Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-06-2024 01:14
Static task: static1
Behavioral task: behavioral1
  Sample: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
  Resource: win10v2004-20240611-en
General
Target: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
Size: 1.8MB
MD5: 289f27e7a02f8e76ebf39d2c0c3f09e4
SHA1: fb404a7a85d5fb617436f73832e4716556756d6a
SHA256: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9
SHA512: 38798cc71da6dfd8022dff2be635db8b938ba8d8dc5db8196802af2d9deb26dda145e0e581a6b8eb7022a1e0c33ff34c666cc4817f9f2ac50d1f362f434a75fe
SSDEEP: 24576:KuDXTIGaPhEYzUzA0Dz46fMR/6Y/M3pPux8KVzVvu9JDcEL0NLpgjdyWhPOePTnK:9Djlabwz9PHMf/M3BuxbzuDQyBPXam0H
Malware Config
Extracted family: lumma
Signatures

DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
Yara matches:
  resource | yara_rule
  C:\ProgramData\SoftwareDistribution\Bypass.exe | dcrat
  behavioral2/memory/1240-52-0x0000000000350000-0x000000000051A000-memory.dmp | dcrat

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: reg.exe, reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, C:\\Users\\skeet\\AppData\\Local\\Temp\\Loader\\572stuOQ0pZG2Xj.exe" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\system32\\explorer.exe, C:\\ProgramData\\SoftwareDistribution\\572stuOQ0pZG2Xj.exe" | reg.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 572stuOQ0pZG2Xj.exe, cmd.exe, 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | 572stuOQ0pZG2Xj.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
Executes dropped EXE (3 IoCs)
Processes: 572stuOQ0pZG2Xj.exe, Loader.exe, Bypass.exe
  pid | process
  2560 | 572stuOQ0pZG2Xj.exe
  3344 | Loader.exe
  1240 | Bypass.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  61 | ipinfo.io
  62 | ipinfo.io

Suspicious use of SetThreadContext (1 IoC)
Processes: Loader.exe
  description | pid | process | target process
  PID 3344 set thread context of 212 | 3344 | Loader.exe | RegAsm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: powershell.exe, Bypass.exe
  pid | process | entries
  3220 | powershell.exe | 2
  1240 | Bypass.exe | 13

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Bypass.exe
  pid | process
  1240 | Bypass.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, Bypass.exe
  description | pid | process
  Token: SeDebugPrivilege | 3220 | powershell.exe
  Token: SeDebugPrivilege | 1240 | Bypass.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe, cmd.exe, cmd.exe, Loader.exe, 572stuOQ0pZG2Xj.exe
  description | pid | process | target process | entries
  PID 4484 wrote to memory of 2012 | 4484 | 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe | cmd.exe | 2
  PID 2012 wrote to memory of 4592 | 2012 | cmd.exe | cacls.exe | 2
  PID 2012 wrote to memory of 2440 | 2012 | cmd.exe | cmd.exe | 2
  PID 2440 wrote to memory of 3220 | 2440 | cmd.exe | powershell.exe | 2
  PID 2440 wrote to memory of 3132 | 2440 | cmd.exe | choice.exe | 2
  PID 2440 wrote to memory of 2760 | 2440 | cmd.exe | reg.exe | 2
  PID 2440 wrote to memory of 5068 | 2440 | cmd.exe | reg.exe | 2
  PID 2440 wrote to memory of 2560 | 2440 | cmd.exe | 572stuOQ0pZG2Xj.exe | 2
  PID 2440 wrote to memory of 3344 | 2440 | cmd.exe | Loader.exe | 3
  PID 3344 wrote to memory of 212 | 3344 | Loader.exe | RegAsm.exe | 9
  PID 2560 wrote to memory of 1240 | 2560 | 572stuOQ0pZG2Xj.exe | Bypass.exe | 2
  PID 2440 wrote to memory of 4252 | 2440 | cmd.exe | WScript.exe | 2
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cacls.exe
      cmdline: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    - [3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat
      signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\choice.exe
        cmdline: choice /c y /n /t 10 /d y
      - [4] C:\Windows\system32\reg.exe
        cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f
        signatures: Modifies WinLogon for persistence
      - [4] C:\Windows\system32\reg.exe
        cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f
        signatures: Modifies WinLogon for persistence
      - [4] C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        - [5] C:\ProgramData\SoftwareDistribution\Bypass.exe
          cmdline: "C:\ProgramData\SoftwareDistribution\Bypass.exe"
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - [4] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\ProgramData\SoftwareDistribution\Bypass.exe (1.8MB)
- C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe (1.2MB)
- C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat (9KB)
- C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat (8KB)
- C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe (594KB)
- C:\Users\Admin\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs (1KB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2y1ix5q0.rjp.ps1 (60B)
Memory dumps:
- memory/212-47-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
- memory/212-39-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
- memory/1240-53-0x000000001B020000-0x000000001B03C000-memory.dmp (112KB)
- memory/1240-52-0x0000000000350000-0x000000000051A000-memory.dmp (1.8MB)
- memory/1240-55-0x0000000002700000-0x0000000002710000-memory.dmp (64KB)
- memory/1240-54-0x000000001B0B0000-0x000000001B100000-memory.dmp (320KB)
- memory/1240-57-0x000000001B100000-0x000000001B156000-memory.dmp (344KB)
- memory/1240-56-0x000000001B040000-0x000000001B056000-memory.dmp (88KB)
- memory/1240-58-0x000000001B060000-0x000000001B06E000-memory.dmp (56KB)
- memory/3220-29-0x00007FF94A3F0000-0x00007FF94AEB1000-memory.dmp (10.8MB)
- memory/3220-26-0x00007FF94A3F0000-0x00007FF94AEB1000-memory.dmp (10.8MB)
- memory/3220-25-0x00007FF94A3F0000-0x00007FF94AEB1000-memory.dmp (10.8MB)
- memory/3220-15-0x000001C87F0C0000-0x000001C87F0E2000-memory.dmp (136KB)
- memory/3220-14-0x00007FF94A3F3000-0x00007FF94A3F5000-memory.dmp (8KB)