Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-07-2024 10:14

General

  • Target

    SandeLLoCHECKER_Installer (2).exe

  • Size

    1.5MB

  • MD5

    4c52459e292810c1197ed6f2e6486375

  • SHA1

    12f8ef89e298d758b61b8104aca610ddce9b5b4e

  • SHA256

    513bdf8d578fc535a41943fb900c32dc29de645bb9327ab3497b13632e04c6fc

  • SHA512

    47bf5deb7661948f84aa8319921ab19dd70e4751475d1682578960d30420c14842f3784f1e416472c252efd3411278711d85ec103664601062606da5a18debe7

  • SSDEEP

    24576:62G/nvxW3WvwD4cm7HZi6ABOSJcv9c3B8Z3Mnge2RxpA2UQXN58xTY6+2e:6bA3JDDmk6ocv9c3PiixiU+Z

Malware Config

Signatures

  • DcRat (28 IoCs)

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence (2 TTPs, 9 IoCs)
  • Process spawned unexpected child process (27 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (2 IoCs)

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 18 IoCs)
  • Drops file in Program Files directory (8 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (2 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 27 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (19 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe
    "C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\chainproviderBrowsersvc\1L1To0L.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\chainproviderBrowsersvc\surrogateweb.exe
          "C:\chainproviderBrowsersvc\surrogateweb.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:124
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TnEi4NPhyI.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1752
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:2616
              • C:\chainproviderBrowsersvc\surrogateweb.exe
                "C:\chainproviderBrowsersvc\surrogateweb.exe"
                6⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1480
                • C:\Recovery\WindowsRE\dllhost.exe
                  "C:\Recovery\WindowsRE\dllhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\chainproviderBrowsersvc\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\chainproviderBrowsersvc\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Corporate\lsass.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Corporate\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3192

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Recovery\WindowsRE\5940a34987c991

      Filesize

      674B

      MD5

      7aec6e6e19a6fb0644eb1a61a0f4c93c

      SHA1

      41c959960392b230f6847103c37ac2f036eeb19c

      SHA256

      140deb36dc3a8992d06dec12aa957f4ee3be2dbd58e527c584c10dad622d9127

      SHA512

      0ad2305c523f73544481af87521b6f396bb1d86b5d7d0ef3665ce701a75290edc275e88b556db3dd289091884cb5777056ff2f24bc66db8e2e8c618314984ad2

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\surrogateweb.exe.log

      Filesize

      1KB

      MD5

      4a154b138b22d8614bea6d4aa8bffecf

      SHA1

      e234d740d83d68c2233e8bf3ffd65406d5ca9563

      SHA256

      0c84f439b774b18f2f98ff2bd65b31a7540a064ec20aed0b5cd5fdd7546d56f6

      SHA512

      c3f7dabc72ddc377d50843b5e3a2bdc1600cee7d5dcdc52b7db9c675fbc5cb510be01ffe911462fd4e5af95737108ae1b19d006c00be5217f489c3772b7a68ec

    • C:\Users\Admin\AppData\Local\Temp\TnEi4NPhyI.bat

      Filesize

      208B

      MD5

      e6599965e278cd8488e0676d831f846c

      SHA1

      c24b006b68d5ad3c4ca79695ae8be988bef90875

      SHA256

      34e95b40e612405e1c445878b8e783a277beba77c2582029e3f2f01f5ef44cae

      SHA512

      0dcf1eefc2e2d5e416eb831e8fd49667012c5db56ef690a05bf4f6967e228ed4ce1bf761278c2db120358b82ab82d363517396cd0dbf05414a8e45f7ec6a055b

    • C:\chainproviderBrowsersvc\1L1To0L.bat

      Filesize

      45B

      MD5

      3c8ed674ffedfe6b8d0c064cab60006d

      SHA1

      7080e2cf3d63412726841df13a193e1e56576d7f

      SHA256

      0a743db445078b3285505edde00ff06568dc9276d50450cb23e93dc2d13ff1fc

      SHA512

      26678921909b08733f2bf1e921109775b5b4d45b3be2fa7169b3a413ebe78853023a4927f2f26fc63b78a6d6dc21ed603edce39ee8cb7a703bd247a8d6aad7da

    • C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe

      Filesize

      207B

      MD5

      899f8aaacb8d91de21a507edf16520e2

      SHA1

      2e81832c3da7c117b96e87a3891ca41aba7b819d

      SHA256

      3a8e29e95179d9794c2e3367cb170717682087650ee33b70905c4deb7fbab762

      SHA512

      7d19a730e8dcc78e265b19fb9c901ccd8456bbaf6d8702c25377f86fe8427c82a918b1a96a50b83ddc6363a169739106bc2e4218097d31cad8e0c0a139bf9f3e

    • C:\chainproviderBrowsersvc\surrogateweb.exe

      Filesize

      1.2MB

      MD5

      263dca09ac216848fa0ce9aea1f1aa04

      SHA1

      da162b0daf02ee8cf89a011f4a2876efb4694552

      SHA256

      2bb6c2c2394ec60767a70db1d9098af76e1142de9e9ad9e94c52207c121088a8

      SHA512

      3d7fd55d1dd95d998b14985aa9bdc6e3d152b6f9e7b52153bdedddd21514805fb3dd339cf6e712a428c329744c263cb945037c82f19c111d6ddbdc7e8d96359d

    • memory/124-15-0x000000001C480000-0x000000001C4D0000-memory.dmp

      Filesize

      320KB

    • memory/124-16-0x0000000001950000-0x0000000001966000-memory.dmp

      Filesize

      88KB

    • memory/124-17-0x0000000003280000-0x000000000328C000-memory.dmp

      Filesize

      48KB

    • memory/124-14-0x0000000001920000-0x000000000193C000-memory.dmp

      Filesize

      112KB

    • memory/124-13-0x0000000000FB0000-0x00000000010E2000-memory.dmp

      Filesize

      1.2MB

    • memory/124-12-0x00007FF9FE7D3000-0x00007FF9FE7D5000-memory.dmp

      Filesize

      8KB

    • memory/4544-96-0x000000001B2D0000-0x000000001B2DD000-memory.dmp

      Filesize

      52KB

    • memory/4544-94-0x000000001C2D0000-0x000000001C316000-memory.dmp

      Filesize

      280KB

    • memory/4544-98-0x000000001B810000-0x000000001B81B000-memory.dmp

      Filesize

      44KB

    • memory/4544-97-0x000000001B7F0000-0x000000001B80E000-memory.dmp

      Filesize

      120KB

    • memory/4544-95-0x000000001B190000-0x000000001B199000-memory.dmp

      Filesize

      36KB