Overview

overview

10

Static

static

3

4128341009...f0.exe

windows7-x64

10

4128341009...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4128341009cc3f617bf5612d7c933bc99c00eea63dfce6f24bbe0ba16f1bb1f0.exe

  • Size

    2.1MB

  • MD5

    0e0afa05a99d26d55a9df6876eee479f

  • SHA1

    652fe26e32763a493f04e61c5a5d36c628217ef8

  • SHA256

    4128341009cc3f617bf5612d7c933bc99c00eea63dfce6f24bbe0ba16f1bb1f0

  • SHA512

    bc2b23ed0307f7cd81514ff8bfe83316e1b27b6dbd69a08ca0d4618e6363dd3de5d91b1d4f38b059c73c487867c5980b7e7c49c920672589273a140728510cfc

  • SSDEEP

    24576:2TbBv5rUyXVpz/IPMofzXxgF5X1u1seTK44vmrUcSgjBYsRX8TGxj4fY3D5K7TqD:IBJp0PbsCk44v0y4BYgAGxrNKvdVTK

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4128341009cc3f617bf5612d7c933bc99c00eea63dfce6f24bbe0ba16f1bb1f0.exe
    "C:\Users\Admin\AppData\Local\Temp\4128341009cc3f617bf5612d7c933bc99c00eea63dfce6f24bbe0ba16f1bb1f0.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ESD\UST9UxLQoHNIIFaYLHo0xhIRlgCNcLzoLb106m2nL.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ESD\bQzfgHSGdt2kLcLlkun74cHPltHDXr5Sp886hMeTP.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\ESD\Winver.exe
          "C:\ESD/Winver.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QXQBc8FYJD.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3260
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2752
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:4564
                • C:\ESD\Winver.exe
                  "C:\ESD\Winver.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\ESD\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ESD\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\ESD\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\ESD\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ESD\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\ESD\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\ESD\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ESD\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\ESD\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2192
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4504
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 7 /tr "'C:\ESD\Winver.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 12 /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2936

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ESD\UST9UxLQoHNIIFaYLHo0xhIRlgCNcLzoLb106m2nL.vbe
        Filesize

        222B

        MD5

        8decf43a92645d8ba4b81696c5e7b1ae

        SHA1

        dcc9ca8b24e3adf7568eb0f6b7f5cd27f039faf6

        SHA256

        6ad34bd4e803fad802052423aeab64f4c60dd3ee55a3167425b9640ae24bfea1

        SHA512

        72e44773f484d2e69ebd41cc555d9a57c833b3930e1f3b0326c90882035e0dc5fb54e8d4ded22cf9f2d28fb502b37b133b7c1c9f9d89b8c21857b569c51ebc17

        Download Submit

      • C:\ESD\Winver.exe
        Filesize

        1.8MB

        MD5

        d9ce1032fee5365065a78bbff7267883

        SHA1

        4c7471b47d4151908dd204303421d7c64cf4c5c6

        SHA256

        65d26e7c0b856832e88efefe5c2a9e767fb2a7345715bbd0a6e10f9ac2afb520

        SHA512

        0455364fa91c07da6fecbfb3e3fdbbbcb909e3176b5b151e3653f8b8ebffc02e14fb3471245df479b83f90cd2e1142bcff82b80555cfb3df113696b2925d9435

        Download Submit

      • C:\ESD\bQzfgHSGdt2kLcLlkun74cHPltHDXr5Sp886hMeTP.bat
        Filesize

        57B

        MD5

        d1a4f1e326e7dfca62327ea69446dc7c

        SHA1

        253e264c90cbd15836d8c3a1eab3c26756d94047

        SHA256

        ea091556a5dbab314a6029817a9db64f9b8adc7afb476bbbb11aec0c227f0de2

        SHA512

        3d4624c169297b50329a4e13f3f559a7a1f02112f6482e45cfba747dad11c6e6642f1411cec5e92d7890f86fb38702f48c75fec4d24332d43484ad7b9dbf29c8

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Winver.exe.log
        Filesize

        1KB

        MD5

        af6acd95d59de87c04642509c30e81c1

        SHA1

        f9549ae93fdb0a5861a79a08f60aa81c4b32377b

        SHA256

        7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

        SHA512

        93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\QXQBc8FYJD.bat
        Filesize

        193B

        MD5

        10d98b37f07519f397acd6d439c4b63f

        SHA1

        7bfef0a1e7c93bafc79e67d9ec23986c7fba65ca

        SHA256

        7ae9767117d6a3bbb1c3f839a3298a45dedd60fe4b4113a8432d64fa58e1721e

        SHA512

        6fda622d76a94145220902c45c9257ba11fdc7f68ba8ee3f56670f561fbc0b566868da1292842f3711a8960727f0cb1c3f68a8ec70967048b287eb10bec235ef

        Download Submit

      • memory/1404-17-0x0000000002D40000-0x0000000002D5C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1404-15-0x0000000002CC0000-0x0000000002CCE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1404-18-0x000000001BBE0000-0x000000001BC30000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1404-20-0x0000000002D60000-0x0000000002D78000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1404-37-0x000000001BE70000-0x000000001BF19000-memory.dmp

        Filesize

        676KB

        Download

      • memory/1404-38-0x000000001C320000-0x000000001C4C9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1404-13-0x0000000000A10000-0x0000000000BE4000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1404-12-0x00007FFFE0333000-0x00007FFFE0335000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4360-45-0x000000001C3B0000-0x000000001C459000-memory.dmp

        Filesize

        676KB

        Download