Analysis

  • max time kernel
    155s
  • max time network
    279s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    04-12-2024 23:45

General

  • Target

    nnneeeewww.exe

  • Size

    5.2MB

  • MD5

    360bb48ef6acca7233580b6cb8b6a3a9

  • SHA1

    baf21bee8e1ec86b4e0b99a19ff869d3be8de292

  • SHA256

    c68964901508a7967bb32907bab8e273717e01d0c3195318a0fb6b0032157632

  • SHA512

    0380b0d64c18c42123838bf40aa75c8145a9a7b44bb3578d5e8e86870fee8ff70da5f07edbd13ceb8060388b5d94a39cd12df927a138115e4c9cf2ea45da9d48

  • SSDEEP

    98304:B7ITYiOxf286tRJkCNFoPqkk9RbXUyH5/B1YIe39eyJOkyYjufmS:BkTQx/6XKyFmq7RjH5//YIeoyJOkysul

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the host's geographical location.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe
    "C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4872
        • C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe
          jaQVQp40C9Rgjj5Fe8OA.exe -p73efbcbe560b284fb9498be6d6b28e842ea7f493
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe"
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:228
              • C:\commoncrt\crtperf.exe
                "C:\commoncrt\crtperf.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4528
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\TrustedInstaller.exe'" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:3124
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4052
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\OEM\smss.exe'" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2680
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\ProgramData\ssh\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4748
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Recent\explorer.exe'" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:524
                • C:\Users\Admin\Recent\explorer.exe
                  "C:\Users\Admin\Recent\explorer.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2852
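
The persistence step in this tree is the part a defender can most directly turn into detection logic: crtperf.exe issues five schtasks /create calls, each named after a Windows binary (TrustedInstaller, sihost, smss, StartMenuExperienceHost, explorer) but pointing at a copy dropped outside C:\Windows, all set to run ONLOGON with /rl HIGHEST and /f. The stages before it are a repeated WScript -> cmd -> dropped-EXE chain run out of a new root-level directory, C:\commoncrt. The example below is added here and is not part of the sandbox report or of the sample; it replays the tree above as constructed process-creation records (pid, parent pid, image path, command line) and runs two checks over them: a scheduled-task masquerade check and a script-host dropper-chain check. WINDOWS_BINARIES is a partial, hand-picked list, the extra "MyBackup" record is a constructed benign control, and all helper names are this example's own.

```python
"""Two detections over process-creation records, modelled on the tree above.
Sample records are transcribed from that tree (plus one constructed benign
control); the field layout and helper functions are this example's own."""
import re
from pathlib import PureWindowsPath

# (pid, parent pid, image path, command line) -- constructed from the report's tree.
EVENTS = [
    (3416, 0, r"C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe", r'"C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe"'),
    (4964, 3416, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe"'),
    (4872, 4964, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat" "'),
    (2504, 4872, r"C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe", r"jaQVQp40C9Rgjj5Fe8OA.exe -p73efbcbe560b284fb9498be6d6b28e842ea7f493"),
    (3712, 2504, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe"'),
    (228, 3712, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat" "'),
    (4528, 228, r"C:\commoncrt\crtperf.exe", r'"C:\commoncrt\crtperf.exe"'),
    (3124, 4528, r"C:\Windows\SYSTEM32\schtasks.exe", r'''"schtasks" /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\TrustedInstaller.exe'" /rl HIGHEST /f'''),
    (4052, 4528, r"C:\Windows\SYSTEM32\schtasks.exe", r'''"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /rl HIGHEST /f'''),
    (2680, 4528, r"C:\Windows\SYSTEM32\schtasks.exe", r'''"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\OEM\smss.exe'" /rl HIGHEST /f'''),
    (4748, 4528, r"C:\Windows\SYSTEM32\schtasks.exe", r'''"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\ProgramData\ssh\StartMenuExperienceHost.exe'" /rl HIGHEST /f'''),
    (524, 4528, r"C:\Windows\SYSTEM32\schtasks.exe", r'''"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Recent\explorer.exe'" /rl HIGHEST /f'''),
    (2852, 4528, r"C:\Users\Admin\Recent\explorer.exe", r'"C:\Users\Admin\Recent\explorer.exe"'),
    # Constructed benign control: a normal task that must NOT be flagged.
    (9001, 9000, r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn "MyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
]

# Partial, hand-picked list of Windows binary names commonly borrowed for masquerading (assumption).
WINDOWS_BINARIES = {"trustedinstaller", "sihost", "smss", "explorer", "startmenuexperiencehost",
                    "svchost", "csrss", "lsass", "winlogon", "dwm", "runtimebroker", "taskhostw"}
SCRIPT_HOSTS = {"wscript", "cscript"}
SCRIPT_EXT = {".vbe", ".vbs", ".js", ".jse", ".wsf"}

TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted chunk or bare word
WIN_PATH = re.compile(r"""[A-Za-z]:\\[^"']+?\.[A-Za-z0-9]{1,4}(?=["'\s]|$)""")  # drive-letter paths


def tokens(cmdline):
    """Split a Windows command line, dropping the outer "..." and '...' quoting."""
    return [t.strip('"').strip("'") for t in TOKEN.findall(cmdline)]


def is_under_windows(path):
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[0].endswith(":\\") and parts[1].lower() == "windows"


def parse_schtasks(cmdline):
    """Return {tn, sc, tr, rl, f} for a 'schtasks /create' command line, else None."""
    toks = tokens(cmdline)
    if not toks or PureWindowsPath(toks[0]).stem.lower() != "schtasks":
        return None
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    task = {"f": "/f" in low}
    for flag in ("/tn", "/sc", "/tr", "/rl"):
        if flag in low and low.index(flag) + 1 < len(toks):
            task[flag[1:]] = toks[low.index(flag) + 1]
    return task


def is_masquerade(task):
    """Task named after a Windows binary whose action runs from outside C:\\Windows."""
    name = task.get("tn", "").lower()
    return name in WINDOWS_BINARIES and "tr" in task and not is_under_windows(task["tr"])


def flag_tasks(events):
    """Map task name -> evidence for every masquerading scheduled task in the records."""
    flagged = {}
    for _pid, _ppid, _image, cmd in events:
        task = parse_schtasks(cmd)
        if task and is_masquerade(task):
            notes = [f"{task['tn']} -> {task['tr']}"]
            if task.get("sc", "").upper() == "ONLOGON" and task.get("rl", "").upper() == "HIGHEST":
                notes.append("runs at every logon with highest privileges")
            if task["f"]:
                notes.append("/f overwrites any existing task of that name")
            flagged[task["tn"]] = notes
    return flagged


def dropper_chains(events):
    """Find EXEs outside C:\\Windows whose parent is cmd.exe running a .bat spawned by
    a script host running a .vbe/.vbs/.js: returns (script, batch, exe) triples."""
    by_pid = {e[0]: e for e in events}
    chains = []
    for _pid, ppid, image, _cmd in events:
        if PureWindowsPath(image).suffix.lower() != ".exe" or is_under_windows(image):
            continue
        parent = by_pid.get(ppid)
        grand = by_pid.get(parent[1]) if parent else None
        if not parent or not grand:
            continue
        if PureWindowsPath(parent[2]).stem.lower() != "cmd" or PureWindowsPath(grand[2]).stem.lower() not in SCRIPT_HOSTS:
            continue
        scripts = [p for p in WIN_PATH.findall(grand[3]) if PureWindowsPath(p).suffix.lower() in SCRIPT_EXT]
        batches = [p for p in WIN_PATH.findall(parent[3]) if PureWindowsPath(p).suffix.lower() in {".bat", ".cmd"}]
        if scripts and batches:
            chains.append((scripts[0], batches[0], image))
    return chains


if __name__ == "__main__":
    for name, notes in flag_tasks(EVENTS).items():
        print("masquerading task:", name, "|", "; ".join(notes))
    for script, batch, exe in dropper_chains(EVENTS):
        print("dropper chain:", script, "->", batch, "->", exe)
```

Against the records above the task check flags exactly the five tasks from the tree and leaves the benign control alone, and the chain check returns the two commoncrt stages (jaQVQp40C9Rgjj5Fe8OA.exe and crtperf.exe). The name-versus-location test is deliberately narrow: a task called smss whose action lives in C:\Recovery\OEM is wrong in a way that does not depend on the sample, whereas ONLOGON, /rl HIGHEST and /f on their own are also used by legitimate installers, so they are recorded as supporting evidence rather than used as the trigger.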

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe

    Filesize

    145B

    MD5

    804866ce16200d32a1019893b53d32d7

    SHA1

    fa77f544aaf9cfbab2ba762a1d30432217abf71d

    SHA256

    a6ed52f5e59d0af7380c5ed81255615b4106c024130769d7a36c523093baeda4

    SHA512

    8c2c9f2b91e2fbae6400725264cf1b269cd8d6f79876fcf2e0524514217e113efdea3887ea53f48d0f196d23774e8f39cf229da9f0b90f6785a76c1050599510

  • C:\commoncrt\crtperf.exe

    Filesize

    364KB

    MD5

    438a5ba9f82c913cf3d1d1b92779c0eb

    SHA1

    d9261f194ac5ae67e4363f555413fc1f6be7bdba

    SHA256

    659c43df149031ed0949fededae6bd2a6160c575165961a3cb9c4d568e953ce3

    SHA512

    710f1b4aba364ec4a75bf453360dbd41a644584a911376a45bf26c0b08cd52f69e1dfb6801a18d7ff3e8cf996f64330f941298fdfae9a18a67eb1a4c7393e7a3

  • C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat

    Filesize

    26B

    MD5

    e573d5582c49ff522d91609451481e6d

    SHA1

    640824dadcede6d72ff999dbddb13e21f8d1d8e7

    SHA256

    f82859f7c17ef4fb6639cb5427e434e6b87c92e419bc9c4548c0e7d637a0d670

    SHA512

    43c41a28474660848d1b470ab7caf10a206b8a8502d4daa8221401d3883a465c72828398237209665fa203aff886d37aa321ea54c4a332689e6bb533a6fdc949

  • C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe

    Filesize

    670KB

    MD5

    06461bc3be1e5138def7ddb7ea68e958

    SHA1

    a234c9952d34a0db30102404d0e08e62ae2c21cf

    SHA256

    449aaa3f15d5eae3c77b03e8118b6183a7b6b163a13ab93e8ec98adde297caed

    SHA512

    6059479859b979b69ab4bd01bf9fb6c1a00331c54a66cb43d3f35a8a099b65dff1ed01158bd4e6c76bd45f9b9db3d0cd495dd5d09cd60f8c22b706541d69d955

  • C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat

    Filesize

    563B

    MD5

    a8df6c84fe7ba033e7013f5827f3b6fe

    SHA1

    3cb090124280d8eb205d7d262337e145993eba30

    SHA256

    b5e68b5b417fe7062b49107fa8b1d908075a8def5dc764f71820cad9c232a121

    SHA512

    326d725ac5744efd1a63e8bcb829c332d4bc0ea158aeac10cfcbd9de0934bd5d313ef35ea66ae59cc8832f482e4376d0b21ac5afb766f226611aa3a4d469131a

  • C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe

    Filesize

    221B

    MD5

    11be5f2ee4abaccbf4ffa714494b86cc

    SHA1

    07f6fa377258c7404efdd7793c1b1637a69d3eeb

    SHA256

    a7e27661c96469ff37738b10bd4a639f0242050fe94a0efa4775b8bdb079a6b9

    SHA512

    51fd36c016df8739cdb522f3ffc2be387b8286f751b2381bef084bc99995a10b3342fd356525db76445b70bff82275c1bff9aabcfeef5f0ce15088c757efae7c

  • memory/3416-0-0x00000000001A0000-0x0000000000242000-memory.dmp

    Filesize

    648KB

  • memory/3416-13-0x00000000001A0000-0x0000000000242000-memory.dmp

    Filesize

    648KB

  • memory/4528-34-0x000001FCD85F0000-0x000001FCD8652000-memory.dmp

    Filesize

    392KB