Overview

overview

10

Static

static

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows7-x64

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows10-2004-x64

10

Cs2SteamEmul.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    32s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-07-2024 04:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cs2SteamEmul.exe

  • Size

    2.8MB

  • MD5

    d48669a634489ed4baf9e84aedd9d2bd

  • SHA1

    e7b7bdf6e10584eb07547e7237bd654b42abcf84

  • SHA256

    4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666

  • SHA512

    d902e3d77f7cc33f806b1e298fb51905636bb9ea83cf5a030c18ed33400e656edf3223a0ff4f6e7fcef20b427413cbf5a5132b914d37f476cd4ad6d90db46a90

  • SSDEEP

    49152:8bA3W4Dw1beHhL/rBnVQzQ2Bq5U+0HE26wyiK4Csx7aPNUmTk:8b6PHhXB6e2dHfxJ1xu/k

Score
10/10
dcratevasioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat 20 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cs2SteamEmul.exe
    "C:\Users\Admin\AppData\Local\Temp\Cs2SteamEmul.exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainSurrogateref\s70leb7kkd32CLdRUKa.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ChainSurrogateref\xpD7eJ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\ChainSurrogateref\hyperBrowser.exe
          "C:\ChainSurrogateref\hyperBrowser.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:428
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bCLjvGEUzj.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4876
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4208
              • C:\Windows\debug\fontdrvhost.exe
                "C:\Windows\debug\fontdrvhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4816
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:1212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\debug\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\InstallAgent.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Windows\Panther\InstallAgent.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\InstallAgent.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Cosa\sppsvc.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Cosa\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\ChainSurrogateref\taskhostw.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\ChainSurrogateref\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\ChainSurrogateref\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1088
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:4624

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ChainSurrogateref\hyperBrowser.exe
        Filesize

        2.5MB

        MD5

        fb9e236436cde0a5a4eed038eaddcba0

        SHA1

        b952200d5fc543b905081e871d0f17cd86fe614f

        SHA256

        cbc2a097f5d12d79a5b79af092afba8eee19305a82e3663bcdf7a312bf3b6d49

        SHA512

        22c83c980a1df703d66f10ea11caaf187c9081c5b85039e4206f4a34418bc030af3baee128873e7bb6f45bd59132cc6191fd9fba3c8818d94c81105ec11a130c

        Download Submit

      • C:\ChainSurrogateref\s70leb7kkd32CLdRUKa.vbe
        Filesize

        211B

        MD5

        4410becb8d48b0f40a82e8d65460e611

        SHA1

        23971351f410149ee5f076de87985cd6b4ab49dc

        SHA256

        ce4270f5351b45f9a102cb09b20dec64956cb4ab81a36fb6efa0689ab8755ce5

        SHA512

        539bfef68779f8c70a82346bb2410fe335a79cecba2c17f4d4f8d83e74ed85a6cd1d36ad4a55945b7283e73de65cec7aa45280c9f19e49a4d0f316857d42a3ed

        Download Submit

      • C:\ChainSurrogateref\xpD7eJ.bat
        Filesize

        162B

        MD5

        eaa1aa25e323d5ea76d80a5ddbfeca3c

        SHA1

        a9ce156083afb97e63800dda5ee1e99d845b3a18

        SHA256

        7bd09663e812891268d97ecf21ea8d6669252fdcb2d3e24c9834252cadc21263

        SHA512

        f8d204db10ac0b32ebcd9266c4022d342fd2a7a520428eb585dbda826d79ed8744ed6dfd196821bb8bca6a786eabf77af2acbf0080db488e54b07abe1cf78aa7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bCLjvGEUzj.bat
        Filesize

        197B

        MD5

        f81db1c7037f55abeb5d49e62ef46608

        SHA1

        6c4448274ce15f507b1e55de74e3aebe30d3b3ac

        SHA256

        4da6b5cd80df25d2b6c70dc4294550bdd4c5dcc27c744a662db6efc5a582400b

        SHA512

        6f84e440cb31b83422e99ea4bae1396248876a0c64357f8162389017d6f6aecdeed7460fcf4c8fa5f8be551077fdff768512dbefb88a96cdef25a8685af2748e

        Download Submit

      • memory/428-21-0x000000001B940000-0x000000001B94C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/428-24-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/428-19-0x0000000002EC0000-0x0000000002EC8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/428-20-0x000000001B8F0000-0x000000001B946000-memory.dmp

        Filesize

        344KB

        Download

      • memory/428-18-0x000000001B8D0000-0x000000001B8E6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/428-17-0x0000000002E60000-0x0000000002E68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/428-15-0x000000001B8B0000-0x000000001B8CC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/428-22-0x000000001B950000-0x000000001B962000-memory.dmp

        Filesize

        72KB

        Download

      • memory/428-23-0x000000001C9E0000-0x000000001CF06000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/428-16-0x000000001B970000-0x000000001B9C0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/428-25-0x000000001C000000-0x000000001C00C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/428-26-0x000000001C010000-0x000000001C01E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/428-27-0x000000001C020000-0x000000001C02E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/428-28-0x000000001C1D0000-0x000000001C1DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/428-14-0x0000000000B30000-0x0000000000DC2000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/4816-50-0x000000001B7A0000-0x000000001B7B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-51-0x000000001D260000-0x000000001D422000-memory.dmp

        Filesize

        1.8MB

        Download