Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-12-2024 18:55
General
-
Target
FATALITY/loader.exe
-
Size
3.2MB
-
MD5
2307ca04c2633d28345fb0580c77c2ec
-
SHA1
edbd1f092ed03cb2674877aba6e874722ee07814
-
SHA256
168637ea64d64afefd1f88b91ffecb74715ccb6a98acf73d4a16175511628276
-
SHA512
c2646c5bf3dcd6ef4679af80ae6424c1f88e3f29a40beff729b59bebd8fd3d9b0d45392d2e11f4e1b69ada0f4ec20cfc45430d184cdf0238f2845b7deaff7e9b
-
SSDEEP
98304:ups+iZyomWShz+6WumEq5GGxLnIlP2NgQKGfxx:ndZOhNWumEqxLIB21K6H
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fju4ku5b\fju4ku5b.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3F1.tmp" "c:\Windows\System32\CSC392B862D76E84A3EBC708FAC6AC2550.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BASt1yHq1g.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Windows\SysWOW64\sr-Latn-RS\Registry.exe"C:\Windows\SysWOW64\sr-Latn-RS\Registry.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\sr-Latn-RS\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sr-Latn-RS\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\sr-Latn-RS\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 11 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainPorthostCommon" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 9 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223B
MD53569aec6289503482c7877ad3f205301
SHA1cf016699d614c9f2e9a899c646cd24aca6b75fcf
SHA256a2bb38c2d2eafac2d73af9247252de8cfac9a4f9522b4f66ad73d9a003fc7754
SHA512d8df28cd229e31eb97a705d02aac38f836b5b05741bdb7c97f4a8d9d3eec183a3883e39b30c2141e9c8b650c98edfb51a8cb7fce1c87d67b15bd9dc52a1b1ef5
-
Filesize
1.9MB
MD5cf5b49706562ba2047cda4a451dd573a
SHA1d7d66016b5ea4215581f208c7972b2ff49cbeed1
SHA25674547e5b862bd3691947b78eabbdab88c468e26144bd03911be68941376dc89b
SHA5120dc54fc8afe4a1b8ce0d72e215cf617dbc657f4e02cabe7be694b0d20be385f63848e49717bd4856547dbb52f8a762e54c63323b53188cc1d8127c54b6a10f1e
-
Filesize
96B
MD5ca78c31c7fad40ca729ce40659dd91fa
SHA1b649a3669cffe53122ad50f62f769faa45b96a92
SHA25688b4be83a053855858771fda50d7f6fe0cd5f5fd0cd33b3299c28aab5eb40e2b
SHA512b606a335ac5f28030e60a00f99e519240bc3d47d7d88e84eb8de1f34ef19ae6df56f01f5f6d83fa215f445732596f0865d630675706626545b15e0c64b0a21ec
-
Filesize
219B
MD5fb7e7536e5f20986f513d5c810d178b4
SHA10c888d1b860f7c66a6ba7e7524e34e5cdfa8dec1
SHA256004414074266e2225a01a2fcb190c54e01c9c224e0dcdcf7ba2333d498932b3b
SHA512ba7c171b3ccf8ff21b6c66826a4d213d7c7ab6663854a017c8968dc1e2020c34effbf86ba81d09cc0fd4a524a2f78c4a4fab53e651036cbc44cae97559457590
-
Filesize
1KB
MD5001c2475bfa3d04f6257ddbe0d9a6d7c
SHA11f170c7d068b10a7d9fe2523c3fe00ef4dd2c1b5
SHA2560dee3d4be745c7356f558453e77e255c980dd7e39e3d385cd1ba9f7e393ab13f
SHA51234b0743eef9a572e6ac8f9210966a4993931e020c3a486edc861479e38dbd53b432cb439802ed40c1fb2b6c0f91ab45abcb2818404a37a244dcd5d2d9c3a63c3
-
Filesize
397B
MD5b0c44acbd1c843e6cde8e6f32354f648
SHA13043a3e67fb35501ef40924126efdb50e38241e8
SHA25679d1e37c3a99faec272741e89fc07296dce2c48889de926e9f6f8713843d189e
SHA512892db59892c305e125aebb87bb74497cd23f1d09fc970b544051de932a3e326ef9e94346561e1cae60496bbb0d83472e849d2256de4edac7779d8405bee57d8b
-
Filesize
235B
MD52d6a9d69214b7b592112da5be2387d76
SHA1fb71ab84b726bef4325e1cc2e996d5def3c5b685
SHA25638e89d299ac0c410e640fce175ba323caa89811e748a9d2bd75216fcfca10c80
SHA512478e227c8e4efcedb2f6d513ab7f12d184a9e39c33bdb75c4c5834a9421669b65aa160d70644d18731fb6c1960ca3ea6549df79df70b3d296dca86a20afebd4e
-
Filesize
1KB
MD5634e281a00b7b9f516c3048badfa1530
SHA1af6369715ce2fe9b99609e470d4f66698880a35a
SHA2560d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8
SHA5121cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b
-
Filesize
8KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
820KB
-
Filesize
32KB
-
Filesize
820KB
-
Filesize
4.0MB
-
Filesize
4.0MB