Overview

overview

10

Static

static

10

-pril-main...th.exe

windows10-2004-x64

10

-pril-main...aw.exe

windows10-2004-x64

10

-pril-main...wd.exe

windows10-2004-x64

7

-pril-main...gh.exe

windows10-2004-x64

10

-pril-main...se.exe

windows10-2004-x64

10

-pril-main...ed.exe

windows10-2004-x64

10

Installer/CapCut.exe

windows10-2004-x64

10

start-main...on.exe

windows10-2004-x64

8

start-main/Sushi.exe

windows10-2004-x64

10

start-main...wd.exe

windows10-2004-x64

1

start-main...sd.exe

windows10-2004-x64

10

start-main...fd.exe

windows10-2004-x64

10

start-main...we.exe

windows10-2004-x64

5

start-main...wd.exe

windows10-2004-x64

10

start-main...pu.exe

windows10-2004-x64

10

start-main...th.exe

windows10-2004-x64

5

start-main...ed.exe

windows10-2004-x64

10

start-main...fk.exe

windows10-2004-x64

5

start-main...ha.exe

windows10-2004-x64

10

start-main...ha.exe

windows10-2004-x64

10

start-main...ea.exe

windows10-2004-x64

10

start-main...as.exe

windows10-2004-x64

7

start-main...dw.exe

windows10-2004-x64

8

start-main...ha.exe

windows10-2004-x64

1

start-main...wt.exe

windows10-2004-x64

10

start-main...wd.exe

windows10-2004-x64

10

start-main...gh.exe

windows10-2004-x64

3

start-main/pdf.exe

windows10-2004-x64

10

start-main...dh.exe

windows10-2004-x64

10

start-main...as.exe

windows10-2004-x64

7

start-main...tj.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 08:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    start-main/hnfsefawd.exe

  • Size

    933KB

  • MD5

    7842a71a8910e4e39077f7b7e9c08eb6

  • SHA1

    1446760ee849308d7ed97b4e215f96db54681a5f

  • SHA256

    9cc4afb19c3702ceb41940a0261c7bdc8dafb347aa9aea1b6c84a88e62669e84

  • SHA512

    ae90232ecdc9ca11eb768fe579b356699ecf25829b38a83b0ff57b74278d250adf96f96c083115c87a1346e5192a1f721141f42f1719b30e5251871f1b1b56d2

  • SSDEEP

    12288:Zj71U9TGD8RPSSDoioHTDN3UpW3Ari4VVyZC0+1cw2jINofdiBZRwsCM9hsJeY60:ZP+QMZD9oHTW3iE0nHmd9Y61+

Score
10/10
dcratdiscoveryexecutioninfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\start-main\hnfsefawd.exe
    "C:\Users\Admin\AppData\Local\Temp\start-main\hnfsefawd.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\SppExtComObj.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\Registry.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4072
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nhAGd2WV34.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:5032
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:780
        • C:\Users\Public\Videos\OfficeClickToRun.exe
          "C:\Users\Public\Videos\OfficeClickToRun.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\PrintHood\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4460
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\Application\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2068

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\WindowsRE\RuntimeBroker.exe
      Filesize

      933KB

      MD5

      7842a71a8910e4e39077f7b7e9c08eb6

      SHA1

      1446760ee849308d7ed97b4e215f96db54681a5f

      SHA256

      9cc4afb19c3702ceb41940a0261c7bdc8dafb347aa9aea1b6c84a88e62669e84

      SHA512

      ae90232ecdc9ca11eb768fe579b356699ecf25829b38a83b0ff57b74278d250adf96f96c083115c87a1346e5192a1f721141f42f1719b30e5251871f1b1b56d2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2e907f77659a6601fcc408274894da2e

      SHA1

      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

      SHA256

      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

      SHA512

      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      bd5940f08d0be56e65e5f2aaf47c538e

      SHA1

      d7e31b87866e5e383ab5499da64aba50f03e8443

      SHA256

      2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

      SHA512

      c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ncznho2.1it.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nhAGd2WV34.bat
      Filesize

      171B

      MD5

      1305f923cb47bca23bcefd83f1c4bdc5

      SHA1

      3fe4bc6a1e9944daf9c89e81b4a496f25052ed93

      SHA256

      f51d8f9fca786f1f4c96d32c13eaf0d9f3362da54e27e0fc362136dbe1496b77

      SHA512

      e81c4be1069fd8eda05d242c6622086ba172b0c26921bc7ebc187a2efb3bebbc5e8bfdea5016f25f01a97d3af30ef46766fe54bd5d9e00c772dd85d3331cbcfc

      Download Submit

    • memory/684-23-0x00000000012B0000-0x00000000012BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/684-20-0x000000001C5C0000-0x000000001CAE8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/684-11-0x0000000001290000-0x00000000012A8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/684-13-0x0000000001250000-0x000000000125E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/684-15-0x0000000001260000-0x000000000126C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/684-16-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/684-18-0x00000000012D0000-0x00000000012E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/684-19-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/684-0-0x00007FF954C23000-0x00007FF954C25000-memory.dmp

      Filesize

      8KB

      Download

    • memory/684-25-0x00000000012C0000-0x00000000012CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/684-21-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/684-9-0x0000000002CD0000-0x0000000002D20000-memory.dmp

      Filesize

      320KB

      Download

    • memory/684-26-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/684-27-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/684-8-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/684-1-0x0000000000990000-0x0000000000A80000-memory.dmp

      Filesize

      960KB

      Download

    • memory/684-5-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/684-80-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/684-7-0x0000000001270000-0x000000000128C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/684-4-0x0000000001230000-0x000000000123E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/684-2-0x00007FF954C20000-0x00007FF9556E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4072-41-0x0000015556140000-0x0000015556162000-memory.dmp

      Filesize

      136KB

      Download