Overview

overview

10

Static

static

3

loader.exe

windows7-x64

10

loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader.exe

  • Size

    3.2MB

  • MD5

    2307ca04c2633d28345fb0580c77c2ec

  • SHA1

    edbd1f092ed03cb2674877aba6e874722ee07814

  • SHA256

    168637ea64d64afefd1f88b91ffecb74715ccb6a98acf73d4a16175511628276

  • SHA512

    c2646c5bf3dcd6ef4679af80ae6424c1f88e3f29a40beff729b59bebd8fd3d9b0d45392d2e11f4e1b69ada0f4ec20cfc45430d184cdf0238f2845b7deaff7e9b

  • SSDEEP

    98304:ups+iZyomWShz+6WumEq5GGxLnIlP2NgQKGfxx:ndZOhNWumEqxLIB21K6H

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
          "C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vzbbuiuc\vzbbuiuc.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3388
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA930.tmp" "c:\Windows\System32\CSCC566B8DD127C43DFB973FCCA148C5.TMP"
              6⤵
                PID:3520
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dPWF812cZU.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1532
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4604
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:696
                  • C:\Program Files\MSBuild\Microsoft\dllhost.exe
                    "C:\Program Files\MSBuild\Microsoft\dllhost.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1548
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2856
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2588
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3456
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4668
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3248
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\ServerWinRuntimeBroker\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\ServerWinRuntimeBroker\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 10 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommon" /sc ONLOGON /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "chainPorthostCommonc" /sc MINUTE /mo 6 /tr "'C:\ServerWinRuntimeBroker\chainPorthostCommon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1020

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe
          Filesize

          223B

          MD5

          3569aec6289503482c7877ad3f205301

          SHA1

          cf016699d614c9f2e9a899c646cd24aca6b75fcf

          SHA256

          a2bb38c2d2eafac2d73af9247252de8cfac9a4f9522b4f66ad73d9a003fc7754

          SHA512

          d8df28cd229e31eb97a705d02aac38f836b5b05741bdb7c97f4a8d9d3eec183a3883e39b30c2141e9c8b650c98edfb51a8cb7fce1c87d67b15bd9dc52a1b1ef5

          Download Submit

        • C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
          Filesize

          1.9MB

          MD5

          cf5b49706562ba2047cda4a451dd573a

          SHA1

          d7d66016b5ea4215581f208c7972b2ff49cbeed1

          SHA256

          74547e5b862bd3691947b78eabbdab88c468e26144bd03911be68941376dc89b

          SHA512

          0dc54fc8afe4a1b8ce0d72e215cf617dbc657f4e02cabe7be694b0d20be385f63848e49717bd4856547dbb52f8a762e54c63323b53188cc1d8127c54b6a10f1e

          Download Submit

        • C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat
          Filesize

          96B

          MD5

          ca78c31c7fad40ca729ce40659dd91fa

          SHA1

          b649a3669cffe53122ad50f62f769faa45b96a92

          SHA256

          88b4be83a053855858771fda50d7f6fe0cd5f5fd0cd33b3299c28aab5eb40e2b

          SHA512

          b606a335ac5f28030e60a00f99e519240bc3d47d7d88e84eb8de1f34ef19ae6df56f01f5f6d83fa215f445732596f0865d630675706626545b15e0c64b0a21ec

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESA930.tmp
          Filesize

          1KB

          MD5

          7d4c54d3fddf72bf3b4d830eb3f1d53d

          SHA1

          2c9e0f269d74c96780044ac967513dd56151560a

          SHA256

          f3042fe58f16868594464ec035ebd0273a42a3beaf5edc45c95764431b71870a

          SHA512

          0db248e2a44b52359010cf09ed4b8b21d5cb1b977836875bd6c08df6bbae51462f7546637a31a406e3809be03af6a039c46a0ee80a80366fa3e4fd6a122b4137

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dPWF812cZU.bat
          Filesize

          222B

          MD5

          1def94b013f1ee6864951f01158974d4

          SHA1

          0f10d41d5af395a63c6e0edfd55e42d5a29f9c4e

          SHA256

          4464d9b8f3dce3f6abac61aeba990a364894ba69527978a46b23eaa1098c95bf

          SHA512

          a295f76f690316b8e8b327c12a3964115f4324ad4f156d8e7c872bb081f0e61f5d739162a3d0286a814e3688795d291b2d5107af43be3c71db09e615f18b428a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\vzbbuiuc\vzbbuiuc.0.cs
          Filesize

          371B

          MD5

          c185a2db5cd9a548d1391b77c0f2fb0f

          SHA1

          f81f8ea35372f3d6a59036cc9109c8fcea22007a

          SHA256

          b6643204602ad59d30e2a644c335134605862c27beac0dcc83ddc50f31822375

          SHA512

          fc0d4ad618042f9e6c4a4731e426451f34d961e2aafb106c6da9b1fdc188538d3521b000df3cca8b384036e8d84ee693705ee3348f56be2dec6c32401b21f160

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\vzbbuiuc\vzbbuiuc.cmdline
          Filesize

          235B

          MD5

          741954db97f5fabfd2bb190474683607

          SHA1

          12371a0f1c992c5731affcaecad6b6a284da9450

          SHA256

          bc41984d46d699e10b0027687d14531bc7677a5e9c4e8a761333dd3a7acf2b1e

          SHA512

          55996dd3db715dd98e3813eab6ae9708a75edf9cd3850168f4b35127bfa6dc5f6ade6bbd968f41e9d742ce0669730e5dcb7e9db0369d3dbfeb89eef7bab279cd

          Download Submit

        • \??\c:\Windows\System32\CSCC566B8DD127C43DFB973FCCA148C5.TMP
          Filesize

          1KB

          MD5

          5984679060d0fc54eba47cead995f65a

          SHA1

          f72bbbba060ac80ac6abedc7b8679e8963f63ebf

          SHA256

          4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

          SHA512

          bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

          Download Submit

        • memory/1312-10-0x0000000000EA0000-0x0000000001295000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1312-0-0x0000000000EA0000-0x0000000001295000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/5012-20-0x000000001B610000-0x000000001B62C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/5012-25-0x0000000002960000-0x000000000296E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/5012-27-0x000000001B180000-0x000000001B18C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/5012-23-0x000000001B630000-0x000000001B648000-memory.dmp

          Filesize

          96KB

          Download

        • memory/5012-21-0x000000001B680000-0x000000001B6D0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/5012-18-0x0000000002950000-0x000000000295E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/5012-16-0x00000000004B0000-0x0000000000696000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/5012-15-0x00007FFA49183000-0x00007FFA49185000-memory.dmp

          Filesize

          8KB

          Download