Overview

overview

10

Static

static

3

caad395aef...b4.exe

windows7-x64

10

caad395aef...b4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2024 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe

  • Size

    3.2MB

  • MD5

    b49ab1057d8a84fcfab28e98cfbf7330

  • SHA1

    b5740a5eeef81280e7b7c9556487d3d5e21725f0

  • SHA256

    caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4

  • SHA512

    d2ba08fee9f409d9b994fa66ac2db1b28f87590ced2461bde6f776bb0289fc2dbdea1ff725bdfca12dd4caadfc15560b2dc5a5fb60578dbe517e60de7d2d6149

  • SSDEEP

    98304:+9ckJgZJBx32c8a3TiHPBeZRuyO7AqY3UkWcT:+mRDiHPBeZBOc

Score
10/10
dcratredlinesectopratmadaspackv2discoveryinfostealerpersistencerattrojan

Malware Config

Extracted

Family

redline

Botnet

MAD

C2

185.189.14.66:4090

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 4 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
    "C:\Users\Admin\AppData\Local\Temp\caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
      C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\20875cc9.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3880
    • C:\Users\Admin\AppData\Roaming\Stealer.exe
      "C:\Users\Admin\AppData\Roaming\Stealer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4132
    • C:\Users\Admin\AppData\Roaming\Rater.exe
      "C:\Users\Admin\AppData\Roaming\Rater.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\fontreviewdriverRuntimeCrt\aUIG46NqqfwTd5cOGgGlZ.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\fontreviewdriverRuntimeCrt\QZXIUNz.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4264
          • C:\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe
            "C:\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1408
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RemFwb7QGw.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4896
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2908
                • C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\explorer.exe
                  "C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\explorer.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\html\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\zipcontainer\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\mfc110jpn\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\fontreviewdriverRuntimeCrt\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\normaliz\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3068

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5HI12B12\k2[1].rar
      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\20875cc9.bat
      Filesize

      187B

      MD5

      f06acca3139790942eb03b44dd06d42b

      SHA1

      d2ae6a940d7fe4a07f642d9c522b5e87f887510e

      SHA256

      200e89ece4f8a7fa91055fd9f2b3a8defc791190fe279dc6296d490da8c3628f

      SHA512

      e6edcad3dbcd61b795137f6487e4987480b82fd6ca7ebb18802373281b5621910631032b42ea7e0b9506bf0a5fa1f9cda554dfd19ea4ad6500197f217a43af1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\40882793.exe
      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
      Filesize

      15KB

      MD5

      f7d21de5c4e81341eccd280c11ddcc9a

      SHA1

      d4e9ef10d7685d491583c6fa93ae5d9105d815bd

      SHA256

      4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

      SHA512

      e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RemFwb7QGw.bat
      Filesize

      267B

      MD5

      6515e47d39a70cbcc1f52fe5325d3c84

      SHA1

      60eaf5a9f451bbe4a5939d14025a39aee9ae21a4

      SHA256

      ae89eb7fd879cb38a00647c1cbc6854d30ef0bd0e26572f5a688bd3d63b0fe14

      SHA512

      b4748e23766ca4be7e3cb6db55d656a5fe8d4da0b718d3f72f2d1ab5ee92ba17c43e125297d566b1a92e153b30e6c8006c3cd93dc776f43b6733b7c522754bf7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Rater.exe
      Filesize

      1.5MB

      MD5

      bcd17a8616855eb0c5a78f71fca10ba7

      SHA1

      a5eca5659dee5e5349b437640500acd197d8079e

      SHA256

      2fd0b5b2b36e993fb73c6788e7bd7a0e3d5576094c098cd7ae56fa0790668f3e

      SHA512

      24e8521a5c757cbd06d6d3789fe04eea0ba7c97b70bc1ac0da7cc56350e1bc721f470544ff51865ae556c3dedfa662bb76c75fa03a22e467c1380fe7e4e3a834

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Stealer.exe
      Filesize

      95KB

      MD5

      8cec900f08763b810c3e4133bc0dc834

      SHA1

      c547853fc95d46b46bd16dcb8e9cc555eb9a20ab

      SHA256

      abd30ac692e2bfb96036bdd9ed4b230418fe1e291c9cc57b2391992f38094592

      SHA512

      e8dd2a87f46ac67daf8175f344006a0efd14b6e9f09d36deeb5738b5a41de0c6cd39db1f41a2c3812f6cae7b0e50df44c86f9fc25a373b02a92131f7e3183897

      Download Submit

    • C:\fontreviewdriverRuntimeCrt\QZXIUNz.bat
      Filesize

      75B

      MD5

      a4a6baa7c5632664c21cba413b8be602

      SHA1

      93f5b688cdd19ea0d6f0435fe290db46064b3a84

      SHA256

      9b67a341b4e4bd174717ddc01e03016ddf57d04e31f9468ba262e3325021b013

      SHA512

      9dd387acb8efec40199434de03d31b92bfc3e0ece6712819c3ecebe9bcad18597164cb8c56f1b28be48d156ee5620ac984f49c9f0ec901b259aedb3068814192

      Download Submit

    • C:\fontreviewdriverRuntimeCrt\aUIG46NqqfwTd5cOGgGlZ.vbe
      Filesize

      210B

      MD5

      dffd872be659b76b5e8d2998f40338d8

      SHA1

      194fa1edcdf6dc8b589a95deb35a8ceb9055036e

      SHA256

      a49a72b1e8cc6b7ab9b30d564c757064b11184f10d305c7b5f6e66f558a32e0e

      SHA512

      33b7979274be7be149ce210a0e65938ec9ce30d5b5bd09f80d80dc3c62d09b174644898ecb06c763f71ab5ab09e299bba05e9f25a4f1792b1503c04187dfd7a7

      Download Submit

    • C:\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe
      Filesize

      1.2MB

      MD5

      e86e6dcddab6bf719197f12c99247b19

      SHA1

      7c9ad558e0484a57f2e4f81a9f91a34ca9d3926c

      SHA256

      eaafe8afd63c54fb58e983191998713a9417e74066a6aa89c08790ef9e824daa

      SHA512

      2e702d46610d7dc6f35097b1337d631aeab1d674d5aa120b70be68c54d1a984d2094ae0fd535cbfa161573b6fa9795650f4da6d8584d5ceef971606ffb27e9da

      Download Submit

    • memory/1408-159-0x00000000022A0000-0x00000000022BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1408-158-0x0000000000060000-0x000000000018E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1408-164-0x000000001BA90000-0x000000001BFB8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1408-163-0x00000000022F0000-0x0000000002302000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1408-161-0x00000000022C0000-0x00000000022D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1408-162-0x00000000022D0000-0x00000000022DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1408-160-0x000000001B350000-0x000000001B3A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2372-5-0x0000000000C70000-0x0000000000C79000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2372-152-0x0000000000C70000-0x0000000000C79000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4132-148-0x0000000005440000-0x000000000554A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4132-120-0x0000000000770000-0x000000000078E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4132-129-0x0000000005140000-0x0000000005152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4132-147-0x00000000051E0000-0x000000000522C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4132-122-0x00000000056D0000-0x0000000005CE8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4132-131-0x00000000051A0000-0x00000000051DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4192-7-0x0000000000400000-0x00000000009C1000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/4192-0-0x0000000000400000-0x00000000009C1000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/4192-119-0x0000000000400000-0x00000000009C1000-memory.dmp

      Filesize

      5.8MB

      Download