Analysis

  • max time kernel
    69s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-07-2021 07:53

General

  • Target

    2222-main/Build.exe

  • Size

    1.8MB

  • MD5

    9886d20dd6f3d896861cc5f8ea0ca84b

  • SHA1

    96ab3affa0279d5795a29f3e1ecae37546b8bb11

  • SHA256

    56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929

  • SHA512

    02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • DCRat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe
    "C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:416
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
          "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1440
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:516
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Boot\zh-CN\RuntimeBroker.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3992
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\takeown\dllhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3128
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\microsoft-windows-kernel-power-events\SppExtComObj.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3208
          • C:\Boot\zh-CN\RuntimeBroker.exe
            "C:\Boot\zh-CN\RuntimeBroker.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task: T1053 (1)
  • Persistence
    Winlogon Helper DLL: T1004 (1)
    Registry Run Keys / Startup Folder: T1060 (1)
    Scheduled Task: T1053 (1)
  • Privilege Escalation
    Scheduled Task: T1053 (1)
  • Defense Evasion
    Modify Registry: T1112 (2)
  • Discovery
    System Information Discovery: T1082 (1)

Downloads

  • C:\Boot\zh-CN\RuntimeBroker.exe
    MD5

    413be497be904c09aa8bfe8f0182a949

    SHA1

    9c5a69c83dbe2629290823d33c0afbce6d37f7bf

    SHA256

    6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

    SHA512

    01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

  • C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
    MD5

    413be497be904c09aa8bfe8f0182a949

    SHA1

    9c5a69c83dbe2629290823d33c0afbce6d37f7bf

    SHA256

    6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

    SHA512

    01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

  • C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe
    MD5

    559cdf34199c7353804d3d3550ccc3a3

    SHA1

    43da9eae85816d75b10f537452a9b5c2ef9ae1f6

    SHA256

    c1475bfc785af561b6954cd740f44083bbdb6e15b1dabbc2249e35b5eae82108

    SHA512

    a4431b8817a1464f54f01bc223f01c4673521e99289c010a4158d25bbe542a735b59d6a6de406e2a0efb3ed20de5958cf6bea5acb14069b9f690b0cde619c86c

  • C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat
    MD5

    d5f5523af702e22a702e95fadf058335

    SHA1

    e495f695eed69a9af60dd6303b20ce0df82cadbb

    SHA256

    5ae2bbf6e9576cb737edef26860e3f843c13b78cd77ed31ebb5578d80dbbcac3

    SHA512

    f0fbc8757d2083e8ea93f059d0fad236c2e45f8db67c6cf11801a225bee758f0761c5eac2d468c646adcf86028f3317931e704778cc5f2d971403873c3de82b6

  • memory/516-127-0x0000000000000000-mapping.dmp
  • memory/1316-125-0x0000000003090000-0x0000000003092000-memory.dmp
    Filesize

    8KB

  • memory/1316-123-0x0000000000D10000-0x0000000000D11000-memory.dmp
    Filesize

    4KB

  • memory/1316-120-0x0000000000000000-mapping.dmp
  • memory/1440-126-0x0000000000000000-mapping.dmp
  • memory/2176-119-0x0000000000000000-mapping.dmp
  • memory/2216-116-0x0000000000000000-mapping.dmp
  • memory/3128-129-0x0000000000000000-mapping.dmp
  • memory/3208-130-0x0000000000000000-mapping.dmp
  • memory/3992-128-0x0000000000000000-mapping.dmp
  • memory/4076-131-0x0000000000000000-mapping.dmp
  • memory/4076-136-0x000000001BF02000-0x000000001BF03000-memory.dmp
    Filesize

    4KB