Overview

overview

10

Static

static

3

9615f26aef...62.exe

windows7-x64

10

9615f26aef...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 16:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe

  • Size

    1.8MB

  • MD5

    8fe4d765052f33ee206babd50ecebff4

  • SHA1

    626ed36cc72ed374334c868a5d2471cd1d70e9ef

  • SHA256

    9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462

  • SHA512

    5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210

  • SSDEEP

    49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
    "C:\Users\Admin\AppData\Local\Temp\9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
          "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf/MsRefHost.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4440
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4kfv5a2\g4kfv5a2.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:4816
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C13.tmp" "c:\Windows\System32\CSCDE4A03805D114A91BC6339356CCDB199.TMP"
              6⤵
                PID:4460
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OSxPLZ1m83.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1100
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3320
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:3288
                  • C:\Recovery\WindowsRE\OfficeClickToRun.exe
                    "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3148
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2576
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Install\backgroundTaskHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Install\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4548
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4500
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4424
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4380
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1880
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2588
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MsRefHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5008

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\OSxPLZ1m83.bat
          Filesize

          218B

          MD5

          969ea231025c500cf38327d26320cc5b

          SHA1

          5cd5a59ed715e182cd3822f8df2405bf72c2d2ea

          SHA256

          231285b1e9cb369c85695720544fa1d6184b1af289b2804fa1f1639296af8e59

          SHA512

          624e79bb1f4f210107016631d2ffce304f7c4fb8e4c64e4783bf23b4bda06966ff031d133803380757483393dfab2f83fd56d97797ff1c8e34529d07804740c6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES8C13.tmp
          Filesize

          1KB

          MD5

          71a7a3b918bc53761b70a30e0afc4d9e

          SHA1

          ae6781a46b9090d4c5a114d94663241a05df4383

          SHA256

          920a757f63e4d318dd50a2f8db4f7520ca08b4712a886fe7178b6fe87f237e50

          SHA512

          e19f65f32bbaff25e7bd5056cd25ccd904cb55a82965329963ef3c1a2ef2644d67783a183f55fd04a234a92245ceaaf5a74596dbf8a97662f71cccebc7442b9e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
          Filesize

          1.9MB

          MD5

          8f4b5051db276e30641cd63fac01a982

          SHA1

          2da38a070be557014c57d314211f6236470aca37

          SHA256

          5864cdafd1e3c62524dd7ec715b055e11a3ace3f586d575a2c2f5f9c4f096553

          SHA512

          db77eb1df5aa539bb55ae9c6936c40f7e6d5b9b53e2c7e0c84c2d6df91f541cbdfef92675b45e5e7bb804b8998482970ff92f793e63ad2f9754d43bfab60bfa2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe
          Filesize

          247B

          MD5

          299cb1e8030c59ea61c25d77663d93ce

          SHA1

          47ed6fb489f8e725a2a25ff2de2f769f8c010ca9

          SHA256

          c21646d405045a3684859964fb3a6bab60be39d07ef509902baa267fb3735d60

          SHA512

          121da7ee97dbc5ea1aed2b95acd2b9869783851bf1f267e97dd9ae25d0ad2819eccb8618108d8adb745a4baed59de9eb5da4c2c132659219f5689f03302bcb08

          Download Submit

        • C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat
          Filesize

          111B

          MD5

          7570b030d6165dbe5710aea256bc5fb0

          SHA1

          f748ac754c02cebb69b874e6c2b7c8dd51bfa43c

          SHA256

          5a7151908f5167f6be21b2518d8d825dc3f13e4fcc0e1b7ea4931669d28ef3e7

          SHA512

          64ba0ebacbc47fa0a7dc3efd361e89d24d7df343548ad337da0d2f4333e37a5ff208fc0d6f3c197d8e944d38cd4029f13f34b01e8a2adb63baea16dcedcd3ade

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\g4kfv5a2\g4kfv5a2.0.cs
          Filesize

          367B

          MD5

          4b60049fe5d4e6b13c3d58847b450751

          SHA1

          412254ecdcd77095cb8588a745e1cb7005151bdc

          SHA256

          1f01bd73e6b2e9636771e6f04b8d7e452a976eacd19846360d7755a8320aa283

          SHA512

          02d6f3ff0361e1db6509db5e292f60d0fce08198fa0c22e56b10762f20fe2289c484f684457abe54a40b79024aa5a2ae3440d0aa0264520c0b04a4e047f61e3a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\g4kfv5a2\g4kfv5a2.cmdline
          Filesize

          235B

          MD5

          6dd0526889114aa42ee5f7c2affd0483

          SHA1

          c36d7aee0ddcd6d67ba9434598fe6df152f19c33

          SHA256

          d2fb8d446c0a393557dc20933038ed9110bea7e8631a4e23cd63dced95abe330

          SHA512

          c203c160b150606765edd48623ec94ff45adbb0f5e15482bc548dad6086ccd67a95913638fa1662ccd9129461bde761fe78507174b6e45f09960a6ba9cde2935

          Download Submit

        • \??\c:\Windows\System32\CSCDE4A03805D114A91BC6339356CCDB199.TMP
          Filesize

          1KB

          MD5

          75e32610d8ef6143201c7c28465fcda9

          SHA1

          b2bae99fade2dda07aecbe1659d184be0fc4e7a6

          SHA256

          97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

          SHA512

          b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

          Download Submit

        • memory/3148-66-0x000000001D4F0000-0x000000001D605000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4440-20-0x0000000002B00000-0x0000000002B18000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4440-23-0x000000001CAD0000-0x000000001CFF8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4440-25-0x0000000002AC0000-0x0000000002ACE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4440-27-0x0000000002AD0000-0x0000000002ADC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4440-22-0x0000000002B20000-0x0000000002B32000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4440-18-0x000000001B690000-0x000000001B6E0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4440-17-0x0000000002AE0000-0x0000000002AFC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4440-15-0x0000000002A60000-0x0000000002A6E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4440-13-0x00000000007B0000-0x00000000009A4000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4440-12-0x00007FFA4A933000-0x00007FFA4A935000-memory.dmp

          Filesize

          8KB

          Download