Overview

overview

10

Static

static

3

FATALITY/loader.exe

windows7-x64

10

FATALITY/loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FATALITY/loader.exe

  • Size

    3.2MB

  • MD5

    8faa9e2bbcb1f98cb3971b94f9feda41

  • SHA1

    ab03732cdbc58c752057f2dd3c39e164e222476f

  • SHA256

    026825e9ca81fe52b1833a5e2c838336bc645778da89ff5c266c65c9d750a490

  • SHA512

    5a660bddaf58c15503861663d018e3444c40fc9a62cc2953a60e41c78561014db4911d4f1da80f70a492d6ff912765d93e08c3c39fce921580b034dfcc47d358

  • SSDEEP

    98304:fP8sZQDJ8Apc4VDuZc3PT9ejwigyEgKSkzd1kl86:cs6lrDlT9ej7UgKBLy

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\bridgeHypercomComponentHost\mscontainerWindll.exe
          "C:\bridgeHypercomComponentHost/mscontainerWindll.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xsqo1j3d\xsqo1j3d.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3BE.tmp" "c:\Windows\System32\CSC7F29F9F5B0D7419F8FD23292E38EA30.TMP"
              6⤵
                PID:320
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v7shrX5kZY.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1760
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2428
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2228
                • C:\Program Files (x86)\Mozilla Maintenance Service\lsm.exe
                  "C:\Program Files (x86)\Mozilla Maintenance Service\lsm.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\mscontainerWindll.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2020
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2256
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\bridgeHypercomComponentHost\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\bridgeHypercomComponentHost\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\mscontainerWindll.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1100
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:580
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 9 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2244
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 12 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2492

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESA3BE.tmp
        Filesize

        1KB

        MD5

        a756ffb421f52124348ce10d6ee05054

        SHA1

        5ccfa6c23c2d2c67df9cdb2db6db9802939ac1fd

        SHA256

        afc88530560710fa33df62363b4d05ef0400814cdedbf7cd5e13cdee3b5edeed

        SHA512

        8cccd4e92f70b6b3835dec2faf0ba7bcf2457f980b70e1a14d39a5d905b97ed0eafa616ebc457bde3dcbc1d1098a19ceff9983e5d9968192c83b7823c24055dc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\v7shrX5kZY.bat
        Filesize

        186B

        MD5

        f2dbb2f3731c60c2a681f6905e94035d

        SHA1

        a0c012c272353b22abbbcd8c9b39a93beaede3ca

        SHA256

        f10916b3f4d1108678e19d28bd59b387d9cc324bd3b94791631863ddf937c5c1

        SHA512

        152cddd735b5896dc4868660d0175e6562f407cf2862d0c8ae462f108130bcdb441d06c44f347d92dc42c9cf2eac4580e82f24dee7802f49919754bc72efc79f

        Download Submit

      • C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat
        Filesize

        108B

        MD5

        836fc705ac99bb9e9c32457cd334e13e

        SHA1

        ebbb2cfd6a3260e482447d1c7871391ea8c75551

        SHA256

        e0446f377405745b3712c210adeda645441bc9f6b987756b53aa05ed167fbf9c

        SHA512

        ae2915671fee13ce19947eed0733d3de5b462ca8ef55b422259814004cc51df54a1ea58a6659a36a886103e84191f93fee5d7a134a50439a81c856645f88cc90

        Download Submit

      • C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe
        Filesize

        246B

        MD5

        a672021e4678a1cee46a924baa63411c

        SHA1

        c4c27bf73768a3cc97d070e3d560e4f45affe9b4

        SHA256

        65a576bed74898f83fd527be9a715aaac80609066d01e8b16a691c5287bd15b5

        SHA512

        ea08511f0859767abdbc080e7dcbad20bced260cfb2b58ba51cc8d48d544fb36256f56887c25763f25d799fa225674d487d6f5826f835fb8462c0c6441c64b67

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xsqo1j3d\xsqo1j3d.0.cs
        Filesize

        413B

        MD5

        87548f1f12a73897424895b5e6d455a7

        SHA1

        60cad55f416c30a9061660cb1f3e4212fcf3d048

        SHA256

        8490199f20f5274bec95c39316bd66143d4cadf4c2afaafcc29235ab75dcaa18

        SHA512

        a147d9476a4098a62302a371084c84839c7766a774af96ab4167f8d72c06dd521aa67b65560fe60ee6c976c5ba82777b07e51bf18dd1eb051fdb932c728bddf2

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xsqo1j3d\xsqo1j3d.cmdline
        Filesize

        235B

        MD5

        31b77df4be36652925f874a1dca6ae7b

        SHA1

        5a8270d469603d6748cb361a3de55534a98f2830

        SHA256

        594f583f923c01116bfdc134dc32f855aa9abe407f777d7f24d49d0924f61d83

        SHA512

        939cfc0e8305822597a904a11c4ede4763cb4ae68abe61499e00acd5b269253a572231b10035d8155816df3e73ef4f3ba4b10af0298385a2e8e080f265ba5fbc

        Download Submit

      • \??\c:\Windows\System32\CSC7F29F9F5B0D7419F8FD23292E38EA30.TMP
        Filesize

        1KB

        MD5

        167c870490dc33ec13a83ebb533b1bf6

        SHA1

        182378ebfa7c8372a988dee50a7dd6f8cda6a367

        SHA256

        3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

        SHA512

        1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

        Download Submit

      • \bridgeHypercomComponentHost\mscontainerWindll.exe
        Filesize

        1.9MB

        MD5

        5a7bf976e09d1835a65809093075a1bc

        SHA1

        d2de32c02c3d6e79f185b6b5f91e95144ae5a033

        SHA256

        20ea6e36a40896c99a0549118ac01b9508dd72b484050c9b2ce4fb5ac805a950

        SHA512

        60c6f582e29415186d2fef58a469a6bd87e84daf084d8705f09605f331d015abb1a825d06343a797532561915e754015692e745de21c55ed6e52cb5ba47129c6

        Download Submit

      • memory/2008-56-0x0000000000AB0000-0x0000000000C96000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2088-0-0x0000000001030000-0x0000000001426000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2088-8-0x0000000001030000-0x0000000001426000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2988-21-0x00000000002F0000-0x0000000000308000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2988-23-0x00000000002A0000-0x00000000002AE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2988-25-0x00000000002B0000-0x00000000002BC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2988-19-0x00000000002C0000-0x00000000002DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2988-17-0x0000000000280000-0x000000000028E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2988-15-0x0000000000C90000-0x0000000000E76000-memory.dmp

        Filesize

        1.9MB

        Download