Overview

overview

10

Static

static

3

FATALITY/loader.exe

windows7-x64

10

FATALITY/loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    19s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FATALITY/loader.exe

  • Size

    3.2MB

  • MD5

    8faa9e2bbcb1f98cb3971b94f9feda41

  • SHA1

    ab03732cdbc58c752057f2dd3c39e164e222476f

  • SHA256

    026825e9ca81fe52b1833a5e2c838336bc645778da89ff5c266c65c9d750a490

  • SHA512

    5a660bddaf58c15503861663d018e3444c40fc9a62cc2953a60e41c78561014db4911d4f1da80f70a492d6ff912765d93e08c3c39fce921580b034dfcc47d358

  • SSDEEP

    98304:fP8sZQDJ8Apc4VDuZc3PT9ejwigyEgKSkzd1kl86:cs6lrDlT9ej7UgKBLy

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\bridgeHypercomComponentHost\mscontainerWindll.exe
          "C:\bridgeHypercomComponentHost/mscontainerWindll.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5bonstol\5bonstol.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC796.tmp" "c:\Windows\System32\CSCEC7957771D274767BF33649D3E59E2B.TMP"
              6⤵
                PID:928
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPCORZ9Awj.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:5040
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:920
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:992
                • C:\Recovery\WindowsRE\spoolsv.exe
                  "C:\Recovery\WindowsRE\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Pictures\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2096
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 5 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 5 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4612

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESC796.tmp
        Filesize

        1KB

        MD5

        674e89707322736d2d608ddf031cf470

        SHA1

        1dc639ddbd943a5811f134099dbc4a4a1d0ad1ba

        SHA256

        40ed3e7032d626409ebeb5070285550f8eca17f60bbcb21857873a4fcd39cf9f

        SHA512

        22ec28d9e31b51a8fab285edee896a52b723f12e5fa93d242d12131bcb633fcd6b162cb2cabdb9356c3a6d23feb7ec6cb44a85f61a1759f923a021802226f3b2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gPCORZ9Awj.bat
        Filesize

        161B

        MD5

        02147e3e6e7adaa2b1eef17a98724ba4

        SHA1

        5fa48aff627bb286a7ba3d52c09da7150b253823

        SHA256

        533f0c7aba221f03710b24ac667f0c267676df6181b61f0ccdf47b6e7a8ada5a

        SHA512

        88ba076b778058537c7e12b9fada50b34bb4221124d4a1c58580395dde6cd0a236b887e7e558bea9b5863bdbc5225f1ade29c1f8cede106f18ec494f82cd450b

        Download Submit

      • C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat
        Filesize

        108B

        MD5

        836fc705ac99bb9e9c32457cd334e13e

        SHA1

        ebbb2cfd6a3260e482447d1c7871391ea8c75551

        SHA256

        e0446f377405745b3712c210adeda645441bc9f6b987756b53aa05ed167fbf9c

        SHA512

        ae2915671fee13ce19947eed0733d3de5b462ca8ef55b422259814004cc51df54a1ea58a6659a36a886103e84191f93fee5d7a134a50439a81c856645f88cc90

        Download Submit

      • C:\bridgeHypercomComponentHost\mscontainerWindll.exe
        Filesize

        1.9MB

        MD5

        5a7bf976e09d1835a65809093075a1bc

        SHA1

        d2de32c02c3d6e79f185b6b5f91e95144ae5a033

        SHA256

        20ea6e36a40896c99a0549118ac01b9508dd72b484050c9b2ce4fb5ac805a950

        SHA512

        60c6f582e29415186d2fef58a469a6bd87e84daf084d8705f09605f331d015abb1a825d06343a797532561915e754015692e745de21c55ed6e52cb5ba47129c6

        Download Submit

      • C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe
        Filesize

        246B

        MD5

        a672021e4678a1cee46a924baa63411c

        SHA1

        c4c27bf73768a3cc97d070e3d560e4f45affe9b4

        SHA256

        65a576bed74898f83fd527be9a715aaac80609066d01e8b16a691c5287bd15b5

        SHA512

        ea08511f0859767abdbc080e7dcbad20bced260cfb2b58ba51cc8d48d544fb36256f56887c25763f25d799fa225674d487d6f5826f835fb8462c0c6441c64b67

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\5bonstol\5bonstol.0.cs
        Filesize

        365B

        MD5

        e6c3263e9ef34545b0f4b6062c294536

        SHA1

        b30b36bb6c731c76cc2298c387f65335cacc8a3f

        SHA256

        523e8df12e16162a11fbc829c72cb2cd274570e3543fca906ffb39010628c355

        SHA512

        0510904e7c08e3a82ace1a882e7981c9f28d08412a9f41885139dee24030088861ff15a00caf166f86c93036cdffb3fff47bc7be012961dc55130f5e74e73ee6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\5bonstol\5bonstol.cmdline
        Filesize

        235B

        MD5

        328d140e41f9174801550bd48f282741

        SHA1

        290978c6149215ff3a84c6154a647975ddd13b66

        SHA256

        55a0b5878076ec14c058f553f4d4778906089294eece805c1017548e94158453

        SHA512

        2b992dd74f55441f8564037114c95779e63e6bf5f4bb8cdfc7a5b68532e69a742e798b276029675801deda0062e32cf5b65ab389c57500abbd84fb40191995ba

        Download Submit

      • \??\c:\Windows\System32\CSCEC7957771D274767BF33649D3E59E2B.TMP
        Filesize

        1KB

        MD5

        5984679060d0fc54eba47cead995f65a

        SHA1

        f72bbbba060ac80ac6abedc7b8679e8963f63ebf

        SHA256

        4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

        SHA512

        bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

        Download Submit

      • memory/1588-20-0x00000000024A0000-0x00000000024BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1588-21-0x000000001B000000-0x000000001B050000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1588-23-0x00000000024C0000-0x00000000024D8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1588-25-0x0000000000C70000-0x0000000000C7E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1588-27-0x0000000000C80000-0x0000000000C8C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1588-18-0x0000000000C50000-0x0000000000C5E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1588-16-0x0000000000150000-0x0000000000336000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1588-15-0x00007FFD37573000-0x00007FFD37575000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2652-0-0x0000000001000000-0x00000000013F6000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2652-10-0x0000000001000000-0x00000000013F6000-memory.dmp

        Filesize

        4.0MB

        Download