Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20241010-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    22-11-2024 14:36

General

  • Target

    FATALITY/loader.exe

  • Size

    3.2MB

  • MD5

    8faa9e2bbcb1f98cb3971b94f9feda41

  • SHA1

    ab03732cdbc58c752057f2dd3c39e164e222476f

  • SHA256

    026825e9ca81fe52b1833a5e2c838336bc645778da89ff5c266c65c9d750a490

  • SHA512

    5a660bddaf58c15503861663d018e3444c40fc9a62cc2953a60e41c78561014db4911d4f1da80f70a492d6ff912765d93e08c3c39fce921580b034dfcc47d358

  • SSDEEP

    98304:fP8sZQDJ8Apc4VDuZc3PT9ejwigyEgKSkzd1kl86:cs6lrDlT9ej7UgKBLy

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
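
The Scheduled Task signatures above are backed by eighteen `schtasks.exe /create` command lines in the process tree of this report. The Python below is an added example written for this page; it is not part of the report or of the sandbox's own signature logic. It parses such command lines as they would appear in Sysmon Event ID 1 or Security 4688 telemetry and scores each task on the traits that make this family stand out: a system-binary file name outside that binary's home directory, a target in a directory where no scheduled EXE belongs, a MINUTE schedule, and `/rl HIGHEST`. The `SYSTEM_BINARY_HOMES` and `STANDARD_ROOTS` tables and the benign `AcmeBackup` line are assumptions made for the example; the other inputs are copied from the process tree.

```python
# Triage schtasks /create command lines (Sysmon Event ID 1 / Security 4688 CommandLine) for the
# DcRat pattern in this report: payload copies named after system binaries, dropped into unrelated
# directories and re-launched every few minutes with the highest run level.
import ntpath
import re

# Assumption for this example: where these system binaries normally live on Windows 7 x64.
SYSTEM_BINARY_HOMES = {name: (r"c:\windows\system32",) for name in ("lsass.exe", "wininit.exe", "sppsvc.exe")}
SYSTEM_BINARY_HOMES["osppsvc.exe"] = (r"c:\program files\common files\microsoft shared\officesoftwareprotectionplatform",
                                      r"c:\program files (x86)\common files\microsoft shared\officesoftwareprotectionplatform")
# Assumption: directories from which a scheduled EXE is unremarkable on its own.
STANDARD_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\program files (x86)")
SWITCH_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)

def _under(directory, root):
    directory, root = directory.lower().rstrip("\\"), root.lower().rstrip("\\")
    return directory == root or directory.startswith(root + "\\")

def _target_path(tr_value):
    # /tr "'C:\dir with spaces\x.exe'" -> C:\dir with spaces\x.exe  (DcRat wraps the path in '...')
    value = tr_value.strip().strip('"').strip().strip("'").strip()
    if value.startswith('"'):                        # "C:\x.exe" arg1 arg2
        return value[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return match.group(1) if match else value

def parse_schtasks(cmdline):
    """Switches of interest from a schtasks /create line; None for any other command."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None
    switches = {k.lower(): v.strip('"') for k, v in SWITCH_RE.findall(cmdline)}
    if "tr" not in switches:
        return None
    return {"name": switches.get("tn", ""),
            "schedule": switches.get("sc", "").lower(),
            "modifier": int(switches["mo"]) if switches.get("mo", "").isdigit() else 1,
            "run_level": switches.get("rl", "").lower(),
            "target": _target_path(switches["tr"])}

def assess(task):
    """Reasons the task deserves analyst attention; an empty list means nothing notable."""
    reasons = []
    directory = ntpath.dirname(task["target"])
    name = ntpath.basename(task["target"]).lower()
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes and not any(_under(directory, home) for home in homes):
        reasons.append(f"masquerades as system binary {name} outside {homes[0]}")
    if not any(_under(directory, root) for root in STANDARD_ROOTS):
        reasons.append(f"target directory {directory} is not a standard install location")
    if task["schedule"] == "minute":
        reasons.append(f"re-runs every {task['modifier']} minute(s)")
    if task["run_level"] == "highest":
        reasons.append("requests highest run level" + (" at every logon" if task["schedule"] == "onlogon" else ""))
    return reasons

def triage(cmdlines):
    """Parsed schtasks /create lines, each with its reasons and a score (= number of reasons)."""
    findings = []
    for line in cmdlines:
        task = parse_schtasks(line.strip())
        if task is not None:
            task["reasons"] = assess(task)
            task["score"] = len(task["reasons"])
            findings.append(task)
    return findings

def group_by_target(findings):
    """Task names per target EXE: DcRat registers one ONLOGON plus two MINUTE tasks per dropped copy."""
    groups = {}
    for task in findings:
        groups.setdefault(task["target"].lower(), []).append(task["name"])
    return groups

# Input: the 18 schtasks lines from this report's process tree, the ping line from the same tree
# (not a schtasks call) and one constructed benign task that should produce no reasons.
SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /f
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 14 /tr "'C:\Windows\system\mscontainerWindll.exe'" /f
schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\Windows\system\mscontainerWindll.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 13 /tr "'C:\Windows\system\mscontainerWindll.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /f
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /f
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 7 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /f
schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 5 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
ping -n 10 localhost
schtasks.exe /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f
""".strip().splitlines()

if __name__ == "__main__":
    for task in sorted(triage(SAMPLE_CMDLINES), key=lambda t: -t["score"]):
        print(f"[{task['score']}] {task['name']:<20} {task['target']}  |  " + "; ".join(task["reasons"]))
    for target, names in group_by_target(triage(SAMPLE_CMDLINES)).items():
        print(f"{len(names)} task(s) -> {target}")
```

Run against the lines from this report, every malicious task scores at least 2 while the constructed benign task scores 0, and `group_by_target` returns six groups of exactly three task names (one ONLOGON task plus two MINUTE tasks per dropped copy), which is the registration pattern to hunt for across a fleet. The `OSPPSVC.exe` entry is the reason the masquerading check keys on a per-binary home directory rather than on System32 alone: the genuine Office Software Protection Platform binary does not live in System32 either, so a System32-only rule would both miss it here and false-positive on the real one.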

Processes

  • C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\bridgeHypercomComponentHost\mscontainerWindll.exe
          "C:\bridgeHypercomComponentHost/mscontainerWindll.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cnh051za\cnh051za.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1084
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFAE.tmp" "c:\Windows\System32\CSCAE7BD4EFF6F648CE9E21A255FEF10F9.TMP"
              6⤵
                PID:2332
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5gX03xxwF7.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:560
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:820
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2000
                • C:\bridgeHypercomComponentHost\mscontainerWindll.exe
                  "C:\bridgeHypercomComponentHost\mscontainerWindll.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2580
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 14 /tr "'C:\Windows\system\mscontainerWindll.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\Windows\system\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 13 /tr "'C:\Windows\system\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 7 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 5 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:972
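
The tree above shows the whole chain in one run: loader.exe writes a .vbe and a .bat, WScript.exe runs the .vbe, cmd.exe runs the .bat, and that starts the dropped mscontainerWindll.exe. The dropped process then compiles C# at runtime through csc.exe (the .cmdline response file under Temp and the cvtres.exe child are the normal by-products of .NET CodeDOM compilation) and later relaunches itself through a second Temp .bat that uses `ping -n 10 localhost` as a sleep of several seconds. The Python below is an added example written for this page, not part of the report or of the sandbox. It rebuilds the tree from (pid, ppid, image, cmdline) records transcribed from the page, with parent PIDs taken from the nesting shown, and implements those three detections over it. `SCRIPT_HOSTS`, `BUILD_TOOLS` and `TRUSTED_ROOTS` are assumptions for the example, and the eighteen schtasks.exe processes are left out because the page records no parent for them.

```python
# Rebuild this report's process tree from (pid, ppid, image, cmdline) records, as an EDR or Sysmon
# Event ID 1 feed would supply them, and flag the three chains the tree shows: script host -> cmd ->
# dropped EXE, runtime C# compilation via csc.exe, and the ping-sleep stub that relaunches the payload.
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}  # assumed benign csc parents
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\microsoft.net",
                 r"c:\program files", r"c:\program files (x86)")  # assumption for this example

def image_name(path):
    return ntpath.basename(path).lower()

def trusted(path):
    directory = ntpath.dirname(path).lower()
    return any(directory == root or directory.startswith(root + "\\") for root in TRUSTED_ROOTS)

class ProcessTree:
    def __init__(self, records):
        self.by_pid = {r["pid"]: r for r in records}
        self.children = {}
        for r in records:
            self.children.setdefault(r["ppid"], []).append(r)

    def parent(self, rec):
        return self.by_pid.get(rec["ppid"])

    def ancestry(self, rec):
        """Records from the outermost known ancestor down to rec itself (cycle-safe)."""
        chain, seen = [rec], {rec["pid"]}
        while (p := self.parent(chain[-1])) is not None and p["pid"] not in seen:
            chain.append(p)
            seen.add(p["pid"])
        return chain[::-1]

    def chain(self, rec):
        return " -> ".join(image_name(r["image"]) for r in self.ancestry(rec))

def find_script_dropper_chains(tree):
    """EXEs run from outside TRUSTED_ROOTS with a script host and cmd.exe among their ancestors."""
    hits = []
    for rec in tree.by_pid.values():
        if trusted(rec["image"]):
            continue
        ancestors = [image_name(r["image"]) for r in tree.ancestry(rec)[:-1]]
        if "cmd.exe" in ancestors and SCRIPT_HOSTS & set(ancestors):
            hits.append((rec["pid"], tree.chain(rec)))
    return hits

def find_runtime_compilation(tree):
    """csc.exe not launched by a build tool, or fed a response file (@...cmdline) from a Temp dir."""
    hits = []
    for rec in tree.by_pid.values():
        if image_name(rec["image"]) != "csc.exe":
            continue
        parent = tree.parent(rec)
        parent_name = image_name(parent["image"]) if parent else "<unknown>"
        temp_rsp = re.search(r'@"?[^"]*\\temp\\[^"]*\.cmdline', rec["cmdline"], re.IGNORECASE) is not None
        if parent_name not in BUILD_TOOLS or temp_rsp:
            hits.append((rec["pid"], parent_name, temp_rsp))
    return hits

def find_ping_sleep_relaunch(tree):
    """cmd.exe running a Temp .bat whose children are 'ping -n N localhost' plus a fresh EXE; returns
    (cmd pid, relaunched image names, whether that image is also an ancestor, i.e. a self-restart)."""
    hits = []
    for rec in tree.by_pid.values():
        if image_name(rec["image"]) != "cmd.exe" or not re.search(r'\\temp\\[^"]*\.bat', rec["cmdline"], re.IGNORECASE):
            continue
        kids = tree.children.get(rec["pid"], [])
        pinged = any(image_name(k["image"]) == "ping.exe" and
                     re.search(r"-n\s+\d+\s+(localhost|127\.0\.0\.1)", k["cmdline"], re.IGNORECASE) for k in kids)
        relaunched = [k for k in kids if image_name(k["image"]) not in {"ping.exe", "chcp.com", "cmd.exe"}]
        if pinged and relaunched:
            ancestor_images = {r["image"].lower() for r in tree.ancestry(rec)[:-1]}
            hits.append((rec["pid"], [image_name(k["image"]) for k in relaunched],
                         any(k["image"].lower() in ancestor_images for k in relaunched)))
    return hits

# Records transcribed from the process tree above; PPIDs follow the nesting shown there.
RECORDS = [dict(pid=p, ppid=pp, image=i, cmdline=c) for p, pp, i, c in [
    (1688, 0, r"C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe", r'"C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"'),
    (1456, 1688, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe"'),
    (2256, 1456, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat" "'),
    (3068, 2256, r"C:\bridgeHypercomComponentHost\mscontainerWindll.exe", r'"C:\bridgeHypercomComponentHost/mscontainerWindll.exe"'),
    (1084, 3068, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cnh051za\cnh051za.cmdline"'),
    (560, 3068, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5gX03xxwF7.bat"'),
    (820, 560, r"C:\Windows\system32\chcp.com", r"chcp 65001"),
    (2000, 560, r"C:\Windows\system32\PING.EXE", r"ping -n 10 localhost"),
    (1364, 560, r"C:\bridgeHypercomComponentHost\mscontainerWindll.exe", r'"C:\bridgeHypercomComponentHost\mscontainerWindll.exe"'),
]]

if __name__ == "__main__":
    tree = ProcessTree(RECORDS)
    print("script-dropper chains:", find_script_dropper_chains(tree))
    print("runtime compilation:  ", find_runtime_compilation(tree))
    print("ping-sleep relaunch:  ", find_ping_sleep_relaunch(tree))
```

On this tree the dropper rule fires twice (PID 3068 and its restarted copy PID 1364, whose ancestry runs loader.exe -> wscript.exe -> cmd.exe -> mscontainerwindll.exe -> cmd.exe -> mscontainerwindll.exe), the compilation rule fires once on csc.exe with a non-build-tool parent and a Temp response file, and the relaunch rule fires once on cmd.exe PID 560 with the restarted image matching an ancestor. The cmd.exe under WScript (PID 2256) is correctly not reported as a relaunch stub: its batch file is not under Temp and it has no ping child.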

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5gX03xxwF7.bat

    Filesize

    180B

    MD5

    c2037147cee66982bad427165f3c6600

    SHA1

    24f6bc863642b15dec1f90794023022cc5a9860a

    SHA256

    7587c5da721ed749f651489724265a80db150d1245948a12e41ca1e299d3cf37

    SHA512

    03b50d01b6ac98bf8963004de59e94cb662edbe1bfc8ba6fb14431d488bb4c423ccb04866f80d2d222cb03c77082ff9b0fa10cab95b48c707f2ed460e8694f5f

  • C:\Users\Admin\AppData\Local\Temp\RESCFAE.tmp

    Filesize

    1KB

    MD5

    1719d0588b0edeec04c9d0383909f062

    SHA1

    1fefba8a3f6a845d24727b6cbca2804a97d2a9b8

    SHA256

    6d358efa81fb6395e7c219f654415b2689f010b1fc20c06bafb74c8e1e720a3b

    SHA512

    c50f990ae5291ddce341a6face196d81268e009b8d8f7cf871ac7d8293c5a189fe808c113a2c83e881bc5c9dc1c050a6d9b9848c0e18f30dc67fcb772d260825

  • C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat

    Filesize

    108B

    MD5

    836fc705ac99bb9e9c32457cd334e13e

    SHA1

    ebbb2cfd6a3260e482447d1c7871391ea8c75551

    SHA256

    e0446f377405745b3712c210adeda645441bc9f6b987756b53aa05ed167fbf9c

    SHA512

    ae2915671fee13ce19947eed0733d3de5b462ca8ef55b422259814004cc51df54a1ea58a6659a36a886103e84191f93fee5d7a134a50439a81c856645f88cc90

  • C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe

    Filesize

    246B

    MD5

    a672021e4678a1cee46a924baa63411c

    SHA1

    c4c27bf73768a3cc97d070e3d560e4f45affe9b4

    SHA256

    65a576bed74898f83fd527be9a715aaac80609066d01e8b16a691c5287bd15b5

    SHA512

    ea08511f0859767abdbc080e7dcbad20bced260cfb2b58ba51cc8d48d544fb36256f56887c25763f25d799fa225674d487d6f5826f835fb8462c0c6441c64b67

  • \??\c:\Users\Admin\AppData\Local\Temp\cnh051za\cnh051za.0.cs

    Filesize

    409B

    MD5

    aa89f26cd8e9e7798db611f28c798c62

    SHA1

    96eef146f2e5089053295a7bd74bf95cd3b3c4ce

    SHA256

    ba5e994ea49c714b8965ec512747ffe7dd212fff756938bc4f789438ce4bedb9

    SHA512

    a6896749a589bf5b70599cd69940e6833f9c2beb8df856dc845e94e5a0c75d9705731090d39205aeee2fe9f25b5a71fc4f9033236fb76c5b7bf176f1274b2fa2

  • \??\c:\Users\Admin\AppData\Local\Temp\cnh051za\cnh051za.cmdline

    Filesize

    235B

    MD5

    d2504f85dda85f2ac2d9bd2452dc4f7e

    SHA1

    42c51d5ca55575a060644a0d8f5566cf017a141d

    SHA256

    ed9fcd9f2df66394488f2da285752e72adbd69f0957ec09a124e461cb87a3498

    SHA512

    d331e17771952e961597085fb64435bb3a8d93eb56dd639bef5c6d4cc6687eacd4e4e8f5d219db49926b3d7e2ace251b95993316b5f1084e4a7a81ca70db0a41

  • \??\c:\Windows\System32\CSCAE7BD4EFF6F648CE9E21A255FEF10F9.TMP

    Filesize

    1KB

    MD5

    60a1ebb8f840aad127346a607d80fc19

    SHA1

    c8b7e9ad601ac19ab90b3e36f811960e8badf354

    SHA256

    9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

    SHA512

    44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

  • \bridgeHypercomComponentHost\mscontainerWindll.exe

    Filesize

    1.9MB

    MD5

    5a7bf976e09d1835a65809093075a1bc

    SHA1

    d2de32c02c3d6e79f185b6b5f91e95144ae5a033

    SHA256

    20ea6e36a40896c99a0549118ac01b9508dd72b484050c9b2ce4fb5ac805a950

    SHA512

    60c6f582e29415186d2fef58a469a6bd87e84daf084d8705f09605f331d015abb1a825d06343a797532561915e754015692e745de21c55ed6e52cb5ba47129c6

  • memory/1364-56-0x0000000000050000-0x0000000000236000-memory.dmp

    Filesize

    1.9MB

  • memory/1688-0-0x0000000000DD0000-0x00000000011C6000-memory.dmp

    Filesize

    4.0MB

  • memory/1688-9-0x0000000000DD0000-0x00000000011C6000-memory.dmp

    Filesize

    4.0MB

  • memory/3068-22-0x0000000000C00000-0x0000000000C18000-memory.dmp

    Filesize

    96KB

  • memory/3068-24-0x0000000000490000-0x000000000049E000-memory.dmp

    Filesize

    56KB

  • memory/3068-26-0x0000000000620000-0x000000000062C000-memory.dmp

    Filesize

    48KB

  • memory/3068-20-0x0000000000640000-0x000000000065C000-memory.dmp

    Filesize

    112KB

  • memory/3068-18-0x0000000000480000-0x000000000048E000-memory.dmp

    Filesize

    56KB

  • memory/3068-16-0x0000000000E10000-0x0000000000FF6000-memory.dmp

    Filesize

    1.9MB