Overview

overview

10

Static

static

3

loader.exe

windows7-x64

10

loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader.exe

  • Size

    3.2MB

  • MD5

    2307ca04c2633d28345fb0580c77c2ec

  • SHA1

    edbd1f092ed03cb2674877aba6e874722ee07814

  • SHA256

    168637ea64d64afefd1f88b91ffecb74715ccb6a98acf73d4a16175511628276

  • SHA512

    c2646c5bf3dcd6ef4679af80ae6424c1f88e3f29a40beff729b59bebd8fd3d9b0d45392d2e11f4e1b69ada0f4ec20cfc45430d184cdf0238f2845b7deaff7e9b

  • SSDEEP

    98304:ups+iZyomWShz+6WumEq5GGxLnIlP2NgQKGfxx:ndZOhNWumEqxLIB21K6H

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
          "C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkxt1nw5\lkxt1nw5.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2036
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87D5.tmp" "c:\Windows\System32\CSC87F2B6767A83485D9ACF34B63989DFA9.TMP"
              6⤵
                PID:2904
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8AdAoXslDu.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:292
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:892
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:1812
                  • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\chainPorthostCommon.exe
                    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\chainPorthostCommon.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\chainPorthostCommon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\chainPorthostCommon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\chainPorthostCommon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2096
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2860
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:264
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2508
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\de-DE\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1012
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\de-DE\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\ServerWinRuntimeBroker\audiodg.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\ServerWinRuntimeBroker\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1688
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 10 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2364
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommon" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1136
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 13 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1240

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe
          Filesize

          223B

          MD5

          3569aec6289503482c7877ad3f205301

          SHA1

          cf016699d614c9f2e9a899c646cd24aca6b75fcf

          SHA256

          a2bb38c2d2eafac2d73af9247252de8cfac9a4f9522b4f66ad73d9a003fc7754

          SHA512

          d8df28cd229e31eb97a705d02aac38f836b5b05741bdb7c97f4a8d9d3eec183a3883e39b30c2141e9c8b650c98edfb51a8cb7fce1c87d67b15bd9dc52a1b1ef5

          Download Submit

        • C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat
          Filesize

          96B

          MD5

          ca78c31c7fad40ca729ce40659dd91fa

          SHA1

          b649a3669cffe53122ad50f62f769faa45b96a92

          SHA256

          88b4be83a053855858771fda50d7f6fe0cd5f5fd0cd33b3299c28aab5eb40e2b

          SHA512

          b606a335ac5f28030e60a00f99e519240bc3d47d7d88e84eb8de1f34ef19ae6df56f01f5f6d83fa215f445732596f0865d630675706626545b15e0c64b0a21ec

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\8AdAoXslDu.bat
          Filesize

          248B

          MD5

          ddda6f4f2ae9cd30a5992c6ae800cb74

          SHA1

          31c099f9d1199a83ed2f50320a47f80193346fbf

          SHA256

          f647c14cd997de779df5acc62b15606335bc74d22f004c7741f7cc6da5508beb

          SHA512

          3b27be3e64ff321d74d67937a6175f8f648d181a1da666459a1dc5344f26ccccc67d843cb637084b046dd0cd57cd6bd66dd70a2cf383d4e9f62b3c3f3fefac72

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES87D5.tmp
          Filesize

          1KB

          MD5

          b4982d031ad92f51c400f9501e68be2b

          SHA1

          bfcc4206e4ed0a26cd67d4615fb1197feb52565c

          SHA256

          63bc6e652e339f42b56a3643ffe2988a391cc5675a9a04bf7269176ea68277ae

          SHA512

          9eb0f77a96bb044ab3221a1c3630d5d9c82d6ba4ed5d2ce7483c6b8f36fcc1dc85add7c042816804de3e380779cc165b89638b3f7c57c7c8c06fbc5ecb1f6e74

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\lkxt1nw5\lkxt1nw5.0.cs
          Filesize

          404B

          MD5

          f524c7ca68db5a7b9dbb1c45afce852f

          SHA1

          d0b9363c89d986483efb2c80dc0676b24fe02ac6

          SHA256

          baa23275bf66521b27da7f912f6f8e1003a610e8730215f6e0e3a3a95cf22cb2

          SHA512

          57911fdb0360c8f484c6f255c812e216c187c60a8468dd6bae3015552366dae208be523b4e6586f3df2c2705f0babe37721557df8853d9673329f72c26cf07c2

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\lkxt1nw5\lkxt1nw5.cmdline
          Filesize

          235B

          MD5

          39520e769ba657c3abf8f3470249a472

          SHA1

          7c5c32abf913ac85011cada8df272091580f14ff

          SHA256

          e8fc5464bd5cce4c715626c396dd117d0052f7ffba23c4db34dd61ff7d638adb

          SHA512

          77f30425459ed618f430b0904e4967c993ec41db3c69f91b56827d197892f0c4bf25bae5d467c5bddcd54f16c88744ef67483e26d43f64ebe44e9de3c45816ca

          Download Submit

        • \??\c:\Windows\System32\CSC87F2B6767A83485D9ACF34B63989DFA9.TMP
          Filesize

          1KB

          MD5

          332eb1c3dc41d312a6495d9ea0a81166

          SHA1

          1d5c1b68be781b14620d9e98183506f8651f4afd

          SHA256

          bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

          SHA512

          2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

          Download Submit

        • \ServerWinRuntimeBroker\chainPorthostCommon.exe
          Filesize

          1.9MB

          MD5

          cf5b49706562ba2047cda4a451dd573a

          SHA1

          d7d66016b5ea4215581f208c7972b2ff49cbeed1

          SHA256

          74547e5b862bd3691947b78eabbdab88c468e26144bd03911be68941376dc89b

          SHA512

          0dc54fc8afe4a1b8ce0d72e215cf617dbc657f4e02cabe7be694b0d20be385f63848e49717bd4856547dbb52f8a762e54c63323b53188cc1d8127c54b6a10f1e

          Download Submit

        • memory/1404-57-0x0000000000FF0000-0x00000000011D6000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2636-0-0x0000000000340000-0x0000000000735000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2636-9-0x0000000000340000-0x0000000000735000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2696-22-0x0000000002160000-0x0000000002178000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2696-24-0x00000000008F0000-0x00000000008FE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2696-26-0x0000000000900000-0x000000000090C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2696-20-0x0000000000910000-0x000000000092C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2696-18-0x00000000008E0000-0x00000000008EE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2696-16-0x0000000000370000-0x0000000000556000-memory.dmp

          Filesize

          1.9MB

          Download