Overview

overview

10

Static

static

3

Winver.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    12s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 04:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Winver.exe

  • Size

    1.8MB

  • MD5

    7e1cbd229ae163375fc55065690e27b4

  • SHA1

    f1cecafde4f843b03f3defffcac7fd6950b582a6

  • SHA256

    4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

  • SHA512

    545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882

  • SSDEEP

    24576:7Sgle/EPZ5XpxBeonQxcYHgC+aviVZZmQ5NnL+MIWRbtHU4aClCbs8HF7Kz9jxG:7AsZWHgReoP7nyWtHPaB37S9jx

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Winver.exe
    "C:\Users\Admin\AppData\Local\Temp\Winver.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w362lfqpe8.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2016
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:5064
          • C:\Program Files (x86)\Windows NT\backgroundTaskHost.exe
            "C:\Program Files (x86)\Windows NT\backgroundTaskHost.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2504
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft OneDrive\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5104
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\Winver.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1364
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:376

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft OneDrive\RuntimeBroker.exe
        Filesize

        1.8MB

        MD5

        7e1cbd229ae163375fc55065690e27b4

        SHA1

        f1cecafde4f843b03f3defffcac7fd6950b582a6

        SHA256

        4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

        SHA512

        545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\w362lfqpe8.bat
        Filesize

        232B

        MD5

        70e1cefb11f3f55595b5b98b1eb7d82c

        SHA1

        d7c0dfe709abc2aa1594c45233c0f342dd6e020e

        SHA256

        945e221a400b18223edc3a83e0309b75595bf92b0e4d1711d2c0fe224273797a

        SHA512

        33c07f78f57c586056aa8743da4c1d101fcd6a35bc518dc3a4af4a2a4d746cd3b7bbfdf91a4e2142585a2b35a7bc4be3d54cbb7f3191960bc1da09e61e17fc7c

        Download Submit

      • memory/4368-4-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-14-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-0-0x00007FFEEB9B3000-0x00007FFEEB9B5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4368-7-0x0000000002510000-0x000000000251E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4368-5-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-8-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-10-0x000000001B0C0000-0x000000001B0DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4368-3-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-13-0x000000001B0E0000-0x000000001B0F8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4368-11-0x000000001B250000-0x000000001B2A0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4368-2-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-26-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-27-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-33-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4368-1-0x00000000002B0000-0x0000000000482000-memory.dmp

        Filesize

        1.8MB

        Download