Overview

overview

10

Static

static

10

NeverLose ...0_.exe

windows7-x64

10

NeverLose ...0_.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NeverLose Crack by Lick0_.exe

  • Size

    2.8MB

  • MD5

    3687f8b8c673eb5541ed071b708dc5a5

  • SHA1

    e019bc82b0fd67875615673c0ac07013962077af

  • SHA256

    d7917a55c255297286aacb020baf7e7fcd6acb4a0d380e4cb3d50e50e90593b0

  • SHA512

    510c3298b7dfaa02657dcec9ab63ef3eac6d15a9b946daff7d07ab840ef8331531a90b1873fe37f9c694c6d5ff88216c5d4e81b9b7db08eb51fd8da1aae7931f

  • SSDEEP

    49152:MbA3Q4etyON8AHfj+roH3t1Um1K7gAV2Oinx8WL8+oGidW6:MbXnyBroXts7NyxlZD6

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NeverLose Crack by Lick0_.exe
    "C:\Users\Admin\AppData\Local\Temp\NeverLose Crack by Lick0_.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\serversvc\sIICU.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\serversvc\298xPTUK2eRUsguC.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\serversvc\ComSurrogateDriver.exe
          "C:\serversvc\ComSurrogateDriver.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oCGmLpTxeQ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3292
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4460
              • C:\Windows\schemas\fontdrvhost.exe
                "C:\Windows\schemas\fontdrvhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4772
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\serversvc\file.vbs"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1572
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\serversvc\6fZxXCAdox3DydUlVNG.bat" "
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "taskkill steam.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill steam.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:4160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\schemas\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\oCGmLpTxeQ.bat
      Filesize

      199B

      MD5

      f83eec0399775326db4bb857493858ee

      SHA1

      d6fe363ed14bb530e5fdaebb36360aad6a0a9293

      SHA256

      c3c98ea499e161ff06b738f5efb77346206d8258ead7830d95636f2b0d67ba32

      SHA512

      b26a9c911034e53e5c46de07b53f6300c7377fd650e1f9a92946bb7d104ac248c40c492038e50789a33c693b92f714d5430f070818b1913ee25d4a8699cf9abe

      Download Submit

    • C:\serversvc\298xPTUK2eRUsguC.bat
      Filesize

      37B

      MD5

      a70ef85524a8291a64f86473a3613666

      SHA1

      9e2180e5f09e71abd13437f8e63a74185ed20499

      SHA256

      ccfa63116a2ee95a473c3ca843c343bdd87cfdeae691f7e12a0938a1fc09f042

      SHA512

      b07dea6d2cb1acc057dddacf1e573d9f585ae72750ffd828e2b381f63896976f2803ea641a6ef63fe24c7e8279eb345fe03699a88a646796082899f6fa928d70

      Download Submit

    • C:\serversvc\6fZxXCAdox3DydUlVNG.bat
      Filesize

      31B

      MD5

      f1eb57101ab533a9731d52e4debfad4d

      SHA1

      b80cc75fb2cf7753b6f7c5eaa6b3dc2eaf0148b5

      SHA256

      bea282aa18f6fcd9bfc765cb251970ff97d8e41b816b37c2b987c2c98f28faf4

      SHA512

      bb5658658e6dfad7b7a0b94db207e516301c37f44c8fd5d2578bda49147e15fe5e147cb10733a37fb5e7f4c1cad9cfd9faadae97665e26f19c29b36be68efe1d

      Download Submit

    • C:\serversvc\ComSurrogateDriver.exe
      Filesize

      2.5MB

      MD5

      8514467d2a5a3ae542fe6eecb6348d37

      SHA1

      81c9ba0dc68733af3bee7fae15a8eaca611d7fda

      SHA256

      b09d9c56ffffde85a3bb698240009cb131081b5333b6cfc3259e2b4279b7d61e

      SHA512

      ad91fc9289b3f598e3d68b797352deca4cb127f4c067d8154664d59037ba95a04928c7d18b22829a0b882ed50f3be5d43b51ca481a646e106db2ee847f0f0b63

      Download Submit

    • C:\serversvc\file.vbs
      Filesize

      68B

      MD5

      e4b3857b04ed328ff4d2dd8b3b2382b5

      SHA1

      f30ee596d1210f776c8090425c95489a460befe1

      SHA256

      b198539bee398529b541f7b3f4f1d6d5f93103ca222f86e6c89941404a8fb780

      SHA512

      c2337323196722f645150eecaeb37ccf982632bf92863f9f24d6360d6315845883eacef0aeb30daa361a6379ec915bfc4526e7a6516176900450110da3a4895a

      Download Submit

    • C:\serversvc\sIICU.vbe
      Filesize

      202B

      MD5

      6046e28a669b5a57f93afa3094762ecd

      SHA1

      56e4ee7ce81fbf9a89fa0416623fca553714bbfa

      SHA256

      7a2ac0e099cf62742abcd928cdb904851546ceebab077a9f5004e735d53a27a9

      SHA512

      55d0a0c691dd0d09c19b78cd4b966b33aaefdb382e8f9c40375e95774cd36edc65bc810585a68276739c2ba100e2123c704bbb794ef0c5a9b61ffaff573f5ffb

      Download Submit

    • memory/1788-22-0x0000000000DA0000-0x000000000101E000-memory.dmp

      Filesize

      2.5MB

      Download