Analysis
-
max time kernel
95s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-01-2025 15:10
General
-
Target
Nixware.exe
-
Size
2.7MB
-
MD5
d07543cb1bc6f660adcb7107ab33f270
-
SHA1
8421ed19516a2152e4a53d694179107f3ef585c0
-
SHA256
be08dac8fc827b41b19be240140f13e19a802e6c6108105cc303a873c57a20c4
-
SHA512
03b6e377af1022d298aeac70c779b621cb5c0e636874e7739fa7ad30b1d64a08a16429719f89dcd0122f8b7309b20708672f8da32577e0265c3c8b34bae2add0
-
SSDEEP
49152:GB7nRsoz7nIZgHltNj/VImvhIudDXtNHUxQ:Y7nq27nIENjqihIerHUxQ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nixware.exe"C:\Users\Admin\AppData\Local\Temp\Nixware.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\surrogatesession\9Jg3KVOjcV42zUZPCuIVZgehfMBu6YbdOPQ48qfJn162TYBQ.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\surrogatesession\SnwsOZ2aiJutXMyXmD.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\surrogatesession\BlockPortdriverCommon.exe"C:\surrogatesession/BlockPortdriverCommon.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15rn1l1q\15rn1l1q.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDAC.tmp" "c:\Windows\System32\CSC1ECD5601EFB74A8A909E87A0CB46D86.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHLtc5cVMY.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe"C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 7 /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockPortdriverCommon" /sc ONLOGON /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BlockPortdriverCommonB" /sc MINUTE /mo 11 /tr "'C:\surrogatesession\BlockPortdriverCommon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
173B
MD5744d3494d9b25d0506511675faeb3b0c
SHA15c6de7f59bc8964be079e0d40114e86e40e0d8f0
SHA256c6910c6389d16a00ff37bed351dd95f14249f26e67fd3cc6c17f48045a8ca0ba
SHA512c9d6da90bf73fb5fa00a1ceadc1fbb24d9f181b18c0b4701ba9c5527f2ed62ed2e28f4c3facbd067f04276dba74b2b07791f4f537b116d3c6895fbf7c36bf5ed
-
Filesize
1KB
MD583cc4fc01d3f6f13ca0993f59eac9cef
SHA1b000fa18c4275c821e8ada3291b28eec6007cd9a
SHA2565eba6cd86f1c206c04677870eb4603251a77c6883d8e57fe37a834e9e0495037
SHA5123d03dccc153db849ba5e9cb2059cc66df495e2da966fbd59cedfc57d24cef798d5391372c15132101d6a5d88036bc4aecfba1350bf20b0b49decb7af3e356099
-
Filesize
213B
MD5f8702ecc9e0f72ccee89fdef7a40b971
SHA1a495334be7d04fd4d3d4ceba0b1b846a0ad76d78
SHA256eea23b38c07a415c44a958410d435a4266ebdf7b7cdbb57c2f011b094df99cd5
SHA51268c8b4ebc2c57f0716b6c62d2596686f50a1a02b58a8090dcffec1615125b05ad76e9650be78e094b9df29f4ca3ac91d4ca7718abe4502266ecca8b44c872ee4
-
Filesize
2.0MB
MD577905da28eb0ae1c97f92d614f341411
SHA1aa7a9229ede890bc8efd667aa4ac488517260f32
SHA2563c53924669c7c88687d862775af6f78fb2c656d93577f8c96358918e984d8a42
SHA51266b36b0bc4f38d069ab02adb7d0d2a030ea2268bc826c24533193bc3477c703d941bad86433cfd04af27af6854ee60f17eb1dd84440ebab9494b1d5b0d8ba904
-
Filesize
105B
MD5c4ede3cc43ab27c5ac840dfd8cd98632
SHA161b6df44c8563c5d400c50bbedd91ee9d8c4b28c
SHA25664eab9ebe09f70865dbb3f35b7e5b76d3ac1c6246bfe7d08569d218a6d0bcfcb
SHA512715182ee0e5a1a38be29484d6b241a80360dd6afcf9991330d5b278c8bb7ea371d89cd7edf4d943dcc405ce85ff276ea882b219eb1f50526307c02ce1f354ade
-
Filesize
377B
MD57ce71cda102ee0b2efd0463754110e84
SHA1501c7a7a84858cc1d56412a13fcb900a549e9da0
SHA25679642ca2537f3aa4bb068792f5dfcd5854ecd43c2d7080bbf33ac12bb1eefe04
SHA512f9939d35157efcc6fb6f6c2487c144f189eccd2bfc228b81ab13f371b3034e7c9b832702e074e62b5174d1d43ce5df09da7da3214e8570b654ba5a90a6d15873
-
Filesize
235B
MD5fc9e052d195b8ec94e9a1786378ea846
SHA138676dd4a6c1352f283dd2a87e5be5c947288060
SHA25648e7e4810174c9aca901dc9cb93e08bd9d2b11e3a025b7fcedc658d5ca558923
SHA512b513e29d05d4a5eaf79236f66382eab176e80d81cf3dcb20a104e2efa6cf56c8e49d22fc602e0f346b3c6454a0fcfb6169ab2f9ba8132a953b2d0d0dee96807a
-
Filesize
1KB
MD5be99f41194f5159cc131a1a4353a0e0a
SHA1f24e3bf06e777b4de8d072166cff693e43f2295c
SHA256564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf
SHA51251d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
2.1MB
-
Filesize
644KB
-
Filesize
8KB