Overview

overview

10

Static

static

3

FIX.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    30-10-2024 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FIX.exe

  • Size

    4.7MB

  • MD5

    840b55c4deeadd584747feeacb71111b

  • SHA1

    d0ab89817e7e4c9eef250d632ca035b02d06b082

  • SHA256

    2e1625d3a0354db4f9eca5eb63181d75b7dd08699481604a17ab86dfd76f8ebd

  • SHA512

    920ed71c2cafc21a91905a9eec9f5fa06d09a30c8d56ce0aa4b8a59d0d044670b73ecc3801c72cd64e6c788b6d299e0fdbed9b9f7b4ea06b114b82b4556cdeb7

  • SSDEEP

    49152:IBJNcIJz/f3SvXSRl5mHRbKdGm4C2oeacqu:yXcIJzQ2ylwtbeaK

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\FIX.exe
    "C:\Users\Admin\AppData\Local\Temp\FIX.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontIntobrokerperf\7iJru9HYh5L5RXPHYCUB7WFJq.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\fontIntobrokerperf\7YaNN9pSqbeFjRlTWXnKPtLSePTg0n4yWaA0efNHJ5J9sdUSpqa6C9L.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\fontIntobrokerperf\containerBrowserFontsvc.exe
          "C:\fontIntobrokerperf/containerBrowserFontsvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:772
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2s1qmkg5\2s1qmkg5.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2484
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD65B.tmp" "c:\Windows\System32\CSCF16AB9687B2849DE89217846777AF738.TMP"
              6⤵
                PID:4284
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ll82beSMlW.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1140
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2528
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:3412
                  • C:\Users\Public\Downloads\unsecapp.exe
                    "C:\Users\Public\Downloads\unsecapp.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4160
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4556
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3852
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1548
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1952
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\unsecapp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4280
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "containerBrowserFontsvcc" /sc MINUTE /mo 6 /tr "'C:\fontIntobrokerperf\containerBrowserFontsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "containerBrowserFontsvc" /sc ONLOGON /tr "'C:\fontIntobrokerperf\containerBrowserFontsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "containerBrowserFontsvcc" /sc MINUTE /mo 14 /tr "'C:\fontIntobrokerperf\containerBrowserFontsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3876

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Ll82beSMlW.bat
          Filesize

          214B

          MD5

          c1c77427b33f2f630270a2bd799c568c

          SHA1

          5b706355abcb84f77902c61d12f1066e38f15837

          SHA256

          18d045d29f278871263e1113b8a59c2d0f9833142a22475247e4a33bdade7c9f

          SHA512

          c49e1fa620ad399abc13e1357491628f9650aa7739d2f6b4c7cb029a11eec795bb94c044584cfbf8c4e2ad35ec66b459bc245bd799c06483b72197816d0586ad

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESD65B.tmp
          Filesize

          1KB

          MD5

          d50116d32737348b0ab2c2b0bf3cb132

          SHA1

          fc55128883d0a6ab8debd2c3ad4a9cbdc3df1a9e

          SHA256

          18ee570d46514028cc6caa13af82069a2324b54903d458a735debc94734b1cd1

          SHA512

          d969768ee7e893ef0fa08159d239e1efd33623510650214dae198c727cc1218d864196d46ff51d6bad129e4ab91465bcffa25cbc246500701145b7a73e4d881b

          Download Submit

        • C:\fontIntobrokerperf\7YaNN9pSqbeFjRlTWXnKPtLSePTg0n4yWaA0efNHJ5J9sdUSpqa6C9L.bat
          Filesize

          92B

          MD5

          32ecbbe3396da57d74b40fb00c2c180e

          SHA1

          cdd6988604d727de78f063f24949728efc7947f9

          SHA256

          90326649c658566549aa5d66ae6c8641d1ec541e462f03b5809352222d5f25a2

          SHA512

          fb5a28932e6554716fad61e54287168980b1f990956dface6f37832f5f3a1f31d736f44ad21ffdf664738464668ba5d0f4b188d88d1ea801c01c538008cd0ed5

          Download Submit

        • C:\fontIntobrokerperf\7iJru9HYh5L5RXPHYCUB7WFJq.vbe
          Filesize

          252B

          MD5

          e725316f6fcc49a17a08a86303676e40

          SHA1

          0ed637be09c53458dbf9c7f0bc32dd8c6541e2b0

          SHA256

          f11ab53f1007d8aaa397401d0fb9cf408bf893aa4559fa37c7618fa319877cd4

          SHA512

          96eda143c022b23e5ff4d017943bf36f1266f8b3ad01c8ddd7f999da8be3a28d90650bce218732e9878be2f3243a683d5b42507fde13b9f871369bafd5e5dcc8

          Download Submit

        • C:\fontIntobrokerperf\containerBrowserFontsvc.exe
          Filesize

          4.4MB

          MD5

          e718e41a9c56bb781cbbfb2b4e07af25

          SHA1

          be9d69e99650567b665784fa8acf8ef253462047

          SHA256

          aaf4de1a842be1f6b361b58a46793a31d607fac7b0ba327248decf8d35f0f7b2

          SHA512

          e6eb5d6d3becc540abe01c2a39b4cdc86537d8ca8143f5349585ff108d832ae55f2e08f78b176d118ee9525be0892b07c65817dac6da37cd0147c2833d12bcee

          Download Submit

        • C:\windows\system32\bvvos7.exe
          Filesize

          4KB

          MD5

          ccbb61969684287a9b22d81d84950e84

          SHA1

          dc2c4016acf9dd61d540c960ad09153cf3eed1c1

          SHA256

          e1c83326cfa39683612de84a6e5e5b6e52aaebc080a7ef277d88900a1eb4332b

          SHA512

          3cf1c46027d478cdc57656469ec86fe0d9133a1ee8bc72c98b1593ef0d292346871c10331837c832fee239fc918b5452e83f2f120e6e83de2a4a00eed43e1924

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\2s1qmkg5\2s1qmkg5.0.cs
          Filesize

          382B

          MD5

          77b4a10e4603cdd1aa4b63b76423730a

          SHA1

          dd31ea5f6cf22e965c161e9ba8756fd8af20cd2c

          SHA256

          76f8ab471a9415837f7fb9f1fe3f1db67891d5cd78fddcacf89b9f0d41b73a91

          SHA512

          9c0cd28d01952892c69b6abe18d12f0205513936702b6a0a0697c7b802f54c7c91a5cf3c974adf274659f3425cfd4aef46766c287847df00afacbba65c8cb40a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\2s1qmkg5\2s1qmkg5.cmdline
          Filesize

          235B

          MD5

          8c16b2ca9665954eef11129f8232d0b5

          SHA1

          ded0e412343c5d1bb78d1a052ab229f280681aa9

          SHA256

          6076437a8ea1574eed7a8e1fc6dcd02d56b03f19374707c8144c7c6cfbc78f6d

          SHA512

          c5eb35a785e554cff5ae4608a8eabdec50661f29bd0a82f1e09d86b2b094f6c91c7541be7691ababc93ab17e5386b489d0823bd3477bfff9709ae7836c7f989a

          Download Submit

        • \??\c:\Windows\System32\CSCF16AB9687B2849DE89217846777AF738.TMP
          Filesize

          1KB

          MD5

          39771ddaaba57655428176421edca076

          SHA1

          303dbb365df31cda999f1c490ac93a1a13362e3f

          SHA256

          f075ee7c5adceb229442eb8b2ad00df495cf69a892ff54790603efd9d038bb4c

          SHA512

          15ce267d8f6d7799d5ad6f70dbcad3c1676648d7afc7b675852c163ee26b8c9d46e03d217b70630d7e3e496ab31a34a7bde587ecd6aff9541deb5c013a1096de

          Download Submit

        • memory/772-37-0x0000000003390000-0x000000000339C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/772-33-0x000000001BE50000-0x000000001BEA0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/772-35-0x000000001BE00000-0x000000001BE18000-memory.dmp

          Filesize

          96KB

          Download

        • memory/772-32-0x0000000003400000-0x000000000341C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/772-28-0x0000000000FF0000-0x00000000011CA000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/772-30-0x0000000001990000-0x000000000199E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4556-19-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-17-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-18-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-20-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-21-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-22-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-23-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-11-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-13-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4556-12-0x000002CB0D960000-0x000002CB0D961000-memory.dmp

          Filesize

          4KB

          Download