Overview

overview

10

Static

static

3

c642f9a142...f3.exe

windows7-x64

10

c642f9a142...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 03:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe

  • Size

    3.3MB

  • MD5

    060acdb9ab659883f1d74c40fc5d6c4b

  • SHA1

    f6ede67bf171dcc87fc8c49dadbb9c05b2f3838c

  • SHA256

    c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3

  • SHA512

    a8ef346f9cf58efb9b2bed08102e02033ce7b69b6403a9dd6044824f9a1c7723dde69453f3267b1e8395e1db0e1530c05609e2f04eb739bbc57cf376e4e638ab

  • SSDEEP

    49152:gJ4Neo2O0+nNLfCDPRRelHdti+EwbBjebd+g0Uuqhv5GWJLJV4dwpk:gJ4Pn0+nNLfuReJdtijwb5ebLSWxGg4/

Score
10/10
dcratbootkitevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Detects executables containing bas64 encoded gzip files 5 IoCs
  • Detects executables packed with SmartAssembly 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe
    "C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe
      "C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tRQxi6UI1P.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Windows\SysWOW64\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4664
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            5⤵
              PID:1292
          • C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe
            "C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Checks whether UAC is enabled
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2196
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\mntemp
      Filesize

      16B

      MD5

      b84c0451280e282821e4e91adcc121f1

      SHA1

      56b5d0333954f8b045cb8aa49c2079a794dfc6db

      SHA256

      137b13ad42331f93a66ba3b5768d098256b3411ccf5bd635ad51f6e1cd625b25

      SHA512

      6bc57805bd935677d5a62ed5e38b1c7f4b8d4891b77a39ff0bbe557c629d8dd8ed2c8d30512ca67a2c2c1113af76d65af41e6287a5a22a0539ccd9c726099dce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe
      Filesize

      3.0MB

      MD5

      ed830fc9a7e101cb1199a44e89f05a6d

      SHA1

      09ecb8c22bad19d11a392fb873796cd41f4add56

      SHA256

      d03c84556f0693c7606a827797948d9f407e16dffa489b2a572be62aa20b7d03

      SHA512

      8248464f9ec60eb83ca13af0f5a6f61ac1dc5a826ed43d2432ecb56ae8fa281cfca300e37b649548cefd53fe5c96a7a949e9235efd931aa791c748513214df9a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tRQxi6UI1P.bat
      Filesize

      227B

      MD5

      2ee6cb5754f44fb8475a528f46c1845b

      SHA1

      3863398d4f6f4f35706d6ce12e6f5d9b6f32fbef

      SHA256

      c06e38335471804e892e0ef8b14342448efa93f4d1f98aed15238937642331b4

      SHA512

      02ea76e0b2f87f6efc66d491601a531a5aba9c786f589365b77aa99e7920aaf0deabfed176046b204bd01d1aae13bac92e39b5f956d2f46da578efcbc5bcd161

      Download Submit

    • memory/3436-101-0x0000000000FB0000-0x0000000001748000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/3436-60-0x000000000AB30000-0x000000000B05C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3436-59-0x00000000094D0000-0x00000000094DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3436-58-0x0000000009B50000-0x0000000009D12000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3436-57-0x0000000006F80000-0x0000000006F92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3436-56-0x0000000000FB0000-0x0000000001748000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/3436-55-0x0000000000FB0000-0x0000000001748000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/3436-53-0x0000000000FB0000-0x0000000001748000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/4192-18-0x0000000006400000-0x0000000006492000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4192-20-0x0000000006230000-0x0000000006280000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4192-26-0x0000000006BD0000-0x0000000006BDC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4192-25-0x0000000006BB0000-0x0000000006BBC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4192-29-0x0000000006C60000-0x0000000006CC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4192-24-0x0000000006B80000-0x0000000006B8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4192-49-0x00000000000B0000-0x0000000000848000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/4192-23-0x00000000065A0000-0x00000000065AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4192-22-0x0000000006220000-0x0000000006232000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4192-21-0x00000000061E0000-0x00000000061F6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4192-19-0x00000000061A0000-0x00000000061BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4192-17-0x0000000006170000-0x000000000617E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4192-16-0x00000000065D0000-0x0000000006B74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4192-14-0x00000000000B0000-0x0000000000848000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/4192-15-0x00000000000B0000-0x0000000000848000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/4192-12-0x00000000000B0000-0x0000000000848000-memory.dmp

      Filesize

      7.6MB

      Download