Analysis

  • max time kernel
    120s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2024 18:55

General

  • Target

    FATALITY/loader.exe

  • Size

    3.2MB

  • MD5

    2307ca04c2633d28345fb0580c77c2ec

  • SHA1

    edbd1f092ed03cb2674877aba6e874722ee07814

  • SHA256

    168637ea64d64afefd1f88b91ffecb74715ccb6a98acf73d4a16175511628276

  • SHA512

    c2646c5bf3dcd6ef4679af80ae6424c1f88e3f29a40beff729b59bebd8fd3d9b0d45392d2e11f4e1b69ada0f4ec20cfc45430d184cdf0238f2845b7deaff7e9b

  • SSDEEP

    98304:ups+iZyomWShz+6WumEq5GGxLnIlP2NgQKGfxx:ndZOhNWumEqxLIB21K6H

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
          "C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t5ma4hxh\t5ma4hxh.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1868
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5004.tmp" "c:\Windows\System32\CSCFF26C7DCB234A57AB3DDF6B4DC7C6F.TMP"
              6⤵
              PID:540
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u3DL05dsfB.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2092
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                PID:1148
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                PID:940
              • C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                "C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\ServerWinRuntimeBroker\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\ServerWinRuntimeBroker\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\ServerWinRuntimeBroker\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\ServerWinRuntimeBroker\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 8 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainPorthostCommon" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 5 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2076

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe

          Filesize

          223B

          MD5

          3569aec6289503482c7877ad3f205301

          SHA1

          cf016699d614c9f2e9a899c646cd24aca6b75fcf

          SHA256

          a2bb38c2d2eafac2d73af9247252de8cfac9a4f9522b4f66ad73d9a003fc7754

          SHA512

          d8df28cd229e31eb97a705d02aac38f836b5b05741bdb7c97f4a8d9d3eec183a3883e39b30c2141e9c8b650c98edfb51a8cb7fce1c87d67b15bd9dc52a1b1ef5

        • C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat

          Filesize

          96B

          MD5

          ca78c31c7fad40ca729ce40659dd91fa

          SHA1

          b649a3669cffe53122ad50f62f769faa45b96a92

          SHA256

          88b4be83a053855858771fda50d7f6fe0cd5f5fd0cd33b3299c28aab5eb40e2b

          SHA512

          b606a335ac5f28030e60a00f99e519240bc3d47d7d88e84eb8de1f34ef19ae6df56f01f5f6d83fa215f445732596f0865d630675706626545b15e0c64b0a21ec

        • C:\Users\Admin\AppData\Local\Temp\RES5004.tmp

          Filesize

          1KB

          MD5

          039bc43eb2cdc172956ccb1e28c6943c

          SHA1

          97e0267162524a4dfa35dbf18eb48e6dbc8c7c84

          SHA256

          e2d99651aa99876d070973363eaf7d188b86d73cf24d7d53520fbe3921b15b39

          SHA512

          866aba3872ebbccea4dd31529483645e4dd79c85b6c49ce687ecb90d46cdedda3c2c0659919865bb1ef73614c31f5050e3980c88b7f5ab2920f2520a50d6adb7

        • C:\Users\Admin\AppData\Local\Temp\u3DL05dsfB.bat

          Filesize

          225B

          MD5

          fb6004946bff6f112f19edd3ff7fa760

          SHA1

          c313107e7ab0aa1ce84d4918a0e3d27ed23f9cf3

          SHA256

          0247d0449f136ff6fd039689a54d978cf9955456cb6f070d2ec3fc4b7c8f63db

          SHA512

          170a00c16c40cb5f6bfa8daa07dd68956b903cf0b10e1aa8f3448a990135de576efd354080e481a9e1c095cac85a61b93ecc8c54485b4d45271cd9efdd2e75dd

        • \??\c:\Users\Admin\AppData\Local\Temp\t5ma4hxh\t5ma4hxh.0.cs

          Filesize

          365B

          MD5

          4692bc0269195bbddd4ea97fe9677da1

          SHA1

          a00e599840e3675efc8a8ed8227b8d8eed0d88a0

          SHA256

          504b7e87434ee93edbf90886f6ad6a6669b257750a7c3bcd4465e18961b3a6ac

          SHA512

          aa26bb9fb149d431a069c92460abc358c2afed9c7a73ccfc739221f6fc87a2e688edc111943cd4ea4e3294e1309a4d4b36bab5823deef3d8b7cc1fdc33dfdc4c

        • \??\c:\Users\Admin\AppData\Local\Temp\t5ma4hxh\t5ma4hxh.cmdline

          Filesize

          235B

          MD5

          ed2f53ea1923baa5d8def269a7ffedf5

          SHA1

          dcc870cb615582d7a69301c29ead272632cb38d0

          SHA256

          8844079f7a86ecd1503eeedaf3128df9f438e1d06cc52a8e1cb0aafdde1ee750

          SHA512

          bcb2fb50313aac069b49256380f1e79280897971fbf8bbd4b46f850693d26080cccdb767b15783aa72a4b1a69d44289c57c3e680120d0647bfbbdb16ef3351cc

        • \??\c:\Windows\System32\CSCFF26C7DCB234A57AB3DDF6B4DC7C6F.TMP

          Filesize

          1KB

          MD5

          332eb1c3dc41d312a6495d9ea0a81166

          SHA1

          1d5c1b68be781b14620d9e98183506f8651f4afd

          SHA256

          bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

          SHA512

          2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

        • \ServerWinRuntimeBroker\chainPorthostCommon.exe

          Filesize

          1.9MB

          MD5

          cf5b49706562ba2047cda4a451dd573a

          SHA1

          d7d66016b5ea4215581f208c7972b2ff49cbeed1

          SHA256

          74547e5b862bd3691947b78eabbdab88c468e26144bd03911be68941376dc89b

          SHA512

          0dc54fc8afe4a1b8ce0d72e215cf617dbc657f4e02cabe7be694b0d20be385f63848e49717bd4856547dbb52f8a762e54c63323b53188cc1d8127c54b6a10f1e

        • memory/2604-22-0x0000000000600000-0x0000000000618000-memory.dmp

          Filesize

          96KB

        • memory/2604-24-0x00000000002A0000-0x00000000002AE000-memory.dmp

          Filesize

          56KB

        • memory/2604-26-0x00000000002B0000-0x00000000002BC000-memory.dmp

          Filesize

          48KB

        • memory/2604-20-0x0000000000350000-0x000000000036C000-memory.dmp

          Filesize

          112KB

        • memory/2604-18-0x0000000000290000-0x000000000029E000-memory.dmp

          Filesize

          56KB

        • memory/2604-16-0x00000000012B0000-0x0000000001496000-memory.dmp

          Filesize

          1.9MB

        • memory/2672-0-0x0000000000C10000-0x0000000001005000-memory.dmp

          Filesize

          4.0MB

        • memory/2672-9-0x0000000000C10000-0x0000000001005000-memory.dmp

          Filesize

          4.0MB