Analysis
-
max time kernel
128s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
11-03-2024 18:51
General
-
Target
2222-main/Build.exe
-
Size
1.8MB
-
MD5
9886d20dd6f3d896861cc5f8ea0ca84b
-
SHA1
96ab3affa0279d5795a29f3e1ecae37546b8bb11
-
SHA256
56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929
-
SHA512
02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079
-
SSDEEP
49152:UbA30gth6l+eGtUvcx+GXJsVXu6jFKpveKB:Ubkth6l8x+GX4erpvzB
Malware Config
Signatures
-
DcRat 5 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Documents and Settings\conhost.exe'" /rl HIGHEST /f5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\twinapi.appcore\taskhostw.exe'" /rl HIGHEST /f5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /rl HIGHEST /f5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\appcompat\encapsulation\RuntimeBroker.exe"C:\Windows\appcompat\encapsulation\RuntimeBroker.exe"5⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exeFilesize
1.5MB
MD5413be497be904c09aa8bfe8f0182a949
SHA19c5a69c83dbe2629290823d33c0afbce6d37f7bf
SHA2566cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21
SHA51201d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee
-
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbeFilesize
273B
MD5559cdf34199c7353804d3d3550ccc3a3
SHA143da9eae85816d75b10f537452a9b5c2ef9ae1f6
SHA256c1475bfc785af561b6954cd740f44083bbdb6e15b1dabbc2249e35b5eae82108
SHA512a4431b8817a1464f54f01bc223f01c4673521e99289c010a4158d25bbe542a735b59d6a6de406e2a0efb3ed20de5958cf6bea5acb14069b9f690b0cde619c86c
-
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.batFilesize
108B
MD5d5f5523af702e22a702e95fadf058335
SHA1e495f695eed69a9af60dd6303b20ce0df82cadbb
SHA2565ae2bbf6e9576cb737edef26860e3f843c13b78cd77ed31ebb5578d80dbbcac3
SHA512f0fbc8757d2083e8ea93f059d0fad236c2e45f8db67c6cf11801a225bee758f0761c5eac2d468c646adcf86028f3317931e704778cc5f2d971403873c3de82b6
-
C:\Windows\appcompat\encapsulation\RuntimeBroker.exeFilesize
833KB
MD5f947ecce0506d3b47f920c9e7d53c0b1
SHA19ba390f4adf3a66531b3c98028edc6fbffeea54d
SHA256da497cdcf03238e1ca3f83c767ee5931950141f6af7385714674e886d70c3273
SHA51290fd9c76541df344a99c21d8dfecd3b467755b69ab5e550efb2095820c37943c77e04c7275cc130d205a17f58577a325bbc4c98eb886136caf88419ea36e7c23
-
memory/3616-12-0x00000000000C0000-0x0000000000242000-memory.dmpFilesize
1.5MB
-
memory/3616-13-0x00007FF900F20000-0x00007FF9019E1000-memory.dmpFilesize
10.8MB
-
memory/3616-14-0x000000001AEA0000-0x000000001AEB0000-memory.dmpFilesize
64KB
-
memory/3616-33-0x00007FF900F20000-0x00007FF9019E1000-memory.dmpFilesize
10.8MB