Overview

overview

10

Static

static

3

Nixware.exe

windows7-x64

10

Nixware.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2025 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nixware.exe

  • Size

    2.7MB

  • MD5

    d07543cb1bc6f660adcb7107ab33f270

  • SHA1

    8421ed19516a2152e4a53d694179107f3ef585c0

  • SHA256

    be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4

  • SHA512

    03b6e377af1022d298aeac70c779b621cb5c0e636874e7739fa7ad30b1d64a08a16429719f89dcd0122f8b7309b20708672f8da32577e0265c3c8b34bae2add0

  • SSDEEP

    49152:GB7nRsoz7nIZgHltNj/VImvhIudDXtNHUxQ:Y7nq27nIENjqihIerHUxQ

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nixware.exe
    "C:\Users\Admin\AppData\Local\Temp\Nixware.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\surrogatesession\9Jg3KVOjcV42zUZPCuIVZgehfMBu6YbdOPQ48qfJn162TYBQ.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\surrogatesession\SnwsOZ2aiJutXMyXmD.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\surrogatesession\BlockPortdriverCommon.exe
          "C:\surrogatesession/BlockPortdriverCommon.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1n3mqryc\1n3mqryc.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCF5.tmp" "c:\Windows\System32\CSCDA4DABB53F4597A421BDF8A6CD2ED6.TMP"
              6⤵
                PID:3060
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDgyIfmXP1.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:944
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2552
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2528
                • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
                  "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1504
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3068
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 9 /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1688
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommon" /sc ONLOGON /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 7 /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2128

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESFCF5.tmp
        Filesize

        1KB

        MD5

        88c20d087abe775431548cf8486489d1

        SHA1

        974907f586a8a471ae55062982b23f58b0eebc63

        SHA256

        b2ae96ac33b04c5e505b5f42e2421a1e1e5214fdf8b285de7f2b94675ade4198

        SHA512

        c3ef2ecd9a3e7bb948e87241017bd634ac8a0a8d95640fd32e370af3a917595723b2f9095c563f9068f52e5809917970e85e71d0fe6a3417b188e4cbf4c9c82e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XDgyIfmXP1.bat
        Filesize

        202B

        MD5

        7e1de011b39164580d749d458719f061

        SHA1

        953bd36f0133446bf5a107fe188d200bb7e4c5f6

        SHA256

        a712d575a129e1d172834bfe729b55163552f33c9058af75bd6b2afc7de91dbe

        SHA512

        cc0c17aff956ef3a9527cc83cff40a2926f86ef954753cccd4f856f28d114ef5e519fbd5468b572359718710a915dfdb36871167cb9a02849a98462b27b5de9f

        Download Submit

      • C:\surrogatesession\9Jg3KVOjcV42zUZPCuIVZgehfMBu6YbdOPQ48qfJn162TYBQ.vbe
        Filesize

        213B

        MD5

        f8702ecc9e0f72ccee89fdef7a40b971

        SHA1

        a495334be7d04fd4d3d4ceba0b1b846a0ad76d78

        SHA256

        eea23b38c07a415c44a958410d435a4266ebdf7b7cdbb57c2f011b094df99cd5

        SHA512

        68c8b4ebc2c57f0716b6c62d2596686f50a1a02b58a8090dcffec1615125b05ad76e9650be78e094b9df29f4ca3ac91d4ca7718abe4502266ecca8b44c872ee4

        Download Submit

      • C:\surrogatesession\BlockPortdriverCommon.exe
        Filesize

        2.0MB

        MD5

        77905da28eb0ae1c97f92d614f341411

        SHA1

        aa7a9229ede890bc8efd667aa4ac488517260f32

        SHA256

        3c53924669c7c88687d862775af6f78fb2c656d93577f8c96358918e984d8a42

        SHA512

        66b36b0bc4f38d069ab02adb7d0d2a030ea2268bc826c24533193bc3477c703d941bad86433cfd04af27af6854ee60f17eb1dd84440ebab9494b1d5b0d8ba904

        Download Submit

      • C:\surrogatesession\SnwsOZ2aiJutXMyXmD.bat
        Filesize

        105B

        MD5

        c4ede3cc43ab27c5ac840dfd8cd98632

        SHA1

        61b6df44c8563c5d400c50bbedd91ee9d8c4b28c

        SHA256

        64eab9ebe09f70865dbb3f35b7e5b76d3ac1c6246bfe7d08569d218a6d0bcfcb

        SHA512

        715182ee0e5a1a38be29484d6b241a80360dd6afcf9991330d5b278c8bb7ea371d89cd7edf4d943dcc405ce85ff276ea882b219eb1f50526307c02ce1f354ade

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\1n3mqryc\1n3mqryc.0.cs
        Filesize

        392B

        MD5

        ceaed59eeac03431d20f0bd67f32750f

        SHA1

        8c2373b565b78939c1569eabe64e672c2faf11d7

        SHA256

        a4e534d4f3680e35a8c7e413a02b89667c5dfab35744ccf850a23e6651da24c8

        SHA512

        8e3df332687424479dfe9da25c409dbcf9258678af6cc1d0c8768c236ee1663c23ef41b26ead34b5ec3a1f833fe66fba251948af3f945eecaf557ead47583fe7

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\1n3mqryc\1n3mqryc.cmdline
        Filesize

        235B

        MD5

        bba811559cbc1827b553554c2aa478a1

        SHA1

        56314f2feca3957e72c231421c19e008f18234b5

        SHA256

        4640ac7aa2e7f21ecf7e795744789f5677fd6f0e0e60e151c1492f7dc4e79cbc

        SHA512

        ae12b76c46ef7f4883e0a48e7e1e2db479554631d600a19073881b8b7a29ba0f55dd4f2e3356ff2e5d003d6916806ee31894571878d3933a37abf82a13f98b3d

        Download Submit

      • \??\c:\Windows\System32\CSCDA4DABB53F4597A421BDF8A6CD2ED6.TMP
        Filesize

        1KB

        MD5

        70046c6c63d509bb29450ef32b59dda3

        SHA1

        26802b73997ee22a7cd3d07ae77016969603cf00

        SHA256

        dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

        SHA512

        d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

        Download Submit

      • memory/896-64-0x00000000001D0000-0x00000000003E2000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2936-17-0x0000000000880000-0x000000000089C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2936-27-0x0000000002190000-0x00000000021A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2936-29-0x00000000008A0000-0x00000000008AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2936-31-0x0000000002170000-0x0000000002178000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2936-33-0x0000000002180000-0x000000000218C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2936-25-0x0000000000660000-0x000000000066E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2936-23-0x0000000000650000-0x000000000065C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2936-21-0x0000000000640000-0x000000000064E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2936-19-0x0000000002150000-0x0000000002168000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2936-15-0x00000000005B0000-0x00000000005BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2936-13-0x0000000000360000-0x0000000000572000-memory.dmp

        Filesize

        2.1MB

        Download