Analysis

  • max time kernel: 50s
  • max time network: 148s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-01-2025 04:44

General

  • Target: ccd01051f9e8bf3301b3bdd406f0bc24.exe
  • Size: 14.0MB
  • MD5: ccd01051f9e8bf3301b3bdd406f0bc24
  • SHA1: 4e9f71953bd348261e9342f7dd230f274d808e4a
  • SHA256: 4fa025632546c9a5c346cde16c86c5d129d8381ace82e1a7d59ca865f948c533
  • SHA512: 93839aad8a1c533c48c9ef9cfa87c6b5e3abefe0054be20d7a0f1bd8affa2e1787b529ed4fc0371a6874ba7670b50270b554add56436540d4b197d14337455de
  • SSDEEP: 24576:2TbBv5rUyXVnAkClP6KrD3UGYB2Ue9L35+2WcESjvGMJoIlT1sMNAje+Iv4dr6/n:IBJAhMsccEmgIT1sJjdIvqr4tI5E

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccd01051f9e8bf3301b3bdd406f0bc24.exe
    "C:\Users\Admin\AppData\Local\Temp\ccd01051f9e8bf3301b3bdd406f0bc24.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainBroker\WiJ0Q2cIafyWfcOMJ8mrmlFuDvVbi9nZIDl7gyLiG4eFyDELulT2kNl2MWww.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ChainBroker\IrbV6YakyWCvQIuALcoa2IhBwWZ19ItpwUlqov7vyFBfFx5s16nM.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\ChainBroker\bridgeServerFontSavesMonitor.exe
          "C:\ChainBroker/bridgeServerFontSavesMonitor.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c5o00snp\c5o00snp.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDCA.tmp" "c:\Windows\System32\CSC327633ED4C6C46C4B6E8F61EA6F150F2.TMP"
              6⤵
              PID:2100
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SFqo0L9dHM.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2108
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                PID:2148
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                PID:1728
              • C:\Windows\Branding\Basebrd\it-IT\winlogon.exe
                "C:\Windows\Branding\Basebrd\it-IT\winlogon.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\ChainBroker\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ChainBroker\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\ChainBroker\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "bridgeServerFontSavesMonitorb" /sc MINUTE /mo 11 /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "bridgeServerFontSavesMonitor" /sc ONLOGON /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "bridgeServerFontSavesMonitorb" /sc MINUTE /mo 11 /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ChainBroker\IrbV6YakyWCvQIuALcoa2IhBwWZ19ItpwUlqov7vyFBfFx5s16nM.bat
    Filesize: 101B
    MD5: 746d44098ab92e627cebe72cfa9c560d
    SHA1: b51342547c4b9227df75ed19d60c462827f83204
    SHA256: 7ca477b6f171461fa1b2ae2350a938b518d4323a03d4acc95ded7b4f518d1147
    SHA512: b5f3daa4bee7a3317c1bf23b0c0d12861742328478c31b7714798b5be7ecd7ac6cc799532103db9a8a2a0d90a347b553b92f9cbfad43b2e19e57a16029449b03

  • C:\ChainBroker\WiJ0Q2cIafyWfcOMJ8mrmlFuDvVbi9nZIDl7gyLiG4eFyDELulT2kNl2MWww.vbe
    Filesize: 241B
    MD5: ee1d4dd46a1cb9b8dcf5841dae6bbc93
    SHA1: 7b5f9134a578673858b826c698dc0360db7d565f
    SHA256: d2c34e5da842bf7ecb384880d6dbf05dffd1e59775961e017a281e3958f0b434
    SHA512: 9d1db891b0589e02812632d92ec297ae526abdeb7d37367728c0b6cfdeb0ff34acd9f5d8833654984fcec124c328eb41e4ac805fb1f6d9477e2933731eed02b3

  • C:\Users\Admin\AppData\Local\Temp\RESCDCA.tmp
    Filesize: 1KB
    MD5: 201f769cf2ffcf6997729181079d30ca
    SHA1: 35be8380ec7128ee3edda58c41126e8a315dad8c
    SHA256: e8378bb9cb9653f5241c369b52bcdc8bca6fa46c0494d74362ad5ffc52fd98a1
    SHA512: d77d4a7320348b601020e6f54fb7f8396c723cd9d004379e2aef343b3525a7945a79b66cba7c0455b9985a4117fd1f5eff3c30fb5ae23c3f1a99e547aebc612d

  • C:\Users\Admin\AppData\Local\Temp\SFqo0L9dHM.bat
    Filesize: 222B
    MD5: eabde410e494eedff8c34ac1d201efa5
    SHA1: 52c063ca4d95b9f8b860c7f8e4e16400ef993c33
    SHA256: ac7a2e5cc3552956839a42d0b4530f60508463807c55be9bce4c1d4a09d19db2
    SHA512: ced04a866fe1dda521cf97c08a975df97a0d15c4b563f8785435498506b44989acc88a44f85112a8bc4f6a131a200846501ff91f70f32cdb80136a6be9c62c00

  • \??\c:\Users\Admin\AppData\Local\Temp\c5o00snp\c5o00snp.0.cs
    Filesize: 412B
    MD5: 10bbc3573a8562912cccf84459458480
    SHA1: 8c1cd5d8cd28eb2137dd24ace2b5f21c9b439b98
    SHA256: d8ab6991ad121edef9c624be0a932e8ce0b3478b4dc1bfdee3ed0e53212bd1a0
    SHA512: f739ed9a29dee4eb73004ca356143a998445a460d58593f20e803f9763b19cef3c46481da9e7c2cad90f6dcea8efbd05c1d7e31e35f0e6b70ca561f25883c791

  • \??\c:\Users\Admin\AppData\Local\Temp\c5o00snp\c5o00snp.cmdline
    Filesize: 235B
    MD5: 74480282da785c82d9f2ab2b1be84028
    SHA1: d3c669da16a85826237fed6048e030a7da2b18e8
    SHA256: eca1a86c8e1aa02baef95bf43c6d28755f3cce787738e06758c5b57958191d96
    SHA512: 1dde0996423056d58e411175f2eef61cf34e58aa94c5e72f0aa3fa2e85734aa491b060dcfac797ed48bb0d246033d8aee92707da150f2067b74128b73cf4b085

  • \??\c:\Windows\System32\CSC327633ED4C6C46C4B6E8F61EA6F150F2.TMP
    Filesize: 1KB
    MD5: 332eb1c3dc41d312a6495d9ea0a81166
    SHA1: 1d5c1b68be781b14620d9e98183506f8651f4afd
    SHA256: bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2
    SHA512: 2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

  • \ChainBroker\bridgeServerFontSavesMonitor.exe
    Filesize: 13.7MB
    MD5: 39953acd4fd32884e6cad0d1e4688051
    SHA1: 31579801f012118285f1fd48ccf63b07ebe1594a
    SHA256: 5773e581ce59418ee4c3f205d4fa16ad74718d16d1d8e4dd37332bb4ecb850bf
    SHA512: 3823ad17c90ef4454a774e59d9b5e37b11abf451d6485c4bf7f54cf04738d01a3b6020346fc7817cb48b32cfcefbce46667b3b185baf44c0ff00ecb4e027df35

  • memory/2484-52-0x00000000012C0000-0x000000000149A000-memory.dmp
    Filesize: 1.9MB
  • memory/2816-13-0x0000000000B00000-0x0000000000CDA000-memory.dmp
    Filesize: 1.9MB
  • memory/2816-21-0x00000000009D0000-0x00000000009DC000-memory.dmp
    Filesize: 48KB
  • memory/2816-19-0x0000000000A10000-0x0000000000A28000-memory.dmp
    Filesize: 96KB
  • memory/2816-17-0x00000000009F0000-0x0000000000A0C000-memory.dmp
    Filesize: 112KB
  • memory/2816-15-0x00000000009C0000-0x00000000009CE000-memory.dmp
    Filesize: 56KB