Overview

overview

10

Static

static

3

Verest Client.zip

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    392s
  • max time network
    396s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    30-10-2024 19:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Verest Client.zip

  • Size

    1.8MB

  • MD5

    98e9704a0599365457a341aa9c7d5438

  • SHA1

    37b468aeee23dacad3342c7313efc327b54bfede

  • SHA256

    bf7cad10d965e95a4fd2f3090bdc617a7c5391e21edb7dc92451a20e89301364

  • SHA512

    2589d154244765e80dc788a847fae71edd4ffddeb64d049e8667b958a1fbad20d644764d8966c82257d5045e08ea3ba734ac058584956d4f609e3b565e4d6214

  • SSDEEP

    49152:bKcQprVnykZLsqIHM7FVSg8FxZ2jrfHYu0QHrLfQo0kAsC:bmhpDZHCg8rZ2j2yn4sC

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Verest Client.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:632
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FIX.bat
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3420
  • C:\Users\Admin\Desktop\FIX.bat
    "C:\Users\Admin\Desktop\FIX.bat"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontIntobrokerperf\7iJru9HYh5L5RXPHYCUB7WFJq.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\fontIntobrokerperf\7YaNN9pSqbeFjRlTWXnKPtLSePTg0n4yWaA0efNHJ5J9sdUSpqa6C9L.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\fontIntobrokerperf\containerBrowserFontsvc.exe
          "C:\fontIntobrokerperf/containerBrowserFontsvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2400
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\srl5eb5m\srl5eb5m.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1436
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES845A.tmp" "c:\Windows\System32\CSC4CF1DEDD2E0C40329DF3998B1836FE8E.TMP"
              6⤵
                PID:4016
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pMH2HzFBRZ.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3648
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2076
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:3460
                  • C:\Program Files (x86)\Windows Mail\dwm.exe
                    "C:\Program Files (x86)\Windows Mail\dwm.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2428
        • C:\Users\Admin\Desktop\Verest Client.exe
          "C:\Users\Admin\Desktop\Verest Client.exe"
          1⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2644
        • C:\Users\Admin\Desktop\Verest Client.exe
          "C:\Users\Admin\Desktop\Verest Client.exe"
          1⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\fontIntobrokerperf\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3400
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\fontIntobrokerperf\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3172
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\fontIntobrokerperf\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\fontIntobrokerperf\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\fontIntobrokerperf\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\fontIntobrokerperf\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1284
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "containerBrowserFontsvcc" /sc MINUTE /mo 11 /tr "'C:\fontIntobrokerperf\containerBrowserFontsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "containerBrowserFontsvc" /sc ONLOGON /tr "'C:\fontIntobrokerperf\containerBrowserFontsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "containerBrowserFontsvcc" /sc MINUTE /mo 8 /tr "'C:\fontIntobrokerperf\containerBrowserFontsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3016

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES845A.tmp
          Filesize

          1KB

          MD5

          e397c9d3125cb772752f8d1b9975cf97

          SHA1

          a6fe9def1e598cd912f8e0fcf1d42b8fab0d9f6d

          SHA256

          2bc0bd2c7fd448094c6b2ab416638f2f4ca217befe8854346d84afc8054c2ab3

          SHA512

          389169100e3aaa7c201a04f1f7889237039881bf1489b9694d3652f22e9d04d75b51899b216578be7d703541d000822f68637c5a9d3c2af5918704b7a785ab7d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\pMH2HzFBRZ.bat
          Filesize

          219B

          MD5

          0ed4319aeefa991ae7b29a20be6ccf3d

          SHA1

          8c2af2ea6d3b121b7e8ab8a83becbd8f3b9cb32a

          SHA256

          4ab7f1e2f9d4090cce40c1e607e24c539cda97855519da1d04c4beb8409b5f02

          SHA512

          8bc0089570d6c440ad533fc769bf782840662ee144c6228254c6d9f591cefc0a28233eb3599d738a7477c76ef9f33b0499d85de81b6462f18e6bc6c7e8bbf878

          Download Submit

        • C:\Users\Admin\Desktop\FIX.bat
          Filesize

          4.7MB

          MD5

          840b55c4deeadd584747feeacb71111b

          SHA1

          d0ab89817e7e4c9eef250d632ca035b02d06b082

          SHA256

          2e1625d3a0354db4f9eca5eb63181d75b7dd08699481604a17ab86dfd76f8ebd

          SHA512

          920ed71c2cafc21a91905a9eec9f5fa06d09a30c8d56ce0aa4b8a59d0d044670b73ecc3801c72cd64e6c788b6d299e0fdbed9b9f7b4ea06b114b82b4556cdeb7

          Download Submit

        • C:\Users\Admin\Desktop\Verest Client.exe
          Filesize

          27.9MB

          MD5

          82cdf0ca73aaa1de1b1b27750af78d56

          SHA1

          7467ee8fd369827416984c9a5c68f9350427c12c

          SHA256

          bc8234a9094fec31894863e4af5d86a988c93d679e6bf85df3a12aa1e85513c3

          SHA512

          fd3989a41e772885d6ae2b9eff6f87755677f086ab83af233d6fb38a968be84542ce99109d21ef0e26f28510b1d1b99c3870032b242f75d27d3320e22241ba93

          Download Submit

        • C:\fontIntobrokerperf\7YaNN9pSqbeFjRlTWXnKPtLSePTg0n4yWaA0efNHJ5J9sdUSpqa6C9L.bat
          Filesize

          92B

          MD5

          32ecbbe3396da57d74b40fb00c2c180e

          SHA1

          cdd6988604d727de78f063f24949728efc7947f9

          SHA256

          90326649c658566549aa5d66ae6c8641d1ec541e462f03b5809352222d5f25a2

          SHA512

          fb5a28932e6554716fad61e54287168980b1f990956dface6f37832f5f3a1f31d736f44ad21ffdf664738464668ba5d0f4b188d88d1ea801c01c538008cd0ed5

          Download Submit

        • C:\fontIntobrokerperf\7iJru9HYh5L5RXPHYCUB7WFJq.vbe
          Filesize

          252B

          MD5

          e725316f6fcc49a17a08a86303676e40

          SHA1

          0ed637be09c53458dbf9c7f0bc32dd8c6541e2b0

          SHA256

          f11ab53f1007d8aaa397401d0fb9cf408bf893aa4559fa37c7618fa319877cd4

          SHA512

          96eda143c022b23e5ff4d017943bf36f1266f8b3ad01c8ddd7f999da8be3a28d90650bce218732e9878be2f3243a683d5b42507fde13b9f871369bafd5e5dcc8

          Download Submit

        • C:\fontIntobrokerperf\containerBrowserFontsvc.exe
          Filesize

          4.4MB

          MD5

          e718e41a9c56bb781cbbfb2b4e07af25

          SHA1

          be9d69e99650567b665784fa8acf8ef253462047

          SHA256

          aaf4de1a842be1f6b361b58a46793a31d607fac7b0ba327248decf8d35f0f7b2

          SHA512

          e6eb5d6d3becc540abe01c2a39b4cdc86537d8ca8143f5349585ff108d832ae55f2e08f78b176d118ee9525be0892b07c65817dac6da37cd0147c2833d12bcee

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\srl5eb5m\srl5eb5m.0.cs
          Filesize

          375B

          MD5

          78f9df3801d304b548c313caf365fdd7

          SHA1

          25cecd3ebc4f501a22d4bf0cd7909f9622f1b9af

          SHA256

          4f0f754fd2cb9ee44edaeb16e37f5253297449f3d8b921ecc0de8ad8caaa8d68

          SHA512

          83674cf54849be3737fde11983e153ea5235d2502d31813b229fae0fdb2f3dfe267f8aed20aa1b157a35c43c6fe6b6fac68cfc262fc6ab6965761718b821ffe3

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\srl5eb5m\srl5eb5m.cmdline
          Filesize

          235B

          MD5

          63da029ea13b2daea392c10331540d82

          SHA1

          10f6ed43516686b470ef460a45c1c06619e7bb64

          SHA256

          9ddb848980964b8081119729604d8b6cd763a15a48f39bada8b0310c4afd4962

          SHA512

          33f4a7a5c27db72f9489f6b0b6cb7667ed89ddd75d9af972d38c588ee90040e06f7f6744ecbcdd58a3fcb2b53262f848a0cccc0a01307444050adb12e8c8ad4a

          Download Submit

        • \??\c:\Windows\System32\CSC4CF1DEDD2E0C40329DF3998B1836FE8E.TMP
          Filesize

          1KB

          MD5

          39771ddaaba57655428176421edca076

          SHA1

          303dbb365df31cda999f1c490ac93a1a13362e3f

          SHA256

          f075ee7c5adceb229442eb8b2ad00df495cf69a892ff54790603efd9d038bb4c

          SHA512

          15ce267d8f6d7799d5ad6f70dbcad3c1676648d7afc7b675852c163ee26b8c9d46e03d217b70630d7e3e496ab31a34a7bde587ecd6aff9541deb5c013a1096de

          Download Submit

        • memory/2400-29-0x000000001B5C0000-0x000000001B610000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2400-31-0x000000001B210000-0x000000001B228000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2400-33-0x00000000028F0000-0x00000000028FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2400-28-0x000000001B1F0000-0x000000001B20C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2400-26-0x0000000002850000-0x000000000285E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2400-23-0x00000000003F0000-0x00000000005CA000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2428-66-0x000000001CE50000-0x000000001CF64000-memory.dmp

          Filesize

          1.1MB

          Download