Analysis

  • max time kernel
    50s
  • max time network
    72s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21-06-2024 17:16

General

  • Target

    дсрат.exe

  • Size

    1.8MB

  • MD5

    545889c3d894821e69924ca2a1acf5eb

  • SHA1

    34c7bec63e692b96d793a8047275be6af779c021

  • SHA256

    0f6b00ebfc4324cf4feb87bad29724c3f2c9723c84af4bf4d086352925bf06b7

  • SHA512

    6e28f070734ac8d44e917e86394c991e6db5a6389195b5204ccea47a95eb946b505f696f0f8c68b62dddd883f3dbe4ced2bd8a7d152bdc91a5132f686a633618

  • SSDEEP

    49152:1Djlabwz9fig9rohmN0qEKX8uSgRHqNGiS:ZqwdRV0fgEiKYiS

Malware Config

Extracted

Family

lumma

C2

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Windows security bypass (2 TTPs, 1 IoCs)
  • DCRat payload (2 IoCs)

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops autorun.inf file (1 TTPs, 1 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (13 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\дсрат.exe
    "C:\Users\Admin\AppData\Local\Temp\дсрат.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Loader\error.vbs"
      2⤵
      • Suspicious use of FindShellTrayWindow
      PID:1392
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\KHRnsPaHq6wt4rRYII1q2.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
        Loader.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:4452
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:5044
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:3580
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v С:/Users /t REG_DWORD /d 0
        3⤵
        • Windows security bypass
        PID:1952
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\WINDOWS\system32\userinit.exe, C:\Users\Admin\AppData\Local\Temp/Loader/Bypass.exe
        3⤵
        PID:3596
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\Bypass.exe
        3⤵
        PID:5068
    • C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\ProgramData\SoftwareDistribution\Bypass.exe
        "C:\ProgramData\SoftwareDistribution\Bypass.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5080
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d
    1⤵
    PID:4564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\SoftwareDistribution\Bypass.exe

    Filesize

    1.7MB

    MD5

    d5089008582efc34df9cfe5e48550d21

    SHA1

    4105575343659919dff89cc18d1d8fbc7bd60289

    SHA256

    c3a15ab0b9e3ebf966ff7fae15c9309c5a739ab755aa706c14c437ed01e3b13c

    SHA512

    7ab28e1e9150f2585c0e20ddc3260aed9b3d8922eabaf05a7bfd88c1c2fe1c4f586cac368a4bae9fdce9093ded2ef6ead9505d28779bcf448e196e29b5a5050b

  • C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe

    Filesize

    1.2MB

    MD5

    e569faac3b8f8d70b0c2ed38ab26019b

    SHA1

    91adf9b4f18146374a957360f232f61c56595bab

    SHA256

    9f2267e35d5030990fa4d516e45289163aa236a934f8d45546a543db4bf10e40

    SHA512

    d0681e04801b6ce7933f0438c87527e41cd73cb3f7039048cf2d60f85b30bb5f5235145428a6f77e57fcc1600539e336fa433b33bd4e45a50c1aa7ae214f2478

  • C:\Users\Admin\AppData\Local\Temp\Loader\KHRnsPaHq6wt4rRYII1q2.bat

    Filesize

    503B

    MD5

    3217ead6df07978acaaa5c47812959b4

    SHA1

    00b535427aafd0aaa9cbdbd308c42d085af6ff25

    SHA256

    3d70ee828b984f3d71eb9e6bcd902c5d25f8cbb935c0419b6deb9e7707581b3d

    SHA512

    e521688b73e7c87699671864da9badf51fed1ea4afacac17f6656ac37b484b91157b10ed5ebb57348c09ce65cdadf183cc1be326c24716ee2f71867d0231b159

  • C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe

    Filesize

    594KB

    MD5

    b6c3c00d7cf6d8d13f20dbc590a675ad

    SHA1

    a36e5c3c94f7abe3cbdfd3418e3ae03e66aa5323

    SHA256

    0021b20ecb3a2d562118bae38f00d1bdffc8facda49c8e1d1995966e1cd7957c

    SHA512

    e6f5165b9678cc6818d0213e84a6fdfb606af69dd6be67ea3db12dbb4a8b3503afcb9dc729a727691bef2374a355ea3ab7d8f8864adcab87d0cfee892c660eba

  • C:\Users\Admin\AppData\Local\Temp\Loader\error.vbs

    Filesize

    91B

    MD5

    3e9e1d51930b0f7dd74cf0a85279abb7

    SHA1

    344f901c9070611eaa6077bbebfc1b63c28857bf

    SHA256

    2db9bf60266d735cbb49eec9c394c03071e2a3c7763367baeb60c2d60b0c461f

    SHA512

    f056abd5030a1e71e11d06608ebaab38585f8d5f8a14f20e9949d296cd3037fee67ae459a1ad9a8d86bbb117e46957fa4091cbaf9b877b45664e4d9284a3acbf

  • memory/3580-32-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/3580-31-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/5080-33-0x0000000000F80000-0x0000000001136000-memory.dmp

    Filesize

    1.7MB

  • memory/5080-34-0x0000000001950000-0x000000000196C000-memory.dmp

    Filesize

    112KB

  • memory/5080-37-0x0000000003290000-0x00000000032E6000-memory.dmp

    Filesize

    344KB

  • memory/5080-36-0x00000000019C0000-0x00000000019D6000-memory.dmp

    Filesize

    88KB

  • memory/5080-35-0x000000001C400000-0x000000001C450000-memory.dmp

    Filesize

    320KB

  • memory/5080-39-0x00000000032E0000-0x00000000032E8000-memory.dmp

    Filesize

    32KB

  • memory/5080-38-0x0000000001930000-0x000000000193E000-memory.dmp

    Filesize

    56KB