Overview

overview

10

Static

static

10

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    302s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    22-01-2023 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe

  • Size

    1.3MB

  • MD5

    b9a0002e9a104374dea2f4ba571f1764

  • SHA1

    627488abb7aeeb5f8f411a9694cebd6b4748a86f

  • SHA256

    5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

  • SHA512

    439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5

  • SSDEEP

    24576:U2G/nvxW3Ww0t4952ytIS/Zgi5N5vC8bg7Mj9W4eHdELPh:UbA30QAytISht5q8bQMB4o

Score
10/10
dcratevasioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
    persistence
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe
    "C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
          "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:324
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dO9tjRSg4o.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1748
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1728
              • C:\Users\All Users\Start Menu\csrss.exe
                "C:\Users\All Users\Start Menu\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1488
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1192
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:436

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\csrss.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dO9tjRSg4o.bat
      Filesize

      204B

      MD5

      51368d4b8d43af37919877da00252470

      SHA1

      df38e901e4a4e0d8cae50c1a5a99cef4684d0c6e

      SHA256

      3f1052d1a2b83e826f67672215b283f81b1368a6ee83c4f09fde39c8d1ef9ee0

      SHA512

      8771bc3ba4788e5ad75b8bd14c448de8257be6f7d503a832e9e596f9fc9d878f26672c37d3c12b0aac70c53ff7db9098d986de1973f8dbc75ac8fa7a00dbbec6

      Download Submit
    • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat
      Filesize

      173B

      MD5

      2445216481e9c79fe7a7d2dddd5dd047

      SHA1

      5caaf8f423f587b26c0d98bb57db0e295d7ca6a7

      SHA256

      0d8405ad4bde2e23144377872f204baf9cdbc1343a55c075dabeec49a64c7c3d

      SHA512

      7000b171a053a0bb20c435765f2c76272e71eb4f429e2b500282f4765b9141757cdcb93a94480ae8ae0b78624098a02bb71caa111e8ab516f12c863725f86484

      Download Submit
    • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe
      Filesize

      221B

      MD5

      fc584ab062886ba5b7b34c8a8e4f1809

      SHA1

      6be7eeee2021f69be9e4513f0cb28408a56caba9

      SHA256

      873395e08f2ca43b4698329c5e2b6667dec76f2eeb08b05a1cff0a14e5a9db76

      SHA512

      a74d1b3567e169ed0ec0d135e31312eeae71f87e43c2311a16539f670116f2ce75bb4b4f33a6b462aa417c3764637b3e6c027b44728b2da7874031ac0cc4a7b8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • C:\Users\All Users\Start Menu\csrss.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • \Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • \Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • memory/272-71-0x0000000000000000-mapping.dmp
      Download
    • memory/324-65-0x00000000012D0000-0x00000000013DA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/324-66-0x0000000000240000-0x0000000000250000-memory.dmp
      Filesize

      64KB

      Download
    • memory/324-67-0x0000000000250000-0x000000000025C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/324-68-0x0000000000260000-0x0000000000268000-memory.dmp
      Filesize

      32KB

      Download
    • memory/324-69-0x0000000000270000-0x000000000027C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/324-63-0x0000000000000000-mapping.dmp
      Download
    • memory/840-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1352-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1488-75-0x0000000000000000-mapping.dmp
      Download
    • memory/1488-77-0x0000000000820000-0x000000000092A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1596-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1728-73-0x0000000000000000-mapping.dmp
      Download
    • memory/1748-70-0x0000000000000000-mapping.dmp
      Download