Overview

overview

10

Static

static

urNhcPontS...a6.exe

windows7_x64

10

urNhcPontS...a6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294211s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    14-04-2022 20:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    urNhcPontS3CqKADa6.exe

  • Size

    2.6MB

  • MD5

    891ad0c1d43d7921cf6e6f9ab73780f1

  • SHA1

    e08164a1a1739058bfb304579375939091d05486

  • SHA256

    daa70703ccb884159de7c78591d45460ba7a14692db872dd5c459c883acd02a3

  • SHA512

    966066e1162b774907c2ae6b0677fc0c94d50fcbe737064071c79f2744e0a860b63737539a8864222a01eeaa269b0aa138ff2611e91207005fca93f78320ffc5

Score
10/10
dcratinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat 7 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 15 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\urNhcPontS3CqKADa6.exe
    "C:\Users\Admin\AppData\Local\Temp\urNhcPontS3CqKADa6.exe"
    1⤵
    • DcRat
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\urNhcPontS3CqKADa6.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\cf4a3ac2-a0e8-11ec-b024-e8593d876ae9\services.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\linkinfo\winlogon.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\wininit.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dfrgui\csrss.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\winlogon.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsLexicons0046\smss.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9cNOj6XI8U.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1636
        • C:\Windows\System32\dfrgui\csrss.exe
          "C:\Windows\System32\dfrgui\csrss.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1088
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ee08d30-2a28-4e04-9ddd-62ac884a538d.vbs"
            4⤵
              PID:2084
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5504c498-bdd0-44de-8885-e40e7dc2d99d.vbs"
              4⤵
                PID:2108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\cf4a3ac2-a0e8-11ec-b024-e8593d876ae9\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1240
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\linkinfo\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\dfrgui\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0046\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1636

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\5504c498-bdd0-44de-8885-e40e7dc2d99d.vbs
          Filesize

          488B

          MD5

          38057a2f74f18c172a570499f986dd58

          SHA1

          b7974e9e23297a07e420850a8037bc5af982960d

          SHA256

          3c67468e72648d72255b3071698c21a83ff5a267f9bb4b5dc1b3c78854db38f5

          SHA512

          87ec8a8778e10a990ae55fc7bcd2d3fbed4524b46c5eae941a9f17ef824079279cc032dca1e00c46919b6ebbcf640e7ba62ce2d2cab1df04b25e692cada2588b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6ee08d30-2a28-4e04-9ddd-62ac884a538d.vbs
          Filesize

          712B

          MD5

          c64a39f808acd1462b9b62a77ceb98e8

          SHA1

          e9624059cdfe12b8fbfae754bff94b7a627dbd55

          SHA256

          e9a6b7d3c352ac7bfd2068678869467f2124a4640a73b4fc9074eaf08379196a

          SHA512

          e6486d03403f70946e55c1542c60c9fe3aa2b31e4d591b1786800f8e2fda82b3d0efbf1dd959e1c6c8d703d5b43ae9e10deb839fc550cc816640b0c6e26fd28a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\9cNOj6XI8U.bat
          Filesize

          200B

          MD5

          348a34908b3280b443ac2a1ca043618c

          SHA1

          637e9721cb60c8c83cf31262a6587f9eed398030

          SHA256

          aa51df52aeaac6551a64d814609d7c820e454b1f4ea2a57245d4755cf815a40f

          SHA512

          c273efe9eaef4548661a081f8c6e7156dbd3956f9fc6a5afdc0403d1740042c59ba7663f95d654b76aea70addb0e857f0c0079571c3e19b8cc6f2d75089db296

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          9196d3074eb15b1699259943c74ef7b9

          SHA1

          6c5cabf4807acb851d8e74dc12be35ee0097fc52

          SHA256

          d079ef2e299f7bfc21b7634ef360c015709fed64cee215d5c54342e366f5b099

          SHA512

          cac3c0c0bb86cfd974529adae2da03279a742d173bd71a9f1952bbec5686ce955f3f9e816d044cfffc76f1fee5fe38a381ba9d5057192a6cdd37225c05966f46

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          9196d3074eb15b1699259943c74ef7b9

          SHA1

          6c5cabf4807acb851d8e74dc12be35ee0097fc52

          SHA256

          d079ef2e299f7bfc21b7634ef360c015709fed64cee215d5c54342e366f5b099

          SHA512

          cac3c0c0bb86cfd974529adae2da03279a742d173bd71a9f1952bbec5686ce955f3f9e816d044cfffc76f1fee5fe38a381ba9d5057192a6cdd37225c05966f46

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          9196d3074eb15b1699259943c74ef7b9

          SHA1

          6c5cabf4807acb851d8e74dc12be35ee0097fc52

          SHA256

          d079ef2e299f7bfc21b7634ef360c015709fed64cee215d5c54342e366f5b099

          SHA512

          cac3c0c0bb86cfd974529adae2da03279a742d173bd71a9f1952bbec5686ce955f3f9e816d044cfffc76f1fee5fe38a381ba9d5057192a6cdd37225c05966f46

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          9196d3074eb15b1699259943c74ef7b9

          SHA1

          6c5cabf4807acb851d8e74dc12be35ee0097fc52

          SHA256

          d079ef2e299f7bfc21b7634ef360c015709fed64cee215d5c54342e366f5b099

          SHA512

          cac3c0c0bb86cfd974529adae2da03279a742d173bd71a9f1952bbec5686ce955f3f9e816d044cfffc76f1fee5fe38a381ba9d5057192a6cdd37225c05966f46

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          9196d3074eb15b1699259943c74ef7b9

          SHA1

          6c5cabf4807acb851d8e74dc12be35ee0097fc52

          SHA256

          d079ef2e299f7bfc21b7634ef360c015709fed64cee215d5c54342e366f5b099

          SHA512

          cac3c0c0bb86cfd974529adae2da03279a742d173bd71a9f1952bbec5686ce955f3f9e816d044cfffc76f1fee5fe38a381ba9d5057192a6cdd37225c05966f46

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          9196d3074eb15b1699259943c74ef7b9

          SHA1

          6c5cabf4807acb851d8e74dc12be35ee0097fc52

          SHA256

          d079ef2e299f7bfc21b7634ef360c015709fed64cee215d5c54342e366f5b099

          SHA512

          cac3c0c0bb86cfd974529adae2da03279a742d173bd71a9f1952bbec5686ce955f3f9e816d044cfffc76f1fee5fe38a381ba9d5057192a6cdd37225c05966f46

          Download Submit

        • C:\Windows\System32\dfrgui\csrss.exe
          Filesize

          2.6MB

          MD5

          9a1a5880c3862fcb0f57cb7bf1e9a59f

          SHA1

          35be93ad2db5d7abef4ccb34e5a9f83e939c8c29

          SHA256

          369448cd2a648916e99f748de60c141999a3cd70fa4ca1d136b55360bb4ded09

          SHA512

          6359c0bb4cf4db126ca5d7a402ebecfc469e242dcd8d1efe417e006b5ea223bb295fc34e3d4ae754ae08f09ae2fb772eea49c3d2f82cde9b9dccf0c20022b69e

          Download Submit

        • C:\Windows\System32\dfrgui\csrss.exe
          Filesize

          2.6MB

          MD5

          9a1a5880c3862fcb0f57cb7bf1e9a59f

          SHA1

          35be93ad2db5d7abef4ccb34e5a9f83e939c8c29

          SHA256

          369448cd2a648916e99f748de60c141999a3cd70fa4ca1d136b55360bb4ded09

          SHA512

          6359c0bb4cf4db126ca5d7a402ebecfc469e242dcd8d1efe417e006b5ea223bb295fc34e3d4ae754ae08f09ae2fb772eea49c3d2f82cde9b9dccf0c20022b69e

          Download Submit

        • memory/112-90-0x000007FEE9E00000-0x000007FEEA95D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/112-128-0x000000001B770000-0x000000001BA6F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/112-102-0x00000000029F0000-0x00000000029F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/112-103-0x00000000029F2000-0x00000000029F4000-memory.dmp

          Filesize

          8KB

          Download

        • memory/112-139-0x00000000029FB000-0x0000000002A1A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/112-104-0x00000000029F4000-0x00000000029F7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/652-108-0x00000000025C2000-0x00000000025C4000-memory.dmp

          Filesize

          8KB

          Download

        • memory/652-136-0x00000000025CB000-0x00000000025EA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/652-113-0x000007FEE9E00000-0x000007FEEA95D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/652-125-0x000000001B830000-0x000000001BB2F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/652-107-0x00000000025C0000-0x00000000025C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/652-109-0x00000000025C4000-0x00000000025C7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/804-142-0x00000000027CB000-0x00000000027EA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/804-124-0x00000000027C0000-0x00000000027C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/804-123-0x000007FEE9E00000-0x000007FEEA95D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/804-140-0x00000000027C4000-0x00000000027C7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/804-131-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/908-89-0x000007FEE9E00000-0x000007FEEA95D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/908-143-0x000000000243B000-0x000000000245A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/908-129-0x000000001B740000-0x000000001BA3F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/908-98-0x0000000002430000-0x0000000002432000-memory.dmp

          Filesize

          8KB

          Download

        • memory/908-99-0x0000000002432000-0x0000000002434000-memory.dmp

          Filesize

          8KB

          Download

        • memory/908-100-0x0000000002434000-0x0000000002437000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1068-62-0x0000000002100000-0x0000000002156000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1068-66-0x0000000002150000-0x000000000215A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1068-59-0x00000000006C0000-0x00000000006D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1068-61-0x0000000000700000-0x0000000000710000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1068-63-0x0000000002040000-0x0000000002056000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1068-58-0x00000000006B0000-0x00000000006C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1068-64-0x00000000006F0000-0x00000000006F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1068-65-0x0000000000790000-0x00000000007A2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1068-57-0x00000000006A0000-0x00000000006A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1068-60-0x00000000006D0000-0x00000000006E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1068-67-0x0000000002160000-0x000000000216C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1068-54-0x0000000000010000-0x00000000002BC000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/1068-56-0x0000000000680000-0x000000000069C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1068-55-0x000000001B180000-0x000000001B182000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1068-68-0x0000000002170000-0x000000000217A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1088-119-0x000000001B090000-0x000000001B092000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1088-120-0x00000000008A0000-0x00000000008F6000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1088-121-0x00000000008F0000-0x0000000000902000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1088-118-0x0000000000020000-0x00000000002CC000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/1292-138-0x0000000001F9B000-0x0000000001FBA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1292-114-0x000007FEE9E00000-0x000007FEEA95D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1292-126-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1292-112-0x0000000001F94000-0x0000000001F97000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1292-111-0x0000000001F92000-0x0000000001F94000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1292-110-0x0000000001F90000-0x0000000001F92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1396-137-0x000000000248B000-0x00000000024AA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1396-86-0x000007FEE9E00000-0x000007FEEA95D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1396-96-0x0000000002482000-0x0000000002484000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1396-130-0x000000001B780000-0x000000001BA7F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1396-97-0x0000000002484000-0x0000000002487000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1396-95-0x0000000002480000-0x0000000002482000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1800-141-0x00000000022EB000-0x000000000230A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1800-91-0x000007FEE9E00000-0x000007FEEA95D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1800-101-0x00000000022E0000-0x00000000022E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1800-105-0x00000000022E2000-0x00000000022E4000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1800-127-0x000000001B840000-0x000000001BB3F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1800-76-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1800-106-0x00000000022E4000-0x00000000022E7000-memory.dmp

          Filesize

          12KB

          Download