Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-03-2024 18:51

General

  • Target

    2222-main/Build.exe

  • Size

    1.8MB

  • MD5

    9886d20dd6f3d896861cc5f8ea0ca84b

  • SHA1

    96ab3affa0279d5795a29f3e1ecae37546b8bb11

  • SHA256

    56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929

  • SHA512

    02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079

  • SSDEEP

    49152:UbA30gth6l+eGtUvcx+GXJsVXu6jFKpveKB:Ubkth6l8x+GX4erpvzB

Malware Config

Signatures

  • DcRat 5 IoCs

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe
    "C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
          "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1884
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\msvcr110\winlogon.exe'" /rl HIGHEST /f
            5⤵
            • DcRat
            • Creates scheduled task(s)
            PID:2200
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\pstorsvc\taskhost.exe'" /rl HIGHEST /f
            5⤵
            • DcRat
            • Creates scheduled task(s)
            PID:2924
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\mswmdm\conhost.exe'" /rl HIGHEST /f
            5⤵
            • DcRat
            • Creates scheduled task(s)
            PID:1896
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "Connections Rontime Broker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a\Connections Rontime Broker.exe'" /rl HIGHEST /f
            5⤵
            • DcRat
            • Creates scheduled task(s)
            PID:476
          • C:\Windows\System32\msvcr110\winlogon.exe
            "C:\Windows\System32\msvcr110\winlogon.exe"
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe

    Filesize

    1.5MB

    MD5

    413be497be904c09aa8bfe8f0182a949

    SHA1

    9c5a69c83dbe2629290823d33c0afbce6d37f7bf

    SHA256

    6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

    SHA512

    01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

  • C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe

    Filesize

    273B

    MD5

    559cdf34199c7353804d3d3550ccc3a3

    SHA1

    43da9eae85816d75b10f537452a9b5c2ef9ae1f6

    SHA256

    c1475bfc785af561b6954cd740f44083bbdb6e15b1dabbc2249e35b5eae82108

    SHA512

    a4431b8817a1464f54f01bc223f01c4673521e99289c010a4158d25bbe542a735b59d6a6de406e2a0efb3ed20de5958cf6bea5acb14069b9f690b0cde619c86c

  • C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat

    Filesize

    108B

    MD5

    d5f5523af702e22a702e95fadf058335

    SHA1

    e495f695eed69a9af60dd6303b20ce0df82cadbb

    SHA256

    5ae2bbf6e9576cb737edef26860e3f843c13b78cd77ed31ebb5578d80dbbcac3

    SHA512

    f0fbc8757d2083e8ea93f059d0fad236c2e45f8db67c6cf11801a225bee758f0761c5eac2d468c646adcf86028f3317931e704778cc5f2d971403873c3de82b6

  • C:\Windows\System32\msvcr110\winlogon.exe

    Filesize

    896KB

    MD5

    7330a3afa85f417c18d18268f15a8f33

    SHA1

    d20494b1cc3b1efc6728496961684e34c0fe2b18

    SHA256

    14ac31ab18585050f381e9c0dc73067f17e99c570ea2edd17332e9ba77899f8b

    SHA512

    d9e629e8a7b471d30bbdae1a159377d5cb658d90dd5240703aabb5d12a39246ad879a02a531b2dd3ca916b52d9769f1dc3dd24548780c61663587027741cea81

  • C:\Windows\System32\msvcr110\winlogon.exe

    Filesize

    384KB

    MD5

    fcd983b4c0241ffed79369a391f877fc

    SHA1

    ad272a12d237cd82a5b8fb856546bf54eb840d12

    SHA256

    26e4d6e90e8213b0540898a02046080ece6f0295c1f46202bda323730e57967e

    SHA512

    18b1770805ba9770c36943d6aae8a54069eedf79ff522daaf41eba834c2707c0803e8fb39e9ee814fef4371d643e1898e8283488af07de2985630383e0769fbb

  • memory/1492-31-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

  • memory/1492-30-0x0000000001070000-0x00000000011F2000-memory.dmp

    Filesize

    1.5MB

  • memory/1492-33-0x000000001B230000-0x000000001B2B0000-memory.dmp

    Filesize

    512KB

  • memory/1492-34-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

  • memory/1884-15-0x000000001AEC0000-0x000000001AF40000-memory.dmp

    Filesize

    512KB

  • memory/1884-14-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

  • memory/1884-13-0x0000000000380000-0x0000000000502000-memory.dmp

    Filesize

    1.5MB

  • memory/1884-32-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB