Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-01-2025 08:25

General

  • Target

    cbec218282c963881c0a72a5915011a608ed49d9a5f68d804208e795163d610f.exe

  • Size

    2.1MB

  • MD5

    4e7a229e8b5fab1ee9eaf6be664f447a

  • SHA1

    51c62dba30525b80d9ff26944885c8440f42dafd

  • SHA256

    cbec218282c963881c0a72a5915011a608ed49d9a5f68d804208e795163d610f

  • SHA512

    9cddf8d97900d5caa0a12d867c143093d16876a65ba53efe00102acad22bc7c20fc277a20e48baf970281370141fcf7e4f5b7b6ca0db151e6184de8adeeb3956

  • SSDEEP

    24576:2TbBv5rUyXV64kCh/cVhLzQOn5aL5yRImcVIOnoEvwwK5q712DNDeFN1OlLUn3JQ:IBJ640h5+5PtVIOoS4k7cNDENO1

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 and capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbec218282c963881c0a72a5915011a608ed49d9a5f68d804208e795163d610f.exe
    "C:\Users\Admin\AppData\Local\Temp\cbec218282c963881c0a72a5915011a608ed49d9a5f68d804208e795163d610f.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webMonitorCommon\pkk.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\webMonitorCommon\de0gQ0DUy6.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\webMonitorCommon\hyperInto.exe
          "C:\webMonitorCommon/hyperInto.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3440
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgpa04fc\xgpa04fc.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3964
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC256.tmp" "c:\Windows\System32\CSCC90997B0522448BF8AB476DFA17CAA9C.TMP"
              6⤵
                PID:2684
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8eDHE8XUE4.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4612
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4900
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2212
                • C:\webMonitorCommon\dwm.exe
                  "C:\webMonitorCommon\dwm.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\security\database\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\security\database\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\security\database\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4412
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\webMonitorCommon\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\webMonitorCommon\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\webMonitorCommon\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 12 /tr "'C:\webMonitorCommon\hyperInto.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperInto" /sc ONLOGON /tr "'C:\webMonitorCommon\hyperInto.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 6 /tr "'C:\webMonitorCommon\hyperInto.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4036

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\8eDHE8XUE4.bat

        Filesize

        155B

        MD5

        7eaa906dd8ebc184cce53b63d03d8e8c

        SHA1

        67612143f7164bfe2f235e554019477274c92d34

        SHA256

        c78e2cd4c3920e3250520cae154a2d48fdef414acdf7be699ec237f1cd3670b9

        SHA512

        b308413a01a1fc4309ab716032bceba5e56bf68a8aefd7da9ba05abbafac20eafeba8f8acaf44ea85dcf77a78cf0d50906e6650098957ee1c4623aaecd77b22c

      • C:\Users\Admin\AppData\Local\Temp\RESC256.tmp

        Filesize

        1KB

        MD5

        471b3fdb79bd02b226897146b2c88e0e

        SHA1

        fde2303d96124bbd7cd4f23e76b585475365562b

        SHA256

        c76b532e50175d80e8a19f21f0493fe6f909cf46db26169c6edd0a06f91c5f45

        SHA512

        344721c7e0b8e2d9dfde70bb5415b4bc4c97989f85d83485a9b02b4c35ee6a62ce13e1fba64c677d7038f595b43ddf5e3bc1bf1ee225a317b31c3dc392722f90

      • C:\webMonitorCommon\de0gQ0DUy6.bat

        Filesize

        82B

        MD5

        f7b437095bba4858238b85c7d164209f

        SHA1

        5e61a822e2823cb5cc2609bac81ca2906013ee20

        SHA256

        daa12b4ba1fce300ba75a73be8ff5513de54f97fbe1e7f53d03ab06dda6d6ea6

        SHA512

        3e75b539be15ace30000bc69f913881a33d57014db6988f8bce1b343b088283601489ab17cf294398c9878659ae8c1db6ba89a2b97c49858d6c78d91e09f2ee0

      • C:\webMonitorCommon\hyperInto.exe

        Filesize

        1.8MB

        MD5

        55fcd12e8a0321e66cd88902517ab1af

        SHA1

        b0526714e0f060fa54e2f6f515d30fd0271439bf

        SHA256

        f0dee784d53a740c47f0c7061fd54513449557eecee8e19d07323dd0d63f9c51

        SHA512

        b7aaac28a8f0d5c60f0e03d0d19688daf69706f39ce7ef09c6f208f6e8f02e792e312d55982b758e190d659000efe0fbfa57d1eff3586f74fe84ea01644f4e76

      • C:\webMonitorCommon\pkk.vbe

        Filesize

        204B

        MD5

        14094bef3d34dbe414847095b5463c0a

        SHA1

        353a6926a2cd38cca235f0fc42b9620ff260654b

        SHA256

        ab22dd7a10836a1342e09ee03f9f7e12bb6d2938267a323fcd6c9739b1e3c6aa

        SHA512

        2f6afa73ffbd7510bea17630327dcb5f87717f328996a134a3b5aa88e5af2b865765a054abea557f8956bb6bdbcf6f83534b50e32776509da4d2a44c0dc44cf2

      • \??\c:\Users\Admin\AppData\Local\Temp\xgpa04fc\xgpa04fc.0.cs

        Filesize

        391B

        MD5

        f7d218118831ff2dcb83934767060607

        SHA1

        bc7fad43f9ff8f7bb1806a3dbe91433b343d2aec

        SHA256

        eaedcd99c34e19f291413725005adb22127849e9e50b505a587470d931365cae

        SHA512

        1c5e1d64f2bf1012807fc2dbff62162c48e11f2762b87250cd7b1701f0581ed36be3e1b2afaf62badf9365e8b79c7b9169f3a41f50782d7e18b8f869c3c07f0f

      • \??\c:\Users\Admin\AppData\Local\Temp\xgpa04fc\xgpa04fc.cmdline

        Filesize

        235B

        MD5

        933a08d98311a15ecb65535bcc812079

        SHA1

        556a559dfd549b2cbcc458aed13b4f4a09e735b1

        SHA256

        8e64dede00f538b219c17a926e201fbfbe8f8577ac9b4332bf42488119a8bacc

        SHA512

        375b81b442c660540b613ab1e0fb453df8fe4dbc326acfe891288260f7723701612e84c6cca104d6e7567b3d6d50db2edd813621324d52114ad5e94a7884a5af

      • \??\c:\Windows\System32\CSCC90997B0522448BF8AB476DFA17CAA9C.TMP

        Filesize

        1KB

        MD5

        75e32610d8ef6143201c7c28465fcda9

        SHA1

        b2bae99fade2dda07aecbe1659d184be0fc4e7a6

        SHA256

        97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

        SHA512

        b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

      • memory/2220-60-0x000000001D7E0000-0x000000001D8AD000-memory.dmp

        Filesize

        820KB

      • memory/3440-13-0x0000000000190000-0x000000000036A000-memory.dmp

        Filesize

        1.9MB

      • memory/3440-22-0x0000000002580000-0x000000000258C000-memory.dmp

        Filesize

        48KB

      • memory/3440-20-0x000000001AFA0000-0x000000001AFB8000-memory.dmp

        Filesize

        96KB

      • memory/3440-18-0x000000001B040000-0x000000001B090000-memory.dmp

        Filesize

        320KB

      • memory/3440-17-0x00000000025A0000-0x00000000025BC000-memory.dmp

        Filesize

        112KB

      • memory/3440-51-0x000000001B5E0000-0x000000001B6AD000-memory.dmp

        Filesize

        820KB

      • memory/3440-15-0x0000000002570000-0x000000000257E000-memory.dmp

        Filesize

        56KB

      • memory/3440-12-0x00007FFD7F793000-0x00007FFD7F795000-memory.dmp

        Filesize

        8KB