Overview

overview

10

Static

static

urNhcPontS...a6.exe

windows7_x64

10

urNhcPontS...a6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    14-04-2022 20:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    urNhcPontS3CqKADa6.exe

  • Size

    2.6MB

  • MD5

    891ad0c1d43d7921cf6e6f9ab73780f1

  • SHA1

    e08164a1a1739058bfb304579375939091d05486

  • SHA256

    daa70703ccb884159de7c78591d45460ba7a14692db872dd5c459c883acd02a3

  • SHA512

    966066e1162b774907c2ae6b0677fc0c94d50fcbe737064071c79f2744e0a860b63737539a8864222a01eeaa269b0aa138ff2611e91207005fca93f78320ffc5

Score
10/10
dcratmetastealerinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat 7 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\urNhcPontS3CqKADa6.exe
    "C:\Users\Admin\AppData\Local\Temp\urNhcPontS3CqKADa6.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\urNhcPontS3CqKADa6.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\riched20\lsass.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Oracle\Java\javapath\sihost.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Idle.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PushToInstall\taskhostw.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget\OfficeClickToRun.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\smss.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\PerfLogs\Idle.exe
      "C:\PerfLogs\Idle.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4704d133-7567-4634-8e64-e57ad9205f6e.vbs"
        3⤵
          PID:4048
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb26409f-6d59-4e94-a56e-eb42a51eac42.vbs"
          3⤵
            PID:2172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\ProgramData\Oracle\Java\javapath\sihost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\riched20\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\PushToInstall\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3096
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:772

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PerfLogs\Idle.exe
        Filesize

        2.6MB

        MD5

        a2deed787c3258ca3efce7d3b69c826a

        SHA1

        128ebf107be28bf40c0cbffe2d2ab6d37bc4acbc

        SHA256

        e17fec8d04f16041f3a82feeedf64dbcbf2d37b060b6209cfbf748f5dfe01018

        SHA512

        a164d037543fdf7e27ff11fae1953df85386f1551999030ae73ea67ab3abbecbae3dad0f85f0c8cf40458d78037ef0d388f397f689a454db40ee51cd639eca4c

        Download Submit

      • C:\PerfLogs\Idle.exe
        Filesize

        2.6MB

        MD5

        a2deed787c3258ca3efce7d3b69c826a

        SHA1

        128ebf107be28bf40c0cbffe2d2ab6d37bc4acbc

        SHA256

        e17fec8d04f16041f3a82feeedf64dbcbf2d37b060b6209cfbf748f5dfe01018

        SHA512

        a164d037543fdf7e27ff11fae1953df85386f1551999030ae73ea67ab3abbecbae3dad0f85f0c8cf40458d78037ef0d388f397f689a454db40ee51cd639eca4c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        62623d22bd9e037191765d5083ce16a3

        SHA1

        4a07da6872672f715a4780513d95ed8ddeefd259

        SHA256

        95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

        SHA512

        9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        9611cc3fb39fedd4b0e81d90b044531c

        SHA1

        e35c10c1c1e29d44222114e0f72d58b3072880fd

        SHA256

        2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

        SHA512

        92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4704d133-7567-4634-8e64-e57ad9205f6e.vbs
        Filesize

        696B

        MD5

        e6ca5ebdf78fc0997df7fb14fd4c547e

        SHA1

        3ae38322b382c3b65b8fd4d595d3ba7c79454a9c

        SHA256

        b151b8340c06506f53f9b7ba8f4b7731eba5c15ba48ebac98eaf1ac5f0bc650e

        SHA512

        c02cef332bdf93d751f2f394ae461a146c005b6c55aaeb6b325590ebd96e50d5e82de27464e702d2f426cb919028c5c520c0713e991a302117d0e45f67713931

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\fb26409f-6d59-4e94-a56e-eb42a51eac42.vbs
        Filesize

        472B

        MD5

        8cc03b6efe3886d461635d0e79099b37

        SHA1

        7bee91e18081eaeed06e44c788a8c8c91995cc1d

        SHA256

        444385ac728219d51019fd132e3be75ab8a26de0a831d344ea64fcaa13e4baa5

        SHA512

        182d25f670742599a40f2f9b8c765ac2e6107a37f6a7b1b90af39a4e06df02fbc847225ca35e59df5ef30bee036218ab199da3bf361dae050e8473a3e001b74b

        Download Submit

      • memory/204-160-0x0000016AE9A13000-0x0000016AE9A15000-memory.dmp

        Filesize

        8KB

        Download

      • memory/204-169-0x0000016AE9A16000-0x0000016AE9A18000-memory.dmp

        Filesize

        8KB

        Download

      • memory/204-158-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/204-159-0x0000016AE9A10000-0x0000016AE9A12000-memory.dmp

        Filesize

        8KB

        Download

      • memory/308-155-0x000001F9E7EB0000-0x000001F9E7EB2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/308-153-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/308-166-0x000001F9E7EB6000-0x000001F9E7EB8000-memory.dmp

        Filesize

        8KB

        Download

      • memory/308-157-0x000001F9E7EB3000-0x000001F9E7EB5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1064-162-0x000001CE997D0000-0x000001CE997D2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1064-170-0x000001CE997D6000-0x000001CE997D8000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1064-163-0x000001CE997D3000-0x000001CE997D5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1064-161-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2412-140-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2412-168-0x0000013967E26000-0x0000013967E28000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2412-148-0x0000013967E23000-0x0000013967E25000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2412-141-0x0000013967E20000-0x0000013967E22000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2660-143-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2660-150-0x00000160A3113000-0x00000160A3115000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2660-149-0x00000160A3110000-0x00000160A3112000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2660-164-0x00000160A3116000-0x00000160A3118000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4252-126-0x000000001B810000-0x000000001B812000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4252-125-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4252-127-0x0000000002A10000-0x0000000002A60000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4252-128-0x000000001CED0000-0x000000001D3F8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4252-124-0x0000000000720000-0x00000000009CC000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4604-138-0x000002835C550000-0x000002835C552000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4604-139-0x000002835C553000-0x000002835C555000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4604-167-0x000002835C556000-0x000002835C558000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4604-136-0x000002835D2E0000-0x000002835D302000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4604-137-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4960-147-0x0000000000A20000-0x0000000000CCC000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4960-146-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4960-151-0x000000001B9D0000-0x000000001B9D2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5116-165-0x00000293DB346000-0x00000293DB348000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5116-152-0x00007FF9E3F00000-0x00007FF9E49C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5116-154-0x00000293DB340000-0x00000293DB342000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5116-156-0x00000293DB343000-0x00000293DB345000-memory.dmp

        Filesize

        8KB

        Download