Overview

overview

10

Static

static

3

cheatxloader.exe

windows7-x64

10

cheatxloader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-01-2025 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cheatxloader.exe

  • Size

    2.1MB

  • MD5

    6ad4c27c5c844630732d5a6f1144f403

  • SHA1

    55eaa9e50b68ba4438ba8c495e2e872f70afea5d

  • SHA256

    a38de42e94a51926732b3b562723df643e5fde2c4b0286842dc356be62f697d6

  • SHA512

    050835c1abe9bb077882368b21e94583a8a69b290d34c810283cbf805619ee80b5432b3fd91e23ff4adfe3a6d736b71438c85874d3ee9e2e18040ca80c19509c

  • SSDEEP

    24576:2TbBv5rUyXVjfDjUr+21JjS+5+MtJoIeEs+TwAo7+Fgz2RPuWHvswr5ZvAPwfzkS:IBJjUXGMoMJwugSRzPswr5ZIPkMRnfU

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheatxloader.exe
    "C:\Users\Admin\AppData\Local\Temp\cheatxloader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webMonitorCommon\pblufgY0nnHtSVysTtPP5buTeBsOiw1qIug1R2lrGXhQEqDwXK7IPYqy.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\webMonitorCommon\AWwYlLp95CB13LX7XcfPLRXdri2HMYZVLvEdXP.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\webMonitorCommon\hyperInto.exe
          "C:\webMonitorCommon/hyperInto.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gr0c5vz2\gr0c5vz2.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:460
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA057.tmp" "c:\Windows\System32\CSC832652D8D7B44CF1984D744CBD238D83.TMP"
              6⤵
                PID:4932
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xaLJZCGvse.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2404
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3700
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:4272
                  • C:\webMonitorCommon\sppsvc.exe
                    "C:\webMonitorCommon\sppsvc.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4268
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\webMonitorCommon\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1448
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\webMonitorCommon\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\webMonitorCommon\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\webMonitorCommon\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\webMonitorCommon\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\webMonitorCommon\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4140
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\webMonitorCommon\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\webMonitorCommon\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\webMonitorCommon\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 6 /tr "'C:\webMonitorCommon\hyperInto.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hyperInto" /sc ONLOGON /tr "'C:\webMonitorCommon\hyperInto.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 10 /tr "'C:\webMonitorCommon\hyperInto.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3092

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESA057.tmp
          Filesize

          1KB

          MD5

          b5c28218ed90a7b5967d6958288a4ea8

          SHA1

          8c466b21169e5c415b9285e4bc0a2144db323eac

          SHA256

          0aa0378a36584a1e60c484a9f4134fca866aa5a20ec7d8e6d0b96175cd885013

          SHA512

          c4595e72d4f04283f8cd47764924f790750d37affc86bece0f37a2537458f09e55a19c93e4a45381ffb6713fc429bf79b0ffafa4af8640f4ff0efc9d699bb57f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\xaLJZCGvse.bat
          Filesize

          206B

          MD5

          ca2313a1fc30dbb68b447fbddec04486

          SHA1

          b3dd0d19918cf1470618a555a787f3b6ce3735be

          SHA256

          597816ba779750de1402705e2f9ae7be9b6fc1e5881f002bc2615eefbf588e60

          SHA512

          dfa258f6b8531f6ebb0b83e3d777a3a7bb93b5b802599c030d229d42ba9abb390333858446861df9a38a3256d9e550edaed24725a1e210e156cb2f9a650f12e3

          Download Submit

        • C:\webMonitorCommon\AWwYlLp95CB13LX7XcfPLRXdri2HMYZVLvEdXP.bat
          Filesize

          79B

          MD5

          d3296b9af15688185225252f1bb0426a

          SHA1

          a7640941362ccbd9b271c078c0251b1d7eec8eea

          SHA256

          2f1440baf4b0fb670cb1a19adb3238fd02cbc02776dbf0a711e38e22246f6a47

          SHA512

          3d92586174722a2367e368c005144fe923eebc1a95cd35a7fd131ca1c396fc26cbb7c6d2831e2fd2e33610074b96d875b3f6b9a6e0ecd389937792e83fd4cd81

          Download Submit

        • C:\webMonitorCommon\hyperInto.exe
          Filesize

          1.8MB

          MD5

          df4915aec99c9e7e9532f9f60fc4f8ef

          SHA1

          65833ebdc04f11a93104d682291aa5ac21641f3f

          SHA256

          c8161e6afe1258799916a9a518b88ad76d9960b91627848b9e47fe8cc6633c16

          SHA512

          75227698a60affb197f7753630f9d54eccb3e3c8b5b37f4761d1a84fd619a6499e6efbe6ab9221a0f4fbada48e0fbf5aba3811d783424393bfe39ace2af32cb2

          Download Submit

        • C:\webMonitorCommon\pblufgY0nnHtSVysTtPP5buTeBsOiw1qIug1R2lrGXhQEqDwXK7IPYqy.vbe
          Filesize

          232B

          MD5

          9858bdea95a5bdcf4165f4d051f6765b

          SHA1

          7173b7f8df6456f589146f5f052a33e334479961

          SHA256

          a46486c946d037b3e3f729ed8d6e90c761d133cd956f75eaabdd69e6917417bc

          SHA512

          725b90d26cc16bc6c79c3548d4542e9cabc1e24982600eb8cd3ea2da1be35edfd0e0f244dc156b92cb2f6935700a2d6a0268c694b2bb85df8de79bf672e27454

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gr0c5vz2\gr0c5vz2.0.cs
          Filesize

          369B

          MD5

          fb50981d8e4b3522a78f79ed3faacfe2

          SHA1

          335636b7f56cb27343e8b30747b4f0cdf6654ab6

          SHA256

          7305c321e1f80b7e84613709a5e6f9078d6f8964fccdfa94562c5ee663ad50f1

          SHA512

          ce37b49cf7c79ae2936813c07d03a67ec95803d4c3dae5d12fae2e737c6c28c20197ca01f99d58c5f92fe843805964793bf688bcd303cf796f9980ca6f0addb3

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gr0c5vz2\gr0c5vz2.cmdline
          Filesize

          235B

          MD5

          9abbfe6d5d4c7cf99f9dcf87b35804b3

          SHA1

          91b7d06faf56e150ddc2e3999b1ba88d3b6c101c

          SHA256

          02fda523514145b054ad7f66041e9be101947e8b7146215b39d12ab59183741d

          SHA512

          4f19f1929a6915b2d0e03a937afe197449124e59a5de4915f16cdd21a6a93bfbc419a2413cbfae453a174a9b6c8d0bd76bc0e706a5226b386ff0acbbd78e8df7

          Download Submit

        • \??\c:\Windows\System32\CSC832652D8D7B44CF1984D744CBD238D83.TMP
          Filesize

          1KB

          MD5

          72f89171a1931b941e3fcc281bfc549e

          SHA1

          9648145810bb8b9ecef682a8215a08065723852e

          SHA256

          b1858806d65859b1f0607bdb45b33cbc0745c496a45414b6833c94a5a792a938

          SHA512

          04e9a596bc2354251ef44848eb1662658b053fd6065369c8ca46f6c597516738d57efafe9669fb9d20dbe4b957d6afa379fc48a06c252260419a82de72e4cf8a

          Download Submit

        • memory/1872-13-0x0000000000DA0000-0x0000000000F7C000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1872-22-0x0000000003260000-0x000000000326C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1872-20-0x000000001BAC0000-0x000000001BAD8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1872-18-0x000000001BB30000-0x000000001BB80000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1872-17-0x000000001BAA0000-0x000000001BABC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1872-15-0x0000000003250000-0x000000000325E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1872-51-0x000000001C260000-0x000000001C309000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1872-12-0x00007FFAE85C3000-0x00007FFAE85C5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4268-60-0x000000001C260000-0x000000001C309000-memory.dmp

          Filesize

          676KB

          Download