Overview

overview

10

Static

static

3

cbec218282...0f.exe

windows7-x64

10

cbec218282...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2025 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbec218282c963881c0a72a5915011a608ed49d9a5f68d804208e795163d610f.exe

  • Size

    2.1MB

  • MD5

    4e7a229e8b5fab1ee9eaf6be664f447a

  • SHA1

    51c62dba30525b80d9ff26944885c8440f42dafd

  • SHA256

    cbec218282c963881c0a72a5915011a608ed49d9a5f68d804208e795163d610f

  • SHA512

    9cddf8d97900d5caa0a12d867c143093d16876a65ba53efe00102acad22bc7c20fc277a20e48baf970281370141fcf7e4f5b7b6ca0db151e6184de8adeeb3956

  • SSDEEP

    24576:2TbBv5rUyXV64kCh/cVhLzQOn5aL5yRImcVIOnoEvwwK5q712DNDeFN1OlLUn3JQ:IBJ640h5+5PtVIOoS4k7cNDENO1

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbec218282c963881c0a72a5915011a608ed49d9a5f68d804208e795163d610f.exe
    "C:\Users\Admin\AppData\Local\Temp\cbec218282c963881c0a72a5915011a608ed49d9a5f68d804208e795163d610f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webMonitorCommon\pkk.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\webMonitorCommon\de0gQ0DUy6.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\webMonitorCommon\hyperInto.exe
          "C:\webMonitorCommon/hyperInto.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sl4fqcvo\sl4fqcvo.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2628
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1516.tmp" "c:\Windows\System32\CSCD8024960CE9740B3978B56FE3B1094D7.TMP"
              6⤵
                PID:2448
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXi5k4FfDp.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1152
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2508
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:1980
                  • C:\webMonitorCommon\hyperInto.exe
                    "C:\webMonitorCommon\hyperInto.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1472
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1668
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2500
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 7 /tr "'C:\webMonitorCommon\hyperInto.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2148
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hyperInto" /sc ONLOGON /tr "'C:\webMonitorCommon\hyperInto.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 11 /tr "'C:\webMonitorCommon\hyperInto.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2736

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES1516.tmp
          Filesize

          1KB

          MD5

          31c82fdfe04be72b884cffae2a742dff

          SHA1

          4f28c8471435e2954465446cd0e42fc88b2b47bb

          SHA256

          1cf935a2f8ca517171897923011d7fee9680cb3d90336d33952957e596e2431b

          SHA512

          95d2bf03c00585519a2a7f5bbf23212c64b87100b4bc8bf81ef1bd26baac9b907dd157dd0c55c50702f0cf47f491ff1e12457545d3d2fa891689e11f604c255c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\yXi5k4FfDp.bat
          Filesize

          209B

          MD5

          725d3a16acf82898f95d817cea88356c

          SHA1

          793339e00039f8c3291a31a70ecd8b268529f481

          SHA256

          88187a5a369e781cfce57bf2a70ad15c3c075ac422e4b359ac805d84ace9a8ad

          SHA512

          bf4fd525b6d7424d90469e68699afbb00de565ea5b9ec4e630f2bd4f7afec8f98d4a2afd792268d92335004022219808113a1459405d6101b3b44b05a1706646

          Download Submit

        • C:\webMonitorCommon\de0gQ0DUy6.bat
          Filesize

          82B

          MD5

          f7b437095bba4858238b85c7d164209f

          SHA1

          5e61a822e2823cb5cc2609bac81ca2906013ee20

          SHA256

          daa12b4ba1fce300ba75a73be8ff5513de54f97fbe1e7f53d03ab06dda6d6ea6

          SHA512

          3e75b539be15ace30000bc69f913881a33d57014db6988f8bce1b343b088283601489ab17cf294398c9878659ae8c1db6ba89a2b97c49858d6c78d91e09f2ee0

          Download Submit

        • C:\webMonitorCommon\hyperInto.exe
          Filesize

          1.8MB

          MD5

          55fcd12e8a0321e66cd88902517ab1af

          SHA1

          b0526714e0f060fa54e2f6f515d30fd0271439bf

          SHA256

          f0dee784d53a740c47f0c7061fd54513449557eecee8e19d07323dd0d63f9c51

          SHA512

          b7aaac28a8f0d5c60f0e03d0d19688daf69706f39ce7ef09c6f208f6e8f02e792e312d55982b758e190d659000efe0fbfa57d1eff3586f74fe84ea01644f4e76

          Download Submit

        • C:\webMonitorCommon\pkk.vbe
          Filesize

          204B

          MD5

          14094bef3d34dbe414847095b5463c0a

          SHA1

          353a6926a2cd38cca235f0fc42b9620ff260654b

          SHA256

          ab22dd7a10836a1342e09ee03f9f7e12bb6d2938267a323fcd6c9739b1e3c6aa

          SHA512

          2f6afa73ffbd7510bea17630327dcb5f87717f328996a134a3b5aa88e5af2b865765a054abea557f8956bb6bdbcf6f83534b50e32776509da4d2a44c0dc44cf2

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\sl4fqcvo\sl4fqcvo.0.cs
          Filesize

          356B

          MD5

          5a9842ffa88b03c042daa2883852af61

          SHA1

          6f8a3a468394bf784c0c141cb6497260e3c05b1f

          SHA256

          6b37e0932ebfb426df97352ae6ae82effb5855309f706e2a1355c1aff4fb12a1

          SHA512

          64b31871ac959497125a63f42abb89f5f90b78494392525bf7a4a31f262341157eab7557354134034d5c4dc1d3c2fe6260d60840004f81b277fce4e220956c21

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\sl4fqcvo\sl4fqcvo.cmdline
          Filesize

          235B

          MD5

          22abb4b574d731920b1f3b108c2c436f

          SHA1

          4ce78a31fbadcead5d82b034b0c57628f85c00e3

          SHA256

          e9b934b0f5b3fdd60636789f7742af60bece590e67ab93fb9c581d495d4f26e9

          SHA512

          ffd66bd76fe3e391803e9d39212f2a753b2a230e0573beedac3c668e397978a4b3b7bd44827a2840766f83db5fbf6a27d23df4f33e82e015e4a57679efb09775

          Download Submit

        • \??\c:\Windows\System32\CSCD8024960CE9740B3978B56FE3B1094D7.TMP
          Filesize

          1KB

          MD5

          028d4cd290ab6fe13d6fecce144a32cc

          SHA1

          e1d9531cb2e6bc9cab285b1f19e5d627257a3394

          SHA256

          3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

          SHA512

          2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

          Download Submit

        • memory/1620-51-0x0000000000D20000-0x0000000000EFA000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2996-13-0x0000000000B40000-0x0000000000D1A000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2996-19-0x0000000000900000-0x0000000000918000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2996-21-0x00000000004A0000-0x00000000004AC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2996-17-0x00000000006D0000-0x00000000006EC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2996-15-0x0000000000490000-0x000000000049E000-memory.dmp

          Filesize

          56KB

          Download