Overview

overview

10

Static

static

PZCheat.exe

windows7-x64

10

PZCheat.exe

windows10-2004-x64

10

Resubmissions

12-02-2023 06:08

230212-gwaw9shf55 10

02-02-2023 03:07

230202-dmra4see74 10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    02-02-2023 03:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PZCheat.exe

  • Size

    1.5MB

  • MD5

    164ba5ee6f6b30539e874248ccfa4c05

  • SHA1

    6b14ed8dab712359453779f2896e1cbad78871d7

  • SHA256

    fc7ca5dbd9e3d228416ea9725c7283d105d75533f7a4e069d89f2632840e1a5d

  • SHA512

    c9b2eef0e4499832f9c4eca8b503f17f4cc7589d0d2b12fe82572ad5df23e85cef9267bdc24928b7ac6df0fff70fe49d2422d6e9a549f07a74c8f9bd47892cfc

  • SSDEEP

    24576:B2G/nvxW3WLRnhzLfSRyBWkNUk9tJIzxIq2+kt3S5wFAiQuwV4ilByjNTVu1:BbA3+p9SRyBW0Tty2E5wFzQuo4iupRu1

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PZCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\PZCheat.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\surrogateContainerhostcrtDll\containersavesCrt.exe
          "C:\surrogateContainerhostcrtDll\containersavesCrt.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4452
          • C:\Program Files\Uninstall Information\taskhostw.exe
            "C:\Program Files\Uninstall Information\taskhostw.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Uninstall Information\taskhostw.exe
    Filesize

    1.2MB

    MD5

    963f8f811b559d489ac8f0f5128acb7a

    SHA1

    91b273936ab1e1f562d29893f18bfe13a8be6448

    SHA256

    a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

    SHA512

    6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

    Download Submit
  • C:\Program Files\Uninstall Information\taskhostw.exe
    Filesize

    1.2MB

    MD5

    963f8f811b559d489ac8f0f5128acb7a

    SHA1

    91b273936ab1e1f562d29893f18bfe13a8be6448

    SHA256

    a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

    SHA512

    6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

    Download Submit
  • C:\surrogateContainerhostcrtDll\containersavesCrt.exe
    Filesize

    1.2MB

    MD5

    963f8f811b559d489ac8f0f5128acb7a

    SHA1

    91b273936ab1e1f562d29893f18bfe13a8be6448

    SHA256

    a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

    SHA512

    6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

    Download Submit
  • C:\surrogateContainerhostcrtDll\containersavesCrt.exe
    Filesize

    1.2MB

    MD5

    963f8f811b559d489ac8f0f5128acb7a

    SHA1

    91b273936ab1e1f562d29893f18bfe13a8be6448

    SHA256

    a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

    SHA512

    6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

    Download Submit
  • C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat
    Filesize

    55B

    MD5

    f1a7c3c3ddb14918973adcec0ca793e5

    SHA1

    cd8dc923af6be2083d0a41f69fb32c9a08b2ea7a

    SHA256

    ed360b14dbbe3a7a03e882f0bd9b892af8357642fcbb296e62bac96112d4a526

    SHA512

    472f2d9d775d7b3a9a17fc8327040438e591ffbaaf87be8353a4e02446bd5ee805ce39fa2c57f1b32ca6f971210fba6532d3b993b7f861a6dd49edb0986dbccf

    Download Submit
  • C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe
    Filesize

    226B

    MD5

    6a5882c4cb8293cb361d7f95c51de59e

    SHA1

    48662867659024019cfc01e2e4731f9efaa83c67

    SHA256

    1ce3ab815dfa8ab817dab9bb42c012e940041735fa4f2064f780cd44b7a5c0a2

    SHA512

    e5c5940e4f1358688df06cb84ab1b9ea3a26a336ccbef7b02b0c40cb6477894855c8513f037ec602b4fce7a72f4a54b4f4ccf314437b595521aa4b3d4f21fe9f

    Download Submit
  • memory/676-150-0x0000000000450000-0x000000000080C000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/676-152-0x0000000006320000-0x0000000006360000-memory.dmp
    Filesize

    256KB

    Download
  • memory/676-151-0x0000000000450000-0x000000000080C000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/676-148-0x0000000000450000-0x000000000080C000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/676-149-0x0000000000450000-0x000000000080C000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/676-144-0x0000000000000000-mapping.dmp
    Download
  • memory/676-153-0x0000000007820000-0x00000000078B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2196-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2760-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4452-142-0x0000000006980000-0x0000000006A82000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4452-147-0x00000000000B0000-0x000000000046C000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/4452-143-0x0000000006B00000-0x0000000006B66000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4452-141-0x0000000006B70000-0x0000000007114000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4452-140-0x00000000000B0000-0x000000000046C000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/4452-139-0x00000000000B0000-0x000000000046C000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/4452-136-0x0000000000000000-mapping.dmp
    Download