Overview

overview

10

Static

static

3

2308c316e3...a9.exe

windows7-x64

10

2308c316e3...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe

  • Size

    1.9MB

  • MD5

    8fdbd9a0a9390964373271dd09b991ba

  • SHA1

    78a4d4c43b894a8227b25be8f61f7aa6b8315ab7

  • SHA256

    2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9

  • SHA512

    76a6e750adc8c888bea717bdbb74dad5fe10c1688e1e87a9cb9dfb7caf4e4c5cdd9b9f34ef5aa7577f92bf1349797b04a5edac64c772489cd316d5e71ea9291c

  • SSDEEP

    49152:IBJeP7Q9KggbDv7jsn3JzB6lR6jA+knZY5U:yQPihgvs3JzB6lR6jA+k5

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe
    "C:\Users\Admin\AppData\Local\Temp\2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\FontCommonsvc\HyAeUGe8evX8YGRPELkMfoiMVhm6j.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\FontCommonsvc\SvhwgsASCbJysKpoNvm.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\FontCommonsvc\Reviewperf.exe
          "C:\FontCommonsvc/Reviewperf.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2056
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kgcw0i2q\kgcw0i2q.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES247B.tmp" "c:\Windows\System32\CSC8E1F2A1AF7684DF6845F12B868852F7E.TMP"
              6⤵
                PID:880
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XF40ZPAh2W.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3496
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1396
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3584
                • C:\Windows\Microsoft.NET\MoUsoCoreWorker.exe
                  "C:\Windows\Microsoft.NET\MoUsoCoreWorker.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\MoUsoCoreWorker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:64
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\MoUsoCoreWorker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4196
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\MoUsoCoreWorker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\Registry.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\sysmon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4448
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ReviewperfR" /sc MINUTE /mo 5 /tr "'C:\FontCommonsvc\Reviewperf.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Reviewperf" /sc ONLOGON /tr "'C:\FontCommonsvc\Reviewperf.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ReviewperfR" /sc MINUTE /mo 5 /tr "'C:\FontCommonsvc\Reviewperf.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4660

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\FontCommonsvc\HyAeUGe8evX8YGRPELkMfoiMVhm6j.vbe
        Filesize

        211B

        MD5

        a9a1f7a6b92fba89e3834e2c873adfc4

        SHA1

        772ef9dc691f442e7466668d82db391cdb82b21f

        SHA256

        ffdb923e18a1fb4bc92a8b470a53687b1bf2d639fca4c44ee164a61b24f62665

        SHA512

        c43befd0cd7c3e73fd4539c117819c8634c0c0dc7e89f8fc8ba657d70455aadc1cc06cdfe3a8c4277441a7d48bc260750f3ad16aaca313c09983f6b13177e365

        Download Submit

      • C:\FontCommonsvc\Reviewperf.exe
        Filesize

        1.6MB

        MD5

        571b27201bee78cb5f6adf331098cd85

        SHA1

        8dfb42a7283a61c48fdd0b8ef47e3da2a7f083c6

        SHA256

        401acf64eff7490635859451768f1fb1f2b4198825b210207e0d7b5b619fb052

        SHA512

        a3a7d3bd713b90bbda9350c71c3a08ad7e41acd943f361864a85fcd7b13165b9ccf9635a2d7fc839b2ecbd5751371edc9279f04573028f9c9b988c2cc473ccb5

        Download Submit

      • C:\FontCommonsvc\SvhwgsASCbJysKpoNvm.bat
        Filesize

        92B

        MD5

        7322619f7c34f49e39fd2100b8daaa0f

        SHA1

        de93f7e7ab723964e43a45eea808f8524351cd95

        SHA256

        9f060c6e3fd3bf28f66875ae0c59697d6eafd5b59ed86915f2da227b9177652d

        SHA512

        69b47c3d08aad08308719a215014340e4e60cde09459f8ecb5cce0e6aca7a69d23f4d438609869d317173c6db274180ebc21ccdf8f8280bd8d11a22d3991d92e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES247B.tmp
        Filesize

        1KB

        MD5

        7752bbc1a2ab269f1ecb429f78377493

        SHA1

        3764b702018940593d5c26c9d4fc43c818cbc0b6

        SHA256

        7de810f7b3a5b71aefc5f9544ac6a622f5f5e2445bcd65d18645712215565665

        SHA512

        3c419285db4e41b89ece4bf77deb208fe227244c8e7b6b483764d847449d9757d9ebc4b5a967a0e470634ef9951c21185a4807437478fa30f2ce5142233462ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XF40ZPAh2W.bat
        Filesize

        172B

        MD5

        7ddaf7ef7be5e48cccfab0196d9770ac

        SHA1

        0e513a61433c71968f9505bf9d00d513adf9ed35

        SHA256

        0e5c0abb779af1947eaf98c253c48703af4687ef8aad77602bca5da0106f0de7

        SHA512

        1ce7a39177ebd8ffae53f58631b163ae73d53ffbe1822efdb4c405a0a55e12646126e2af347991cc4c4063b0cbcb8eda59c0edce3e625d0d7de62fb12262d2c8

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kgcw0i2q\kgcw0i2q.0.cs
        Filesize

        376B

        MD5

        1226b0d89c87063bd55c815259aae840

        SHA1

        15eb9cb6603e5ec21058eafd11c9715291f50a8e

        SHA256

        4347e1a1c76443790ea6c9b137590405a162c4f8b555775bad8453043980d5be

        SHA512

        c1f49ff5712577b773fa6d1f627451bf7479cd707eae771dc26d522341eb99dc3ceaa588adcaae7f55a9f011caafc8bb908dc2d01eab626f43659c42e5461362

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kgcw0i2q\kgcw0i2q.cmdline
        Filesize

        235B

        MD5

        e3f1af2109ae96685e634c163c1eccf3

        SHA1

        540e60796e6dfc504a276a2bf4c48e3293688947

        SHA256

        bfeec0a4c7a4dcf8215d18b377d1cc1bdfa99b33f9a19e69c669c2171c9b9055

        SHA512

        19836ffe35f71666d3c48f68a861d4026877595e7e0bd8f3e7dd375f343a05c593011058e35cd158122458d24aab34de3adcdfc0c3599cb26f8fbaa1280bb834

        Download Submit

      • \??\c:\Windows\System32\CSC8E1F2A1AF7684DF6845F12B868852F7E.TMP
        Filesize

        1KB

        MD5

        ad61927912f86c7c9f1e72720f4ef0ef

        SHA1

        dbb61d9d5c7310c85716fe9f445fee2151cef437

        SHA256

        bf2696fc2183af293d74c988add5772c1c7257c2e85ae754e43cbe0e1d105a1e

        SHA512

        33b6f9f93672bd0ecb68e553de0ce92dd6b773c62da7721c9544171df7de8b8588e9ba42e13836db5d5ffc078ca656993f8d06a857dda5a27e1d639d5a6fb3ee

        Download Submit

      • memory/2056-12-0x00007FF8464F3000-0x00007FF8464F5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2056-13-0x0000000000AA0000-0x0000000000C42000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2056-15-0x0000000002CD0000-0x0000000002CDE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2056-44-0x000000001C2D0000-0x000000001C479000-memory.dmp

        Filesize

        1.7MB

        Download