Analysis
max time kernel: 140s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 10:16
Behavioral task: behavioral1
Sample: SandeLLoCHECKER_Installer (2).exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: SandeLLoCHECKER_Installer (2).exe
Resource: win10v2004-20240709-en
General
Target: SandeLLoCHECKER_Installer (2).exe
Size: 1.5MB
MD5: 4c52459e292810c1197ed6f2e6486375
SHA1: 12f8ef89e298d758b61b8104aca610ddce9b5b4e
SHA256: 513bdf8d578fc535a41943fb900c32dc29de645bb9327ab3497b13632e04c6fc
SHA512: 47bf5deb7661948f84aa8319921ab19dd70e4751475d1682578960d30420c14842f3784f1e416472c252efd3411278711d85ec103664601062606da5a18debe7
SSDEEP: 24576:62G/nvxW3WvwD4cm7HZi6ABOSJcv9c3B8Z3Mnge2RxpA2UQXN58xTY6+2e:6bA3JDDmk6ocv9c3PiixiU+Z
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Processes: surrogateweb.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\chainproviderBrowsersvc\\conhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\chainproviderBrowsersvc\\conhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\chainproviderBrowsersvc\\conhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\smss.exe\", \"C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\unsecapp.exe\"" | surrogateweb.exe
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (12 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3556 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4152 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3848 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3208 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1416 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3964 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 4836 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4252 | 4836 | schtasks.exe |
Processes:
resource | yara_rule
C:\chainproviderBrowsersvc\surrogateweb.exe | dcrat
behavioral2/memory/3880-13-0x0000000000530000-0x0000000000662000-memory.dmp | dcrat
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: surrogateweb.exe, SandeLLoCHECKER_Installer (2).exe, WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | surrogateweb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | SandeLLoCHECKER_Installer (2).exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE (2 IoCs)
Processes: surrogateweb.exe, unsecapp.exe
pid | process
3880 | surrogateweb.exe
1544 | unsecapp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: surrogateweb.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\chainproviderBrowsersvc\\conhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\chainproviderBrowsersvc\\conhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\WindowsPowerShell\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\WindowsPowerShell\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\unsecapp.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\unsecapp.exe\"" | surrogateweb.exe
Drops file in Program Files directory (4 IoCs)
Processes: surrogateweb.exe
description | ioc | process
File created | C:\Program Files\WindowsPowerShell\smss.exe | surrogateweb.exe
File created | C:\Program Files\WindowsPowerShell\69ddcba757bf72 | surrogateweb.exe
File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\29c1c3cc0f7685 | surrogateweb.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoCs)
Processes: SandeLLoCHECKER_Installer (2).exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | SandeLLoCHECKER_Installer (2).exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (12 instances)
pid | process
3556 | schtasks.exe
2652 | schtasks.exe
4932 | schtasks.exe
2220 | schtasks.exe
3208 | schtasks.exe
4252 | schtasks.exe
2976 | schtasks.exe
4152 | schtasks.exe
3848 | schtasks.exe
1416 | schtasks.exe
3964 | schtasks.exe
3020 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: surrogateweb.exe, unsecapp.exe
pid | process
3880 | surrogateweb.exe (1 entry)
1544 | unsecapp.exe (13 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: unsecapp.exe
pid | process
1544 | unsecapp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: surrogateweb.exe, unsecapp.exe
description | pid | process
Token: SeDebugPrivilege | 3880 | surrogateweb.exe
Token: SeDebugPrivilege | 1544 | unsecapp.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: SandeLLoCHECKER_Installer (2).exe, WScript.exe, cmd.exe, surrogateweb.exe
description | pid | process | target process
PID 2472 wrote to memory of 4276 | 2472 | SandeLLoCHECKER_Installer (2).exe | WScript.exe (3 entries)
PID 4276 wrote to memory of 2432 | 4276 | WScript.exe | cmd.exe (3 entries)
PID 2432 wrote to memory of 3880 | 2432 | cmd.exe | surrogateweb.exe (2 entries)
PID 3880 wrote to memory of 1544 | 3880 | surrogateweb.exe | unsecapp.exe (2 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child relationship; the depth number from the report is given in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2472
    [2] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        PID: 4276
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\chainproviderBrowsersvc\1L1To0L.bat" "
            - Suspicious use of WriteProcessMemory
            PID: 2432
            [4] C:\chainproviderBrowsersvc\surrogateweb.exe
                Command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
                - Modifies WinLogon for persistence
                - Checks computer location settings
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 3880
                [5] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe
                    Command line: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 1544

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3556

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2976

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 4152

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2652

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3848

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 4932

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\smss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3208

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2220

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1416

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3964

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3020

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 4252
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads