dc38acc4

Filesize: 526KB (hashes identical to the submitted sample start-main/odrsfgawd.exe, consistent with the sample copying itself to staticfile.exe)
MD5: 29f1c1d7a651b39f96ec5cef9cd4071d
SHA1: ce27d36c953fe12c733c920ca9aee4199ee4dbb7
SHA256: bdf890b78dc6fd33cec86be7fe593714ae1b713f0644402819cabd5bba5f1bbd
SHA512: 24149490810f23f2b08fde9e7ab4c8702784bf26d5b72c76b0eab9dce5881fb3412faa6ec1f7c5e183a015fe4e7a3dc332d94782fbd21361f66f19f1cbbb659a

Filesize: 375B
MD5: ffffa19ce1cc39b87d5713ac34aeeb6e
SHA1: 429b4625aae45e52e3bed7e8ddcaba8189f34553
SHA256: 0891750ea889ac41d3afd52c14cd8a90ddac2defebf49aa7e07a488e4dc6bc77
SHA512: 2673a04bff5e8a09622982ecfc2f384a102da0fb90084d888564c3dfe5da96efe43dd688ea25b1374566a0ddccdf49d972649af98a87f1916f095d1794d7fe68

Filesize: 235B
MD5: 5c9f5d1d993507b20db6b18b67644c89
SHA1: 3fecb77f04b5664832357e2d73b22bb11f75b5a6
SHA256: 562d7c95d077f55a238b3bb89b0d6e634a46b9dd5d55134f715178302fc42dda
SHA512: d51e66fa62ce3381c7694a05bc70c6db0ac3ed5d230d49aec2e44af1056f51b2c1e7746de4a3471527326db53a657dceb7335447b27a17b71bbaef9e0443847b

Filesize: 1KB
MD5: 634e281a00b7b9f516c3048badfa1530
SHA1: af6369715ce2fe9b99609e470d4f66698880a35a
SHA256: 0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8
SHA512: 1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b