Analysis

  • max time kernel
    139s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2023 16:45

General

  • Target

    inject_fortniteV3.0.exe

  • Size

    3.1MB

  • MD5

    20442abc1fd9cf9d34a54aed6ec06a1f

  • SHA1

    b623b106f07257bc7187428b48769b5df89ffccb

  • SHA256

    5f44a568a45580bb598b8a5a81ca26e74e3cea5b78689ed715ab0c8848673541

  • SHA512

    a63349720b7c98ca5a1e9f4138ded365fd971210608ab5666a3870107509d5b68cf90e945996d0a346352c7204b8cdf872d4c3ec283368a8ae96425eb995254e

  • SSDEEP

    49152:AbA3i4CGZQFM1jq6t6aHad355B8MzzgGa0RBAreWjDu/dHnZGxIGcAXI21I9S:AbCZQFMRq6pM3bcjCBibDqHIxIGWXU

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\inject_fortniteV3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\inject_fortniteV3.0.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comFont\MTGYlSdhuDKs8XfONjnFlP.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\comFont\E1o0vS.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\comFont\hyperAgentCommon.exe
          "C:\comFont\hyperAgentCommon.exe"
          4⤵
          • Modifies WinLogon for persistence
          • UAC bypass
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2188
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4472
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:608
              • C:\comFont\sihost.exe
                "C:\comFont\sihost.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:2544
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:756
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\comFont\file.vbs"
        2⤵
        PID:2256
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\comFont\sihost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1128
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\comFont\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\comFont\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (T1053): 1
  • Persistence
    Winlogon Helper DLL (T1004): 1
    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1
  • Privilege Escalation
    Bypass User Account Control (T1088): 1
    Scheduled Task (T1053): 1
  • Defense Evasion
    Modify Registry (T1112): 5
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 1
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 3
  • Collection
    Data from Local System (T1005): 2

Downloads

      • C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat
        Filesize

        186B

        MD5

        768efe72c603f73b40a7198aa6ff3ec1

        SHA1

        f30aecc733458b2a1e27478c96b0970ea2f02995

        SHA256

        73a7ad2a02e6660a1bee3cf70ccbb491a810229c40c5d0846f6abbc8beb0d39e

        SHA512

        23423356488f30ffeb0e9e5d2827a88d0af56c42bf99a3d1c9e63cdd365a46a49db27a0c772bff77e1f6289d06dde7a5abec5130a44388e11b74f1309f657e1b

      • C:\comFont\E1o0vS.bat
        Filesize

        145B

        MD5

        55297b61af195c9d7dfb6a792f4efea8

        SHA1

        95a2077282be37258d2d9f46494214ef8c5a84de

        SHA256

        7b4520bd2ad33a7ea82f904a77c709a3fd4e9f80d4a027862d412108d05174e9

        SHA512

        5aefee445ebf19e885ce72d5e55ada4ead4bf07f5b9e648844248fe79c96df7fc3137f013f43680642b777906f65b01ac0a18c1f222b11720c8ee32602018254

      • C:\comFont\MTGYlSdhuDKs8XfONjnFlP.vbe
        Filesize

        190B

        MD5

        dfbdf30a0582237ed21b02f950e89d4d

        SHA1

        c9afa656cd126e8fca8b51aebe169a38934c6cba

        SHA256

        be770bef82038bc3c7b49f04e1598017c3a841a464f133393e90804acc1995d8

        SHA512

        d683b7baa8a913b80ce5f9ec313fd9399ceadb9acc1da232c277ed80716dac3558aec6d4258bb5804484a32273690c482c9d0367e352355dc139485ff46b61d0

      • C:\comFont\file.vbs
        Filesize

        34B

        MD5

        677cc4360477c72cb0ce00406a949c61

        SHA1

        b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

        SHA256

        f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

        SHA512

        7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

      • C:\comFont\hyperAgentCommon.exe
        Filesize

        2.7MB

        MD5

        31d0bae6b505d3a01522e082bd4e66bc

        SHA1

        5df1a2ec9e16b207c1da1cbd79878fd58682c381

        SHA256

        b60658d2dd8c986ef67cdd249cc9638214ce9fe78c7de8a76011c35f5569b24c

        SHA512

        cb6fda5bb453d9a0987222fbe38f1852b7423a196690d1dacf7b1d53cd36b2e7d1c780db9cb195d4c8d09bc5d1f11d4d3c32a8c7a1579e5b1a62e24c0c7145fd

      • C:\comFont\sihost.exe
        Filesize

        2.7MB

        MD5

        31d0bae6b505d3a01522e082bd4e66bc

        SHA1

        5df1a2ec9e16b207c1da1cbd79878fd58682c381

        SHA256

        b60658d2dd8c986ef67cdd249cc9638214ce9fe78c7de8a76011c35f5569b24c

        SHA512

        cb6fda5bb453d9a0987222fbe38f1852b7423a196690d1dacf7b1d53cd36b2e7d1c780db9cb195d4c8d09bc5d1f11d4d3c32a8c7a1579e5b1a62e24c0c7145fd

      • memory/444-132-0x0000000000000000-mapping.dmp
      • memory/608-147-0x0000000000000000-mapping.dmp
      • memory/756-149-0x0000000000000000-mapping.dmp
      • memory/2056-137-0x0000000000000000-mapping.dmp
      • memory/2188-144-0x000000001D9B0000-0x000000001DED8000-memory.dmp
        Filesize

        5.2MB

      • memory/2188-143-0x000000001BB00000-0x000000001BB50000-memory.dmp
        Filesize

        320KB

      • memory/2188-142-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp
        Filesize

        10.8MB

      • memory/2188-148-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp
        Filesize

        10.8MB

      • memory/2188-141-0x0000000000D40000-0x0000000000FF0000-memory.dmp
        Filesize

        2.7MB

      • memory/2188-138-0x0000000000000000-mapping.dmp
      • memory/2256-133-0x0000000000000000-mapping.dmp
      • memory/2544-150-0x0000000000000000-mapping.dmp
      • memory/2544-153-0x00007FFDCF440000-0x00007FFDCFF01000-memory.dmp
        Filesize

        10.8MB

      • memory/2544-154-0x00007FFDCF440000-0x00007FFDCFF01000-memory.dmp
        Filesize

        10.8MB

      • memory/2544-155-0x000000001DEF0000-0x000000001E0B2000-memory.dmp
        Filesize

        1.8MB

      • memory/4472-145-0x0000000000000000-mapping.dmp