Overview

overview

10

Static

static

3

Nixware.exe

windows7-x64

10

Nixware.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23/01/2025, 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nixware.exe

  • Size

    2.7MB

  • MD5

    d07543cb1bc6f660adcb7107ab33f270

  • SHA1

    8421ed19516a2152e4a53d694179107f3ef585c0

  • SHA256

    be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4

  • SHA512

    03b6e377af1022d298aeac70c779b621cb5c0e636874e7739fa7ad30b1d64a08a16429719f89dcd0122f8b7309b20708672f8da32577e0265c3c8b34bae2add0

  • SSDEEP

    49152:GB7nRsoz7nIZgHltNj/VImvhIudDXtNHUxQ:Y7nq27nIENjqihIerHUxQ

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nixware.exe
    "C:\Users\Admin\AppData\Local\Temp\Nixware.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\surrogatesession\9Jg3KVOjcV42zUZPCuIVZgehfMBu6YbdOPQ48qfJn162TYBQ.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\surrogatesession\SnwsOZ2aiJutXMyXmD.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\surrogatesession\BlockPortdriverCommon.exe
          "C:\surrogatesession/BlockPortdriverCommon.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2432
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zpmf1zpj\zpmf1zpj.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6F0.tmp" "c:\Windows\System32\CSCF437359A81BF4973BEB995EC402D7D1F.TMP"
              6⤵
                PID:2840
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LpuYxq6Ltx.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:876
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1036
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2604
                • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe
                  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1580
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\surrogatesession\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\surrogatesession\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\surrogatesession\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\BlockPortdriverCommon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\BlockPortdriverCommon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\BlockPortdriverCommon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2412
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 14 /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommon" /sc ONLOGON /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 9 /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2008

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\LpuYxq6Ltx.bat
        Filesize

        201B

        MD5

        77d8b46b5618a8b69f7d26402587cb66

        SHA1

        285cb62ebcd0e2057dc9da32151e47a1695bb032

        SHA256

        2d8f051e366d4363f18b716dec8186763b2482141d5e0343d3a40a00e6756e0f

        SHA512

        e76483ed1634d3a95d99ec29aefdc76c37833264d6faf11e12e9af29a76f1245f6ce203b86d7dfc4cd209d326a2ebe022904ba79f3af3df955065cc59f07f296

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESB6F0.tmp
        Filesize

        1KB

        MD5

        8964d4a5e4fdc9b11fdfeeda0ff5dac7

        SHA1

        0f0ef52c0d70fdfc925d260841dfe1b281e98ef1

        SHA256

        df173699e32c5e560b266b46d2c10b35acc2252cbda5798cd72714f42692db0f

        SHA512

        db363ded8ec25710aef9949b7bd66c7eab3926f393dfe56e44bb896ee95c61f26e492f9738ca8c84234ed3e2a450e1abf18bca4c89413a8482d19497672786c8

        Download Submit

      • C:\surrogatesession\9Jg3KVOjcV42zUZPCuIVZgehfMBu6YbdOPQ48qfJn162TYBQ.vbe
        Filesize

        213B

        MD5

        f8702ecc9e0f72ccee89fdef7a40b971

        SHA1

        a495334be7d04fd4d3d4ceba0b1b846a0ad76d78

        SHA256

        eea23b38c07a415c44a958410d435a4266ebdf7b7cdbb57c2f011b094df99cd5

        SHA512

        68c8b4ebc2c57f0716b6c62d2596686f50a1a02b58a8090dcffec1615125b05ad76e9650be78e094b9df29f4ca3ac91d4ca7718abe4502266ecca8b44c872ee4

        Download Submit

      • C:\surrogatesession\BlockPortdriverCommon.exe
        Filesize

        2.0MB

        MD5

        77905da28eb0ae1c97f92d614f341411

        SHA1

        aa7a9229ede890bc8efd667aa4ac488517260f32

        SHA256

        3c53924669c7c88687d862775af6f78fb2c656d93577f8c96358918e984d8a42

        SHA512

        66b36b0bc4f38d069ab02adb7d0d2a030ea2268bc826c24533193bc3477c703d941bad86433cfd04af27af6854ee60f17eb1dd84440ebab9494b1d5b0d8ba904

        Download Submit

      • C:\surrogatesession\SnwsOZ2aiJutXMyXmD.bat
        Filesize

        105B

        MD5

        c4ede3cc43ab27c5ac840dfd8cd98632

        SHA1

        61b6df44c8563c5d400c50bbedd91ee9d8c4b28c

        SHA256

        64eab9ebe09f70865dbb3f35b7e5b76d3ac1c6246bfe7d08569d218a6d0bcfcb

        SHA512

        715182ee0e5a1a38be29484d6b241a80360dd6afcf9991330d5b278c8bb7ea371d89cd7edf4d943dcc405ce85ff276ea882b219eb1f50526307c02ce1f354ade

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\zpmf1zpj\zpmf1zpj.0.cs
        Filesize

        364B

        MD5

        112e61fafdc9351bddee86b2cbea89e1

        SHA1

        54e3b0d3df1f34a1737cf037a2afdd635b3b45d0

        SHA256

        d7e3d85ef89aab031cc31eb2ea5db7645637b38389a61fd2f0c6f4037a06495c

        SHA512

        12aa1cec92f64495adef35e2ea03daa0d07b4dafe0541447889c5abbecb5725a5144bdfb6749cb1cfa887faa5f848e28a7ac25c2068cb4463ac63e2ded68af19

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\zpmf1zpj\zpmf1zpj.cmdline
        Filesize

        235B

        MD5

        072f7f0249877df60f1554a0e57c4f37

        SHA1

        f2e45540ff4c370f5c2b1a0428ee5cdda760072b

        SHA256

        2d50f9fb5338a5990291b7caec299672f6e0ee360271758b682e8e1cc3d12cb9

        SHA512

        4501582e2e6b31f0914da2ddb3c00443128447bdb05f46748922392b6eea6a2fd7401e9d42b0354dd56dca69e078ce011e3b9743610b1a6dd971666f733a476f

        Download Submit

      • \??\c:\Windows\System32\CSCF437359A81BF4973BEB995EC402D7D1F.TMP
        Filesize

        1KB

        MD5

        60a1ebb8f840aad127346a607d80fc19

        SHA1

        c8b7e9ad601ac19ab90b3e36f811960e8badf354

        SHA256

        9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

        SHA512

        44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

        Download Submit

      • memory/1580-98-0x000000001B2F0000-0x000000001B34A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1580-64-0x0000000000CD0000-0x0000000000EE2000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2432-17-0x00000000004D0000-0x00000000004EC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2432-29-0x00000000004F0000-0x00000000004FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2432-31-0x00000000006A0000-0x00000000006A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2432-33-0x00000000006B0000-0x00000000006BC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2432-27-0x00000000006C0000-0x00000000006D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2432-25-0x00000000004C0000-0x00000000004CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2432-23-0x00000000004B0000-0x00000000004BC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2432-21-0x0000000000490000-0x000000000049E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2432-19-0x0000000000680000-0x0000000000698000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2432-15-0x0000000000480000-0x000000000048E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2432-13-0x00000000010C0000-0x00000000012D2000-memory.dmp

        Filesize

        2.1MB

        Download