Overview

overview

10

Static

static

3

2308c316e3...a9.exe

windows7-x64

10

2308c316e3...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe

  • Size

    1.9MB

  • MD5

    8fdbd9a0a9390964373271dd09b991ba

  • SHA1

    78a4d4c43b894a8227b25be8f61f7aa6b8315ab7

  • SHA256

    2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9

  • SHA512

    76a6e750adc8c888bea717bdbb74dad5fe10c1688e1e87a9cb9dfb7caf4e4c5cdd9b9f34ef5aa7577f92bf1349797b04a5edac64c772489cd316d5e71ea9291c

  • SSDEEP

    49152:IBJeP7Q9KggbDv7jsn3JzB6lR6jA+knZY5U:yQPihgvs3JzB6lR6jA+k5

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe
    "C:\Users\Admin\AppData\Local\Temp\2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\FontCommonsvc\HyAeUGe8evX8YGRPELkMfoiMVhm6j.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\FontCommonsvc\SvhwgsASCbJysKpoNvm.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\FontCommonsvc\Reviewperf.exe
          "C:\FontCommonsvc/Reviewperf.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1t4oovjt\1t4oovjt.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:936
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26AD.tmp" "c:\Windows\System32\CSC56D44F7A5D294DF09912DACC2A3281B0.TMP"
              6⤵
                PID:2052
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dQDKDOmC6G.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4108
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4292
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4384
                • C:\Recovery\WindowsRE\unsecapp.exe
                  "C:\Recovery\WindowsRE\unsecapp.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4244
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4352
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3236
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\FontCommonsvc\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\FontCommonsvc\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\FontCommonsvc\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ReviewperfR" /sc MINUTE /mo 5 /tr "'C:\FontCommonsvc\Reviewperf.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Reviewperf" /sc ONLOGON /tr "'C:\FontCommonsvc\Reviewperf.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2096
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ReviewperfR" /sc MINUTE /mo 10 /tr "'C:\FontCommonsvc\Reviewperf.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4428

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\FontCommonsvc\HyAeUGe8evX8YGRPELkMfoiMVhm6j.vbe
        Filesize

        211B

        MD5

        a9a1f7a6b92fba89e3834e2c873adfc4

        SHA1

        772ef9dc691f442e7466668d82db391cdb82b21f

        SHA256

        ffdb923e18a1fb4bc92a8b470a53687b1bf2d639fca4c44ee164a61b24f62665

        SHA512

        c43befd0cd7c3e73fd4539c117819c8634c0c0dc7e89f8fc8ba657d70455aadc1cc06cdfe3a8c4277441a7d48bc260750f3ad16aaca313c09983f6b13177e365

        Download Submit

      • C:\FontCommonsvc\Reviewperf.exe
        Filesize

        1.6MB

        MD5

        571b27201bee78cb5f6adf331098cd85

        SHA1

        8dfb42a7283a61c48fdd0b8ef47e3da2a7f083c6

        SHA256

        401acf64eff7490635859451768f1fb1f2b4198825b210207e0d7b5b619fb052

        SHA512

        a3a7d3bd713b90bbda9350c71c3a08ad7e41acd943f361864a85fcd7b13165b9ccf9635a2d7fc839b2ecbd5751371edc9279f04573028f9c9b988c2cc473ccb5

        Download Submit

      • C:\FontCommonsvc\SvhwgsASCbJysKpoNvm.bat
        Filesize

        92B

        MD5

        7322619f7c34f49e39fd2100b8daaa0f

        SHA1

        de93f7e7ab723964e43a45eea808f8524351cd95

        SHA256

        9f060c6e3fd3bf28f66875ae0c59697d6eafd5b59ed86915f2da227b9177652d

        SHA512

        69b47c3d08aad08308719a215014340e4e60cde09459f8ecb5cce0e6aca7a69d23f4d438609869d317173c6db274180ebc21ccdf8f8280bd8d11a22d3991d92e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES26AD.tmp
        Filesize

        1KB

        MD5

        010e0d976a11de1a7826f1b9e076fd49

        SHA1

        dddc696c0327c84e7faccf629a6b0a37ab14f04e

        SHA256

        4eba65078d1ec38c06643402e0393e36824aa309d8fe853508c75a1d3cec18fa

        SHA512

        340bf3e1fa950fa8be0694c7ec79882ae453bdf19c047936ea7a47b64850ec9c0e06af7926455281e2186ca36b78eb8a707cf55b6212e85be11533cdbcc3e9f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\dQDKDOmC6G.bat
        Filesize

        162B

        MD5

        087e5c44c83d6f9c902e873301c1a006

        SHA1

        cf4389aab6b41474d0253f073c0aa9252700cf12

        SHA256

        a3ab6b229059eda929e692f8122ed1c9e085a47de58e93e91801cda240913ebb

        SHA512

        597f4124fcca084520a85b6e66c90c5b47ff88f13c9d6ca62327d3ff6a7c92d194911f678f3bfcf47b584f7961c52d28b48dd78b7739e61709bd43945afb2918

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\1t4oovjt\1t4oovjt.0.cs
        Filesize

        370B

        MD5

        2fe43c07bc8025cbcd61f34babd3fc3b

        SHA1

        6092fa1690a65953a3d297938241373e1f06300f

        SHA256

        db52059984cd8d2b36f3783f70021b328f9e609db8625375fe5fec6320ad5b00

        SHA512

        f42ff2381d565e771523749b52e1558ce29f41c091aec819ace44f9fc34cf7ac95963a845f4b11b8f4f741f8452fcaf1a66fef2666945892df92427537813312

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\1t4oovjt\1t4oovjt.cmdline
        Filesize

        235B

        MD5

        76176d562faeaf613db05d23c495cd43

        SHA1

        d37993fd98bedd4667e3dd15a040f95c5201882b

        SHA256

        fc2d75c75ad8cd5725080a3926578101d7cb909d5f5ecab0bb0a756b1bdf89e3

        SHA512

        223a3a06b26226246515070f141d5be6b833b90232fe94ce786017dec3bcb97d67057499af1f4aa2814569a446e09ae47696ad120547c8c17eefcfec72c82e4e

        Download Submit

      • \??\c:\Windows\System32\CSC56D44F7A5D294DF09912DACC2A3281B0.TMP
        Filesize

        1KB

        MD5

        ad61927912f86c7c9f1e72720f4ef0ef

        SHA1

        dbb61d9d5c7310c85716fe9f445fee2151cef437

        SHA256

        bf2696fc2183af293d74c988add5772c1c7257c2e85ae754e43cbe0e1d105a1e

        SHA512

        33b6f9f93672bd0ecb68e553de0ce92dd6b773c62da7721c9544171df7de8b8588e9ba42e13836db5d5ffc078ca656993f8d06a857dda5a27e1d639d5a6fb3ee

        Download Submit

      • memory/2760-12-0x00007FFD8C5D3000-0x00007FFD8C5D5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2760-13-0x0000000000A60000-0x0000000000C02000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2760-15-0x0000000002CD0000-0x0000000002CDE000-memory.dmp

        Filesize

        56KB

        Download