Overview

overview

10

Static

static

3

ccd01051f9...24.exe

windows7-x64

10

ccd01051f9...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccd01051f9e8bf3301b3bdd406f0bc24.exe

  • Size

    14.0MB

  • MD5

    ccd01051f9e8bf3301b3bdd406f0bc24

  • SHA1

    4e9f71953bd348261e9342f7dd230f274d808e4a

  • SHA256

    4fa025632546c9a5c346cde16c86c5d129d8381ace82e1a7d59ca865f948c533

  • SHA512

    93839aad8a1c533c48c9ef9cfa87c6b5e3abefe0054be20d7a0f1bd8affa2e1787b529ed4fc0371a6874ba7670b50270b554add56436540d4b197d14337455de

  • SSDEEP

    24576:2TbBv5rUyXVnAkClP6KrD3UGYB2Ue9L35+2WcESjvGMJoIlT1sMNAje+Iv4dr6/n:IBJAhMsccEmgIT1sJjdIvqr4tI5E

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccd01051f9e8bf3301b3bdd406f0bc24.exe
    "C:\Users\Admin\AppData\Local\Temp\ccd01051f9e8bf3301b3bdd406f0bc24.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainBroker\WiJ0Q2cIafyWfcOMJ8mrmlFuDvVbi9nZIDl7gyLiG4eFyDELulT2kNl2MWww.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ChainBroker\IrbV6YakyWCvQIuALcoa2IhBwWZ19ItpwUlqov7vyFBfFx5s16nM.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\ChainBroker\bridgeServerFontSavesMonitor.exe
          "C:\ChainBroker/bridgeServerFontSavesMonitor.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:968
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kfbgyrmt\kfbgyrmt.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C64.tmp" "c:\Windows\System32\CSC6955DC34AB7D4127A66120BBEA71506A.TMP"
              6⤵
                PID:3944
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j0fH05LO6V.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1760
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3492
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:432
                • C:\Windows\Fonts\conhost.exe
                  "C:\Windows\Fonts\conhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Fonts\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1088
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\ChainBroker\sysmon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\ChainBroker\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\ChainBroker\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\sysmon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2464
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4872
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "bridgeServerFontSavesMonitorb" /sc MINUTE /mo 7 /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "bridgeServerFontSavesMonitor" /sc ONLOGON /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "bridgeServerFontSavesMonitorb" /sc MINUTE /mo 7 /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2560

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ChainBroker\IrbV6YakyWCvQIuALcoa2IhBwWZ19ItpwUlqov7vyFBfFx5s16nM.bat
        Filesize

        101B

        MD5

        746d44098ab92e627cebe72cfa9c560d

        SHA1

        b51342547c4b9227df75ed19d60c462827f83204

        SHA256

        7ca477b6f171461fa1b2ae2350a938b518d4323a03d4acc95ded7b4f518d1147

        SHA512

        b5f3daa4bee7a3317c1bf23b0c0d12861742328478c31b7714798b5be7ecd7ac6cc799532103db9a8a2a0d90a347b553b92f9cbfad43b2e19e57a16029449b03

        Download Submit

      • C:\ChainBroker\WiJ0Q2cIafyWfcOMJ8mrmlFuDvVbi9nZIDl7gyLiG4eFyDELulT2kNl2MWww.vbe
        Filesize

        241B

        MD5

        ee1d4dd46a1cb9b8dcf5841dae6bbc93

        SHA1

        7b5f9134a578673858b826c698dc0360db7d565f

        SHA256

        d2c34e5da842bf7ecb384880d6dbf05dffd1e59775961e017a281e3958f0b434

        SHA512

        9d1db891b0589e02812632d92ec297ae526abdeb7d37367728c0b6cfdeb0ff34acd9f5d8833654984fcec124c328eb41e4ac805fb1f6d9477e2933731eed02b3

        Download Submit

      • C:\ChainBroker\bridgeServerFontSavesMonitor.exe
        Filesize

        13.7MB

        MD5

        39953acd4fd32884e6cad0d1e4688051

        SHA1

        31579801f012118285f1fd48ccf63b07ebe1594a

        SHA256

        5773e581ce59418ee4c3f205d4fa16ad74718d16d1d8e4dd37332bb4ecb850bf

        SHA512

        3823ad17c90ef4454a774e59d9b5e37b11abf451d6485c4bf7f54cf04738d01a3b6020346fc7817cb48b32cfcefbce46667b3b185baf44c0ff00ecb4e027df35

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES7C64.tmp
        Filesize

        1KB

        MD5

        7380c69bcf23c26109335aff4c5f8dc7

        SHA1

        695c963495f1d271fc9f09c00dbc399206078322

        SHA256

        36b5843a7c1899bb880f11ca5fad2d14f7af476e9126f9f8b8c8bd3b32a565f7

        SHA512

        92dc37a69a523fcd71357e0335d6ce21549f13a3727eea8483094dbeea3e7dd22de9d82f63dcf39257ffc1212b4c0e749f873543830addb82cb9edc4083e1e72

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\j0fH05LO6V.bat
        Filesize

        156B

        MD5

        41d2ee3ac51776d9ec687ed273f8a4b4

        SHA1

        1f7b64e31b1e4d37950aa49e6e683b510321299f

        SHA256

        6151fe270f74713702693d9b71be60500796b9a35f4f8020e085b1344c45b9ee

        SHA512

        6843728d67017f7b41e42db81bed8e12609d83357361cf8595ac67660cc3b82e0250c637b4415af49b64582e1676519a898e7b59ba6c979d48817074ed25fa14

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kfbgyrmt\kfbgyrmt.0.cs
        Filesize

        360B

        MD5

        e6f438d5ce6ef3d618fcb1d29777db15

        SHA1

        b2690c6d1f86a2322f4a1ed51022e164fa53dd9b

        SHA256

        4f0545825d5971b801b2f1398c5b8ec88ec1047ba375bc6dd2da9f48b64c94a1

        SHA512

        0781df70c2828293f745f34f812f2ef0898effd38159e5c71be9afba2a0353244cc5796e25e6a80ea8fc3c647968d8d6181e60661efd6236c1eea625e8801232

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kfbgyrmt\kfbgyrmt.cmdline
        Filesize

        235B

        MD5

        26ee6c698b786dc791b59fc30e25921f

        SHA1

        db2fd508c277e6d34bbae60d7bcdb918a45801b9

        SHA256

        e1cf4426434734988aaf2942957aa102677143a2b47b69f6336d8a897b4e61d5

        SHA512

        1b11851307fc2304d66711ed361213bffbcd0724ea8c207a447419e3566b9ee1b38375885f849fd1fd14626fc944656784ea626024209f865c411a0a7ab86611

        Download Submit

      • \??\c:\Windows\System32\CSC6955DC34AB7D4127A66120BBEA71506A.TMP
        Filesize

        1KB

        MD5

        5984679060d0fc54eba47cead995f65a

        SHA1

        f72bbbba060ac80ac6abedc7b8679e8963f63ebf

        SHA256

        4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

        SHA512

        bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

        Download Submit

      • memory/968-17-0x0000000002DA0000-0x0000000002DBC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/968-22-0x0000000002C60000-0x0000000002C6C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/968-20-0x0000000002DC0000-0x0000000002DD8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/968-18-0x000000001BB30000-0x000000001BB80000-memory.dmp

        Filesize

        320KB

        Download

      • memory/968-15-0x0000000002C10000-0x0000000002C1E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/968-12-0x00007FFAEE543000-0x00007FFAEE545000-memory.dmp

        Filesize

        8KB

        Download

      • memory/968-13-0x0000000000970000-0x0000000000B4A000-memory.dmp

        Filesize

        1.9MB

        Download