Overview

overview

10

Static

static

3

cheeto.exe

windows10-ltsc 2021-x64

10

Resubmissions

01-12-2024 22:52

241201-2tegws1lcl 10

01-12-2024 22:34

241201-2hapkavpfv 10

Analysis

  • max time kernel
    12s
  • max time network
    14s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    01-12-2024 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cheeto.exe

  • Size

    1.8MB

  • MD5

    42b89874d3138f40f32285be945f2ceb

  • SHA1

    1766b4c4a040ba19afc4318e9b2eab775fee88d7

  • SHA256

    619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

  • SHA512

    df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

  • SSDEEP

    49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheeto.exe
    "C:\Users\Admin\AppData\Local\Temp\cheeto.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IRkZifsV0Y.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3944
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2176
        • C:\Program Files (x86)\Google\Update\sysmon.exe
          "C:\Program Files (x86)\Google\Update\sysmon.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\ja-JP\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\ja-JP\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cheetoc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\cheeto.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cheeto" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\cheeto.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cheetoc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\cheeto.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\sysmon.exe
      Filesize

      1.8MB

      MD5

      42b89874d3138f40f32285be945f2ceb

      SHA1

      1766b4c4a040ba19afc4318e9b2eab775fee88d7

      SHA256

      619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

      SHA512

      df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IRkZifsV0Y.bat
      Filesize

      175B

      MD5

      ce848ecfae7b192f54a8d8e04183aec3

      SHA1

      9a87837d657e70601d48dc71a0b0b43b4ea3c371

      SHA256

      19a9f0851a8c75bcb17f7653e8e644cfbe285ee296f8bf868f317b8fcd8e31a1

      SHA512

      6411cce9c65204dc4c391a426ed20063151765e342bb7748c70ef93da38e5540e4fb42e99ae6ca227bc6ee1c60e8792702594dd28e5be03270b53914ea2afee8

      Download Submit

    • memory/3456-10-0x00007FFD53A50000-0x00007FFD54512000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-11-0x000000001C040000-0x000000001C090000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3456-4-0x00007FFD53A50000-0x00007FFD54512000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-6-0x00000000019B0000-0x00000000019BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3456-7-0x00007FFD53A50000-0x00007FFD54512000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-9-0x000000001BFD0000-0x000000001BFEC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3456-0-0x00007FFD53A53000-0x00007FFD53A55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3456-3-0x00007FFD53A50000-0x00007FFD54512000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-13-0x000000001BFF0000-0x000000001C008000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3456-14-0x00007FFD53A50000-0x00007FFD54512000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-21-0x00007FFD53A50000-0x00007FFD54512000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-2-0x00007FFD53A50000-0x00007FFD54512000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-30-0x00007FFD53A50000-0x00007FFD54512000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-1-0x0000000000EC0000-0x0000000001092000-memory.dmp

      Filesize

      1.8MB

      Download