Overview

overview

10

Static

static

10

82b8546043...9b.exe

windows7-x64

10

82b8546043...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-03-2023 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe

  • Size

    1.6MB

  • MD5

    a0fb4af03514fe70e036bbea624ea81f

  • SHA1

    435f3ef79e360d89cab884e990a558722c9ce272

  • SHA256

    82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b

  • SHA512

    d3bc4a717f7057b4b2da642c6272f0d357dc0bdf39f898931491e409d4b58790a715138541668a56046c5332178ddb10fc439e5c4d0a7ac6825b82f34e9c268c

  • SSDEEP

    24576:B2G/nvxW3WQnkHnDIlJzbBA5clWJG4kQy0ohgEGdHKK5Cu8Kc9mfCQbZ8/zARp:BbA37kHnDIbzi5MWjmuHNKQbi/E/

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe
    "C:\Users\Admin\AppData\Local\Temp\82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PortfontWin\faioFQaWMfyQql5F1lpCdLP.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\PortfontWin\ItIWhmVbvimfR.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\PortfontWin\agentNet.exe
          "C:\PortfontWin\agentNet.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6kFxoAmZcR.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2324
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3908
              • C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe
                "C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4700
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\PortfontWin\file.vbs"
        2⤵
          PID:3208
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3316
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1612
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\odt\Registry.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4540
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5068
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1852

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PortfontWin\ItIWhmVbvimfR.bat
        Filesize

        29B

        MD5

        fd0d6ddda55e2608a242669717a0d517

        SHA1

        294004545081c4634c07f7cca31819207588c310

        SHA256

        dd0a8c6636afc291a09f480b9294860f6412555b0bfda3808917eff3637a005d

        SHA512

        d23fddbf26c32b50c3fe3eb654da3ac25e84b7d5bf3501c682bac74f39295a58c1072dd02b97e340a0ec28e30c58ed1bb1448badb5e680baea4d6bce769215a0

        Download Submit
      • C:\PortfontWin\agentNet.exe
        Filesize

        1.3MB

        MD5

        cd663693d7804e051bd4d890a643a521

        SHA1

        186510d39cc3a7d928f47c3d6813c27c5e7e3674

        SHA256

        f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

        SHA512

        a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

        Download Submit
      • C:\PortfontWin\agentNet.exe
        Filesize

        1.3MB

        MD5

        cd663693d7804e051bd4d890a643a521

        SHA1

        186510d39cc3a7d928f47c3d6813c27c5e7e3674

        SHA256

        f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

        SHA512

        a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

        Download Submit
      • C:\PortfontWin\faioFQaWMfyQql5F1lpCdLP.vbe
        Filesize

        201B

        MD5

        d82d15119bf0f8e8e3077d786bcbbefb

        SHA1

        92a74c59f2984d8f7f9fcd22f44c463cc0177cbd

        SHA256

        1be73a1a92fa60e7ec1ab2b7777780d7f958c284b4c1596ea9ab5c3ad581e76f

        SHA512

        9aaa9dd3906c1b531b9c85f61b9da3d11f458f7eba22a4107fa4ed49868b45f1d0f804296f1ef35c62115d77204b99c235c9e6f504b65d752caf3f58c44eacaa

        Download Submit
      • C:\PortfontWin\file.vbs
        Filesize

        34B

        MD5

        677cc4360477c72cb0ce00406a949c61

        SHA1

        b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

        SHA256

        f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

        SHA512

        7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

        Download Submit
      • C:\Program Files\Windows Security\wininit.exe
        Filesize

        1.3MB

        MD5

        cd663693d7804e051bd4d890a643a521

        SHA1

        186510d39cc3a7d928f47c3d6813c27c5e7e3674

        SHA256

        f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

        SHA512

        a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\6kFxoAmZcR.bat
        Filesize

        255B

        MD5

        001c70b047714710b6fcdc030b0bc28f

        SHA1

        c83b2692dd6590d03a035a7c00eab413b09dd2a9

        SHA256

        b0bb086d44e00356e737d572f3048fa3659f3c4d1ea9c2f1613f19ecdb04668c

        SHA512

        f76dc15a4776e2647b3ce7cb33ba8183d55bacd7eaf65e0e23012396a26916cdef2c171a9f5d5767a8f8aa2ae0a9b42805053abf66dcfbc200d6da36be456a69

        Download Submit
      • C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe
        Filesize

        1.3MB

        MD5

        cd663693d7804e051bd4d890a643a521

        SHA1

        186510d39cc3a7d928f47c3d6813c27c5e7e3674

        SHA256

        f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

        SHA512

        a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

        Download Submit
      • C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\spoolsv.exe
        Filesize

        1.3MB

        MD5

        cd663693d7804e051bd4d890a643a521

        SHA1

        186510d39cc3a7d928f47c3d6813c27c5e7e3674

        SHA256

        f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

        SHA512

        a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

        Download Submit
      • memory/2684-151-0x000000001AF20000-0x000000001AF70000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2684-152-0x000000001CC40000-0x000000001D168000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/2684-153-0x000000001AFA0000-0x000000001AFB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2684-150-0x0000000000180000-0x00000000002D0000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4700-173-0x0000000002880000-0x0000000002890000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4700-185-0x0000000002880000-0x0000000002890000-memory.dmp
        Filesize

        64KB

        Download