Analysis
-
max time kernel
43s -
max time network
45s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
07-12-2024 18:53
General
-
Target
FATALITY/loader.exe
-
Size
3.2MB
-
MD5
2307ca04c2633d28345fb0580c77c2ec
-
SHA1
edbd1f092ed03cb2674877aba6e874722ee07814
-
SHA256
168637ea64d64afefd1f88b91ffecb74715ccb6a98acf73d4a16175511628276
-
SHA512
c2646c5bf3dcd6ef4679af80ae6424c1f88e3f29a40beff729b59bebd8fd3d9b0d45392d2e11f4e1b69ada0f4ec20cfc45430d184cdf0238f2845b7deaff7e9b
-
SSDEEP
98304:ups+iZyomWShz+6WumEq5GGxLnIlP2NgQKGfxx:ndZOhNWumEqxLIB21K6H
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 4 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ad4etupr\ad4etupr.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES784.tmp" "c:\Windows\System32\CSCCCDE93559DBD4AB8951AF729B7A31A17.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KUV4wBQq00.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RNhQwN31dW.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1aRjLYSwTB.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Templates\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\ServerWinRuntimeBroker\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\ServerWinRuntimeBroker\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 9 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainPorthostCommon" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 11 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223B
MD53569aec6289503482c7877ad3f205301
SHA1cf016699d614c9f2e9a899c646cd24aca6b75fcf
SHA256a2bb38c2d2eafac2d73af9247252de8cfac9a4f9522b4f66ad73d9a003fc7754
SHA512d8df28cd229e31eb97a705d02aac38f836b5b05741bdb7c97f4a8d9d3eec183a3883e39b30c2141e9c8b650c98edfb51a8cb7fce1c87d67b15bd9dc52a1b1ef5
-
Filesize
1.9MB
MD5cf5b49706562ba2047cda4a451dd573a
SHA1d7d66016b5ea4215581f208c7972b2ff49cbeed1
SHA25674547e5b862bd3691947b78eabbdab88c468e26144bd03911be68941376dc89b
SHA5120dc54fc8afe4a1b8ce0d72e215cf617dbc657f4e02cabe7be694b0d20be385f63848e49717bd4856547dbb52f8a762e54c63323b53188cc1d8127c54b6a10f1e
-
Filesize
96B
MD5ca78c31c7fad40ca729ce40659dd91fa
SHA1b649a3669cffe53122ad50f62f769faa45b96a92
SHA25688b4be83a053855858771fda50d7f6fe0cd5f5fd0cd33b3299c28aab5eb40e2b
SHA512b606a335ac5f28030e60a00f99e519240bc3d47d7d88e84eb8de1f34ef19ae6df56f01f5f6d83fa215f445732596f0865d630675706626545b15e0c64b0a21ec
-
Filesize
1KB
MD53472240ba9018b36cebbb3fa4d9ecde2
SHA1fa7d94af70df8bd1719c25cc1485c093354e3cb6
SHA2564ff5eaa183765d37205065b36b4212117fe7cc93216a5cdc88649d8943b4f449
SHA5124ac5bedcf0e686dd86e82ca4dc02f6ec0b5a3a5dd06056856dee7ef230f3abbf37e8237a08f3d9d31e24bf9c8a21eca04a824846a2f5bd50d6defd470a53db3a
-
Filesize
177B
MD593a217faa41a590b6238753e685a1850
SHA1e153f3732376570466f32dc0e986c7e6feed56a0
SHA256148459d4baa2fb52af92e9223b1bcee5f30889163358c4c478ae95eeee300ffc
SHA512ec728f69c157710123844fcf5c95c6ec0c15ec1b1b2d51b0030553e5d07dbf96d5bd15d23fa3929239234536f5805b448db37d614ea3d04bb392386a65ff5d4c
-
Filesize
225B
MD5945cf9a22c71a9a27067702c64da07bf
SHA194a7a6289bb4f7b5dea907049bf9c6333ca52506
SHA256dce3cdc4d2a80ea3a12f7874be7639b5221babf1bf2a4d4e958dfea78fe55321
SHA5126a47752fe0d4bd2c0c227e15e226da298e1853cd33dd226561aa3a1040d204029dcd96767efff12830bf7812115017d6c4a8d24b3d9714d67078a5260fbfdb6c
-
Filesize
1KB
MD59a30fde8ad6d4d411420273b3852c243
SHA157ac2f3f7f5192d322987b940e1338ca393eff4f
SHA2567239ba68e0a8ff8ff1ba961a51cc89494ab3dc6e64d392e2d3a10ca51bd4a64e
SHA512caa7f2cd3a53c0970eb6993a9f0dd6a9cc2f8a45578be03b859e8e17f2b8574dbccdc1d45023b79890194f00f216846a24217784a943ab03b234ee50c6d4ce68
-
Filesize
225B
MD521cf545ccead8e6232f217b2e78ea0b3
SHA11bf18311f72cd562d950254285e418cae2732a02
SHA256ee66f9c098a64cd406262d5adb4e1af67e87d7e834a777e9d49cff0541a1ec64
SHA512556bf2f5f6721e1c0fd6f341f2bca8675b6ecc63eb1bd09598782b3b8cb5f3d3da434117f6b8bc999e1abf91e1b3abcd796f0acdae46aa85bf76c4ab137efb2a
-
Filesize
393B
MD5a218695c247e1d5a9706a185d250b3c3
SHA1157efb02d944fe07b8653f91670b3ceeb6509e59
SHA256f601a745e84e6b716145cde3013c03678dd9a4ac5b95e9804c09da8bcc9ff56c
SHA512c2cb17732e7f5c715f9d72089379dd097d23e2832f499e25a5df7e4a8309c7415c4c90574ec25746250efbb35de165f04dc2d48a55f5ca9a981c7262e0442627
-
Filesize
235B
MD583492bb1369c60b3c4c1828bf56bfc4c
SHA184cdafed4dd977f5054fac358898d33ef932516d
SHA25652b8318e81b3b31f1e291bed32551783bbacc9ff64de5c9ade4320ecc02e1fc4
SHA512d7f4e4c637c12802aae586c5ad01d4824269ad77252725918ceebc03278c4a91276f1230722386ae44e8e5da73e36f1fd4b8c6732553160f0487a83f2c234099
-
Filesize
1KB
MD55b58fb8248746f1db04ad2d8f13d15ec
SHA1dc2fd69ae3111e0dce9034a2fed53dce5873cd14
SHA256475f13f3048c83e93b4fd63d0c3977711855ab2d81d2854e4f8de99d8952d18e
SHA5126f2e3f4fd2b5bc365c5e7cc14331167ebb29a20970ce582d2b9386b05abe219bba29109b005f5c7aad5a0e2f3bfe3375811753c8a70b5c872fb9ff8481a40d0c
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB