Overview

overview

10

Static

static

10

94620a7635...c7.exe

windows7-x64

10

94620a7635...c7.exe

windows10-2004-x64

10

Discordrat.exe

windows7-x64

10

Discordrat.exe

windows10-2004-x64

10

F4620C0AFA...F5.exe

windows7-x64

10

F4620C0AFA...F5.exe

windows10-2004-x64

10

a2bc9b467f...23.exe

windows7-x64

10

a2bc9b467f...23.exe

windows10-2004-x64

10

unturnedHack.exe

windows7-x64

10

unturnedHack.exe

windows10-2004-x64

10

Resubmissions

24-11-2024 19:42

241124-yexs5s1rgq 10

24-11-2024 09:24

241124-lc6xtatmay 10

Analysis

  • max time kernel
    300s
  • max time network
    298s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    F4620C0AFA8E21897509B2E7215097F5.exe

  • Size

    2.1MB

  • MD5

    f4620c0afa8e21897509b2e7215097f5

  • SHA1

    af216ca6105e271a3fb45a23c10ee7cf3158b7e1

  • SHA256

    8daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82

  • SHA512

    68b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd

  • SSDEEP

    49152:IBJz3c6UY0hj8eu32ILwfhNE5I6OrLCXLdsN6:yh3cvY0Z8pGWwfhyxOrUsN6

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\F4620C0AFA8E21897509B2E7215097F5.exe
    "C:\Users\Admin\AppData\Local\Temp\F4620C0AFA8E21897509B2E7215097F5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Medal\Medal.exe
          "C:\Medal/Medal.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2jmdNfjHc3.bat"
            5⤵
              PID:5016
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:452
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4656
                • C:\Recovery\WindowsRE\WmiPrvSE.exe
                  "C:\Recovery\WindowsRE\WmiPrvSE.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellExperiences\MoUsoCoreWorker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\MoUsoCoreWorker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellExperiences\MoUsoCoreWorker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3568
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\SettingSync\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1264
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\SettingSync\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 6 /tr "'C:\Medal\Medal.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 13 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3908
      • C:\Windows\Logs\SettingSync\Idle.exe
        C:\Windows\Logs\SettingSync\Idle.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat
        Filesize

        63B

        MD5

        e24619181276af563705f4b1bed29490

        SHA1

        fddac27290319f69543f5330fe97c122a8a01376

        SHA256

        eee937e02edcd36de3ed7658c9ad9d79844502c8553a7c244b2b154aa9ffec05

        SHA512

        1898a5e2a52f2f34466dfd9e1b1149b36052874b6be432dd9301ecfa6bc3a964dca6980b8db54ddcf8ef24a95792efcaffeb09aceb7a04304a0d18f4d0ce0591

        Download Submit

      • C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe
        Filesize

        224B

        MD5

        96d43070e1e39d421c53a2f8dca13fc6

        SHA1

        07417cccceddbf8d5f5b48dec0b2e08d53a4754f

        SHA256

        0dab986e5c533631946e27cdbb5147e68b9eb3008c1add60d21a59cd7d964314

        SHA512

        9fc0ee5ac42bca7c7ee7584baa5be6907fc750378d037d56e075a21c4fe8eaeb3efac3e9fb6087a70a6ad01dcebf05d2462f2463daa8063b4047c11e5364d398

        Download Submit

      • C:\Medal\Medal.exe
        Filesize

        1.8MB

        MD5

        4f66bbfed3a524398bd0267ed974ccbc

        SHA1

        b2567397dc823412d87a23428c7833ff74586b7d

        SHA256

        fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

        SHA512

        bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

        Download Submit

      • memory/1136-13-0x0000000000DF0000-0x0000000000FCE000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1136-12-0x00007FFE57413000-0x00007FFE57415000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1136-15-0x00000000032B0000-0x00000000032BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1136-17-0x000000001BD10000-0x000000001BD2C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1136-20-0x000000001C040000-0x000000001C058000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1136-22-0x00000000032C0000-0x00000000032CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1136-18-0x000000001C090000-0x000000001C0E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1136-39-0x000000001C720000-0x000000001C8C9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2924-46-0x0000000001050000-0x0000000001058000-memory.dmp

        Filesize

        32KB

        Download