Analysis

  • max time kernel
    31s
  • max time network
    35s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    06-12-2024 11:05

General

  • Target

    Sirius.exe

  • Size

    2.4MB

  • MD5

    e88e9ba128b0f902f05a24fc524b6642

  • SHA1

    aead6538e5762c1dce5aa5a823e6a897395dfab9

  • SHA256

    741f406af0d9813380255250f41bb4b5202575b0a95a5405b67520f5840393b1

  • SHA512

    276a779d33dcd77c6222c98b5cc3fcbd095216213eb77d4d4b898320b0805729561a7f45d279d54bc7abb16f2f816e531e6dbddf3f95401f0f39d9458b4fc942

  • SSDEEP

    24576:zTbBv5rUFz0sjTfN29w3R97qQqGv53D0pOuAw1sNv2pbP6inu0lPP1Y7QzqF:tBeHYiUm53D0mtv2pZFPPqUzs

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sirius.exe
    "C:\Users\Admin\AppData\Local\Temp\Sirius.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainBlockportcomnet\NjC268YrIE3.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ChainBlockportcomnet\cz7Hmt9rVGQXaOiUvs0kcu0Nht.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\ChainBlockportcomnet\HyperFontReview.exe
          "C:\ChainBlockportcomnet/HyperFontReview.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\knott40b\knott40b.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD169.tmp" "c:\Windows\System32\CSCBA80EBD8603946F3AEE25B237CB33F2.TMP"
              6⤵
                PID:2332
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Edp1qaNiWO.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4016
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2276
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:1824
                  • C:\ChainBlockportcomnet\HyperFontReview.exe
                    "C:\ChainBlockportcomnet\HyperFontReview.exe"
                    6⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:708
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"
                      7⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2892
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        8⤵
                          PID:2660
                        • C:\Windows\system32\PING.EXE
                          ping -n 10 localhost
                          8⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:3192
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\ChainBlockportcomnet\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ChainBlockportcomnet\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\ChainBlockportcomnet\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1584
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\ChainBlockportcomnet\sysmon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1208
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\ChainBlockportcomnet\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\ChainBlockportcomnet\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4380
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3436
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3424
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2820
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "HyperFontReviewH" /sc MINUTE /mo 5 /tr "'C:\ChainBlockportcomnet\HyperFontReview.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1544
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "HyperFontReview" /sc ONLOGON /tr "'C:\ChainBlockportcomnet\HyperFontReview.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3592
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "HyperFontReviewH" /sc MINUTE /mo 5 /tr "'C:\ChainBlockportcomnet\HyperFontReview.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2480


          Downloads

          • C:\ChainBlockportcomnet\HyperFontReview.exe

            Filesize

            1.8MB

            MD5

            567cd508bc0600d5b2e390422d5801b7

            SHA1

            093d100e41e9d24b6b72e0f3d8b00ab7efcdb201

            SHA256

            4e180cc9f48bcc3ab5532dbc7b0a6ce389d5dda4c6a91aa078fc717ff9bddfef

            SHA512

            eb8ceabbf6c7518c76c2027533fea4c4a405c5f106edffea228e16e9fd0fa5d0365f5b480cb16f10129cf022ca1fdf1e102bb99c3e1fc8805f4a7a00bd57613e

          • C:\ChainBlockportcomnet\NjC268YrIE3.vbe

            Filesize

            225B

            MD5

            c116b7f56f9a648b221b2eb1738cc725

            SHA1

            fa990cef96e5a8566e0ebec696b30ef06beb96b0

            SHA256

            b3fe07c8d460ec9392585cabac43a635c5022cc58cc805b46ce66fed18736571

            SHA512

            68f07f604a0cea97cedaac041c61aa4eabf4f41b5901a3affc2a94c1678bc11cc4c6115d7afe3c31cc821053ef0d65562760c0214e720c7ad0f6ec6461673a1e

          • C:\ChainBlockportcomnet\cz7Hmt9rVGQXaOiUvs0kcu0Nht.bat

            Filesize

            77B

            MD5

            2ed11b1529600db8518888a8d4f1990e

            SHA1

            21961a59c7f22c04d0704f1a29c1e7720156f942

            SHA256

            eb402b7e0d0145ca49d3c43df2b134fd9a8f2ae3a07319a9cb0e70fba6e7d06b

            SHA512

            e40fa81fceb25ff396fb6bcdba1a15f3ce437ed4fda6754f4ff41d60a852cdc6aa25ab622652ccb0ab94e14ab9e56829cdfc4aaec233ca2307efa142ed34ce5e

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HyperFontReview.exe.log

            Filesize

            1KB

            MD5

            3472240ba9018b36cebbb3fa4d9ecde2

            SHA1

            fa7d94af70df8bd1719c25cc1485c093354e3cb6

            SHA256

            4ff5eaa183765d37205065b36b4212117fe7cc93216a5cdc88649d8943b4f449

            SHA512

            4ac5bedcf0e686dd86e82ca4dc02f6ec0b5a3a5dd06056856dee7ef230f3abbf37e8237a08f3d9d31e24bf9c8a21eca04a824846a2f5bd50d6defd470a53db3a

          • C:\Users\Admin\AppData\Local\Temp\Edp1qaNiWO.bat

            Filesize

            219B

            MD5

            73dbdb90100141715aa279afaf314d20

            SHA1

            69468eebfaef26c26f958cc9fc6628577fa2944c

            SHA256

            b3102d98410f9723a6e3bc6c52292ad95a1fa951f1f2d1ff497b4252a4e21c16

            SHA512

            3870b449ea0b86595b6c02d72c7fc399c631a831a6e1a9e655474f1180926e31e740ef8238caa70db856f05f949406cd25c7014603e802e1a350de40b7417fad

          • C:\Users\Admin\AppData\Local\Temp\RESD169.tmp

            Filesize

            1KB

            MD5

            7201d7521488644b0d50065db87e294f

            SHA1

            ef4dd61488b736a693574507112edf8f26f4e423

            SHA256

            f9cd6f204eb8fdfdf194c36fb07a7ad063ad9bc44e9577d8127225dffaa59673

            SHA512

            3a72f168731e83ab04e63b7461dc2883401f932c5f6387ed3daae569bc128cb3796d0e0f07ce1962187398c22c77230883cefb5c647c0c03bcf1be0e8285d0f2

          • C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat

            Filesize

            171B

            MD5

            dc13cd0ed71ce3dbee51e15ba4d330b4

            SHA1

            09a7a386d4c5b5328d4cd52b4ba8060a09250eb5

            SHA256

            9765c8f10d571629cce123275493aca7d48358489caf90842685a72dff975865

            SHA512

            a663047edae49320188781f9d7ec0e0892bcd1a8bc2c4639b4934f584a9e3b538cf8dfb7338c8d8dbc12b70ea47e8acac95490a8a259023ebcceb34aad1d9728

          • \??\c:\Users\Admin\AppData\Local\Temp\knott40b\knott40b.0.cs

            Filesize

            373B

            MD5

            fc040204e623b3d4079c3b0f4736e76c

            SHA1

            97b3a60bdde664214daa2b7c69ab294e2f9dd5fe

            SHA256

            4015c0f69777d0fe577d411e4ca3f1614b334637f7000529ebe7d890f2a634b0

            SHA512

            f83b32a2346d7e4669b538a2e67fe49431dcf1e10e5d36b3a024e3881537ae1f0de80f12061a156b766860d32637458e1e8add063e43ce622d28189ca7af6e29

          • \??\c:\Users\Admin\AppData\Local\Temp\knott40b\knott40b.cmdline

            Filesize

            235B

            MD5

            547a31f42aac68485f43bb97215f90b2

            SHA1

            24a8c436437b6a47d7c76d1b8caf0bcd030b9e8b

            SHA256

            af423ff2e4030cc05cc01ea42e711c9060ae95f5baeeb1ec831861058b07b600

            SHA512

            3cce975e0a3c4743b086f2f14043550c6a3ca030e2078cf8404791bb03ebd82f4d25e44d1ba87c75322c42fd3352c6c7e0c300817912b8add3fdb057dcffcab0

          • \??\c:\Windows\System32\CSCBA80EBD8603946F3AEE25B237CB33F2.TMP

            Filesize

            1KB

            MD5

            b7890074c0676df846c8d319664a263c

            SHA1

            282b65c3ece5648ff1e2bca3fd63c81976f50578

            SHA256

            6f8f38bce1f63faeddbdf63cac6f27c360964fb4ab63aa611acc1e3ba9a55853

            SHA512

            5bee1cf30abb475f9170399688191287b598d51eeb5905fb6a6930d49ae9c1fe831a68d3679747c47efc8cd363bda6ec9330dbdece4de5b77acd4d53fa9f980a

          • memory/708-67-0x000000001C7F0000-0x000000001C95A000-memory.dmp

            Filesize

            1.4MB

          • memory/708-66-0x000000001C0B0000-0x000000001C1AF000-memory.dmp

            Filesize

            1020KB

          • memory/2052-16-0x0000000000ED0000-0x00000000010AA000-memory.dmp

            Filesize

            1.9MB

          • memory/2052-25-0x000000001BC30000-0x000000001BC3C000-memory.dmp

            Filesize

            48KB

          • memory/2052-23-0x000000001C030000-0x000000001C048000-memory.dmp

            Filesize

            96KB

          • memory/2052-21-0x000000001C080000-0x000000001C0D0000-memory.dmp

            Filesize

            320KB

          • memory/2052-20-0x000000001C010000-0x000000001C02C000-memory.dmp

            Filesize

            112KB

          • memory/2052-18-0x000000001BC20000-0x000000001BC2E000-memory.dmp

            Filesize

            56KB

          • memory/2052-15-0x00007FFBB0C33000-0x00007FFBB0C35000-memory.dmp

            Filesize

            8KB