Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
29-05-2024 21:51
Static task
static1
Behavioral task
behavioral1
Sample
Total order confirmation April 10 2017.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Total order confirmation April 10 2017.exe
Resource
win10v2004-20240508-en
General
-
Target
Total order confirmation April 10 2017.exe
-
Size
1.5MB
-
MD5
d31daa3adb9285b7024438799d3a7fc8
-
SHA1
3a4a3684c7a475bae5b47aad1ad750996add764b
-
SHA256
ebdb910c35ce8b21168a4bda0dae16b3a64f66670763be89a81e322d8ddab431
-
SHA512
9d3febe2e0603e0f6d040dff42b194fa2be309260724f9bfc879fd72990718145a239a6817b8fbcf1fd1c2e3209896c94282fc88e9bc61d064b393f0b271d8dc
-
SSDEEP
49152:41wV28FzbXmsC/C2d4A7k5r3HN2i54kZW:VVvFzisC/r4UkJ3HN2i54mW
Malware Config
Extracted
pony
http://tcoolonline.mobi/wp-includes/css/Panel/gate.php
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Luminosity 2 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\SystemCertificates\CA | Total order confirmation April 10 2017.exe
pid | Process
2304 | schtasks.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Total order confirmation April 10 2017.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | svchost.exe
-
Executes dropped EXE 6 IoCs
pid | Process
2056 | datalog.exe
1624 | svchost.exe
2424 | datalog.exe
1656 | svchost.exe
3980 | client.exe
1340 | client.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
behavioral2/memory/1656-42-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/1656-44-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/1656-45-0x0000000000400000-0x000000000041D000-memory.dmp | upx
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | svchost.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | svchost.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" | REG.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1624 set thread context of 1656 | 1624 | svchost.exe | 98
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Client\client.exe | datalog.exe
File opened for modification | C:\Program Files (x86)\Client\client.exe | datalog.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2304 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 entries in report order; consecutive repeats collapsed with their count)
2056 | datalog.exe (×14)
1624 | svchost.exe (×2)
2056 | datalog.exe (×16)
4276 | cmd.exe (×2)
2056 | datalog.exe (×20)
3980 | client.exe (×2)
2056 | datalog.exe (×8)
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
description | pid | Process (51 entries; the eight-privilege sequence for PID 1656 is repeated six times in the report, 48 entries in total)
Token: SeDebugPrivilege | 4856 | Total order confirmation April 10 2017.exe
Token: SeDebugPrivilege | 1624 | svchost.exe
Token: SeImpersonatePrivilege | 1656 | svchost.exe (×6)
Token: SeTcbPrivilege | 1656 | svchost.exe (×6)
Token: SeChangeNotifyPrivilege | 1656 | svchost.exe (×6)
Token: SeCreateTokenPrivilege | 1656 | svchost.exe (×6)
Token: SeBackupPrivilege | 1656 | svchost.exe (×6)
Token: SeRestorePrivilege | 1656 | svchost.exe (×6)
Token: SeIncreaseQuotaPrivilege | 1656 | svchost.exe (×6)
Token: SeAssignPrimaryTokenPrivilege | 1656 | svchost.exe (×6)
Token: SeDebugPrivilege | 2056 | datalog.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2056 | datalog.exe
-
Suspicious use of WriteProcessMemory 46 IoCs
description | pid | Process | procid_target (46 entries in report order; repeats collapsed with their count)
PID 4856 wrote to memory of 2056 | 4856 | Total order confirmation April 10 2017.exe | 92 (×3)
PID 4856 wrote to memory of 1624 | 4856 | Total order confirmation April 10 2017.exe | 93 (×3)
PID 1624 wrote to memory of 2424 | 1624 | svchost.exe | 97 (×3)
PID 1624 wrote to memory of 1656 | 1624 | svchost.exe | 98 (×8)
PID 1656 wrote to memory of 4276 | 1656 | svchost.exe | 99 (×3)
PID 2056 wrote to memory of 2304 | 2056 | datalog.exe | 101 (×3)
PID 2056 wrote to memory of 1624 | 2056 | datalog.exe | 93 (×5)
PID 2056 wrote to memory of 4276 | 2056 | datalog.exe | 99 (×5)
PID 2056 wrote to memory of 3980 | 2056 | datalog.exe | 105 (×5)
PID 2056 wrote to memory of 848 | 2056 | datalog.exe | 106 (×3)
PID 2056 wrote to memory of 1340 | 2056 | datalog.exe | 111 (×5)
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Total order confirmation April 10 2017.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Total order confirmation April 10 2017.exe"
  PID: 4856
  - Luminosity
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\datalog.exe
    Command line: "C:\Users\Admin\AppData\Roaming\datalog.exe"
    PID: 2056
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
      PID: 2304
      - Luminosity
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\REG.exe
      Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
      PID: 848
      - Adds Run key to start application

  C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 1624
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\datalog.exe
      Command line: "C:\Users\Admin\AppData\Roaming\datalog.exe"
      PID: 2424
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe "
      PID: 1656
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240615109.bat" "C:\Users\Admin\AppData\Roaming\svchost.exe" "
        PID: 4276
        - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Client\client.exe
  Command line: "C:\Program Files (x86)\Client\client.exe" /startup
  PID: 3980
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Client\client.exe
  Command line: "C:\Program Files (x86)\Client\client.exe" /startup
  PID: 1340
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize
471B
MD5
c9dde86d6bfb98eb2d25af219d46850b
SHA1
bc3564b7c2bc11cef1f7aafcb91f973e26fea135
SHA256
e26cf32e2cc2bfb472aeea14b1428b760f95fc17117204f146187bf3b8fa4144
SHA512
43e3b7b52493bd161b3d30719e1c0838b1f8b14c1b5e4ad51c5f113cbe4d4c470c2e0e81ed1abe32a006e029c1479aae483f0d7b81d8a50c11e3077edf0c5d52
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_502BB733848926DD3139F2342144B39C
Filesize
471B
MD5
c1bc7e4db392d902cd4b515212ff9be0
SHA1
98f5a2248d77fe52f276bfe1c6108ef957b11667
SHA256
c53628b25e94add0515b21957043d73f9d80bf0a6ac6c96149c3e6c7abd1e1f6
SHA512
75294a9aff66e69adf6abbcde303e1fc6034f23999dee152ed6775a57934b128424f47e979d0d7e32f61873560208f6662c6f93f59f069727731b7d914251b60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize
404B
MD5
e394315139581f56a4d4b3baccdd0082
SHA1
9d34a3c277f4cf7136b2e77442d4c638bbcac0fa
SHA256
fbc69e7cf4c5c99cf0e0291237df02872580b4c522db0fd465a615e53c7fa9a8
SHA512
8554d771d2a1c1b38f6ce0db382ed37535e14dc5c51cc9f14f68ef9b3e7a3b0df632cca2159595c24bbbe685ad07b8f26373cf01a26cbf89c1d164886f925314
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_502BB733848926DD3139F2342144B39C
Filesize
404B
MD5
9695f93cc02d5385ab98d31709cf9b2b
SHA1
b53e477ce648aa72550356e9796d9fc294e7b668
SHA256
251c9c307caba67e70b88d57643d1afedb9f121c0e16e6c4946228144187d497
SHA512
647f82e273e69e71f446688f9913ba347a90cdea03230cc0b4bab96e4743f5c57949baaf3912d67b49ef942a9d0ea504ad66852b2a13df7aae97a24845c5d06b
-
Filesize
588B
MD5
bbc3cfe1a58732a0477f72ea3d36c7bf
SHA1
fb801263330aa243f63270138ab467a627dffc2e
SHA256
9269d4383b8effa928b7b4a7b38ffa07587b23851f9430fbfe8e7284f845e722
SHA512
5bfdc6520a7a0884e3ccdf26ab0fe536327c9f3330f7f78bed2ed4c89fc31b04ad0c4b4bd6f8f1bca08ef04e46b833b798726dca7f40ccc27c871847ec041be4
-
Filesize
94B
MD5
3880eeb1c736d853eb13b44898b718ab
SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
Filesize
856KB
MD5
6f354cc37a8d6f4c0f2a252ca5830275
SHA1
f4f42bccbb5f3ae12e807fae97986e138d1b405d
SHA256
c76034635528117e1b8b59c9c549a58c17b2f63f13b0d92b015f462c38317942
SHA512
19f1ca7a911acd944f985c1b043cd9914633bf97d420064a5ed5baa9efff8cbb4721797ed27b4354e5912d2be2bfde690d2fa2faf28e4181bf0612c41446dc3f
-
Filesize
1.5MB
MD5
d31daa3adb9285b7024438799d3a7fc8
SHA1
3a4a3684c7a475bae5b47aad1ad750996add764b
SHA256
ebdb910c35ce8b21168a4bda0dae16b3a64f66670763be89a81e322d8ddab431
SHA512
9d3febe2e0603e0f6d040dff42b194fa2be309260724f9bfc879fd72990718145a239a6817b8fbcf1fd1c2e3209896c94282fc88e9bc61d064b393f0b271d8dc