Overview

overview

10

Static

static

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows7-x64

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows10-2004-x64

10

Cs2SteamEmul.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    31s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-07-2024 04:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cs2SteamEmul.exe

  • Size

    2.8MB

  • MD5

    d48669a634489ed4baf9e84aedd9d2bd

  • SHA1

    e7b7bdf6e10584eb07547e7237bd654b42abcf84

  • SHA256

    4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666

  • SHA512

    d902e3d77f7cc33f806b1e298fb51905636bb9ea83cf5a030c18ed33400e656edf3223a0ff4f6e7fcef20b427413cbf5a5132b914d37f476cd4ad6d90db46a90

  • SSDEEP

    49152:8bA3W4Dw1beHhL/rBnVQzQ2Bq5U+0HE26wyiK4Csx7aPNUmTk:8b6PHhXB6e2dHfxJ1xu/k

Score
10/10
dcratevasioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat 38 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cs2SteamEmul.exe
    "C:\Users\Admin\AppData\Local\Temp\Cs2SteamEmul.exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainSurrogateref\s70leb7kkd32CLdRUKa.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ChainSurrogateref\xpD7eJ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\ChainSurrogateref\hyperBrowser.exe
          "C:\ChainSurrogateref\hyperBrowser.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4564
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BIbGy9hvi4.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1472
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4068
              • C:\Program Files\Windows Mail\en-US\csrss.exe
                "C:\Program Files\Windows Mail\en-US\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2052
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:3152
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\uk-UA\ShellExperienceHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\uk-UA\ShellExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\uk-UA\ShellExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\ShellExperienceHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Recent\ShellExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2248
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\ShellExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\en-US\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\en-US\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\en-US\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\ShellExperienceHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\Resources\ShellExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\ShellExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ja-JP\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\en-US\lsass.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:952
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2420

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ChainSurrogateref\hyperBrowser.exe
        Filesize

        2.5MB

        MD5

        fb9e236436cde0a5a4eed038eaddcba0

        SHA1

        b952200d5fc543b905081e871d0f17cd86fe614f

        SHA256

        cbc2a097f5d12d79a5b79af092afba8eee19305a82e3663bcdf7a312bf3b6d49

        SHA512

        22c83c980a1df703d66f10ea11caaf187c9081c5b85039e4206f4a34418bc030af3baee128873e7bb6f45bd59132cc6191fd9fba3c8818d94c81105ec11a130c

        Download Submit

      • C:\ChainSurrogateref\s70leb7kkd32CLdRUKa.vbe
        Filesize

        211B

        MD5

        4410becb8d48b0f40a82e8d65460e611

        SHA1

        23971351f410149ee5f076de87985cd6b4ab49dc

        SHA256

        ce4270f5351b45f9a102cb09b20dec64956cb4ab81a36fb6efa0689ab8755ce5

        SHA512

        539bfef68779f8c70a82346bb2410fe335a79cecba2c17f4d4f8d83e74ed85a6cd1d36ad4a55945b7283e73de65cec7aa45280c9f19e49a4d0f316857d42a3ed

        Download Submit

      • C:\ChainSurrogateref\xpD7eJ.bat
        Filesize

        162B

        MD5

        eaa1aa25e323d5ea76d80a5ddbfeca3c

        SHA1

        a9ce156083afb97e63800dda5ee1e99d845b3a18

        SHA256

        7bd09663e812891268d97ecf21ea8d6669252fdcb2d3e24c9834252cadc21263

        SHA512

        f8d204db10ac0b32ebcd9266c4022d342fd2a7a520428eb585dbda826d79ed8744ed6dfd196821bb8bca6a786eabf77af2acbf0080db488e54b07abe1cf78aa7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\BIbGy9hvi4.bat
        Filesize

        210B

        MD5

        5f465a38a29b3b014fe98137dd0b44cb

        SHA1

        6658b252f0f7a88949944226fb9fe41829cb1d9b

        SHA256

        2e079c81f33be490df3336ec2a9d3e2c1dae053d6321c1db4683988feda33883

        SHA512

        c8653121298d9371caa684e297c78852814cfcdfdfed6a74d4988b8e7c3ecae522778c4f405a3d73a2b0801e9ca7fc08538f4f1b8c225140b0570017af52f9e0

        Download Submit

      • memory/2052-63-0x000000001E310000-0x000000001E4D2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2052-62-0x00000000033D0000-0x00000000033E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4564-21-0x000000001B080000-0x000000001B08C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4564-24-0x000000001B110000-0x000000001B11C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4564-20-0x000000001B140000-0x000000001B196000-memory.dmp

        Filesize

        344KB

        Download

      • memory/4564-17-0x0000000000E90000-0x0000000000E98000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4564-19-0x000000001B070000-0x000000001B078000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4564-22-0x000000001B090000-0x000000001B0A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4564-23-0x000000001C2B0000-0x000000001C7D6000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/4564-18-0x000000001B050000-0x000000001B066000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4564-25-0x000000001B120000-0x000000001B12C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4564-26-0x000000001B190000-0x000000001B19E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4564-27-0x000000001B1A0000-0x000000001B1AE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4564-28-0x000000001B960000-0x000000001B96A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4564-16-0x000000001B0A0000-0x000000001B0F0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4564-15-0x0000000002750000-0x000000000276C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4564-14-0x00000000002C0000-0x0000000000552000-memory.dmp

        Filesize

        2.6MB

        Download