Overview

overview

10

Static

static

10

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2023 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe

  • Size

    1.3MB

  • MD5

    b9a0002e9a104374dea2f4ba571f1764

  • SHA1

    627488abb7aeeb5f8f411a9694cebd6b4748a86f

  • SHA256

    5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

  • SHA512

    439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5

  • SSDEEP

    24576:U2G/nvxW3Ww0t4952ytIS/Zgi5N5vC8bg7Mj9W4eHdELPh:UbA30QAytISht5q8bQMB4o

Score
10/10
dcratevasioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
    persistence
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 18 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe
    "C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:384
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4844
        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
          "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2440
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Uy6LsnJKZb.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1012
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4348
              • C:\Program Files\Internet Explorer\ja-JP\SppExtComObj.exe
                "C:\Program Files\Internet Explorer\ja-JP\SppExtComObj.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:1108
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:4976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperReviewwinh" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\hyperReviewwin.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperReviewwin" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\hyperReviewwin.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperReviewwinh" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\hyperReviewwin.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Videos\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5080

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Internet Explorer\ja-JP\SppExtComObj.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • C:\Program Files\Internet Explorer\ja-JP\SppExtComObj.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Uy6LsnJKZb.bat
      Filesize

      222B

      MD5

      7d8b8a904e5741fb91828b6e6e6b6726

      SHA1

      58279ccd03332ddf2b902140a10dab55a2660d9d

      SHA256

      9645ddfcec31844fe57b735fbbf3dc607844986754bcf7e6743d08332a5ad2dc

      SHA512

      7778ec1b7f0b4348bdadee2228eed61fea0b56c7bae778708715416c41d9e341c30961891825b7efa8b62949df8f32cbd7e5fad4158ebb9b980ad8ea3be95b63

      Download Submit
    • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat
      Filesize

      173B

      MD5

      2445216481e9c79fe7a7d2dddd5dd047

      SHA1

      5caaf8f423f587b26c0d98bb57db0e295d7ca6a7

      SHA256

      0d8405ad4bde2e23144377872f204baf9cdbc1343a55c075dabeec49a64c7c3d

      SHA512

      7000b171a053a0bb20c435765f2c76272e71eb4f429e2b500282f4765b9141757cdcb93a94480ae8ae0b78624098a02bb71caa111e8ab516f12c863725f86484

      Download Submit
    • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe
      Filesize

      221B

      MD5

      fc584ab062886ba5b7b34c8a8e4f1809

      SHA1

      6be7eeee2021f69be9e4513f0cb28408a56caba9

      SHA256

      873395e08f2ca43b4698329c5e2b6667dec76f2eeb08b05a1cff0a14e5a9db76

      SHA512

      a74d1b3567e169ed0ec0d135e31312eeae71f87e43c2311a16539f670116f2ce75bb4b4f33a6b462aa417c3764637b3e6c027b44728b2da7874031ac0cc4a7b8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
      Filesize

      1.0MB

      MD5

      ce9d81db072369459840b1fe59a54ac9

      SHA1

      5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

      SHA256

      62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

      SHA512

      6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

      Download Submit
    • memory/384-132-0x0000000000000000-mapping.dmp
      Download
    • memory/1012-141-0x0000000000000000-mapping.dmp
      Download
    • memory/1108-146-0x0000000000000000-mapping.dmp
      Download
    • memory/1108-150-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1108-149-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2440-140-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2440-142-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2440-139-0x0000000000CD0000-0x0000000000DDA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2440-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4348-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4844-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4976-143-0x0000000000000000-mapping.dmp
      Download