Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-07-2024 02:51

General

  • Target

    902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe

  • Size

    2.3MB

  • MD5

    a3063deffb695211eacaad97e9c38936

  • SHA1

    22c0dcbff864ac7ab665dcaa40fa0e2f5a609d6b

  • SHA256

    902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6

  • SHA512

    c3365f69bcaf92b73449a58596ac9e37bc2a5eb11c048d336ff296439d9ec55f53f9f23a741305f565d64d449fc3ba508b03657ae73c3ed4108dd38aa8f10ed1

  • SSDEEP

    49152:3LeY9/gdSz5eLeorkMy9UVfSpk2+GmC/KrluvCd:9sLeorNg8fcl+Gm8Na

Malware Config

Extracted

  • Family

    xworm

  • C2

    football-emily.gl.at.ply.gg:39625

  • Attributes
    • Install_directory

      %AppData%

    • install_file

      Registry.exe

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Detect Xworm Payload (6 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • DCRat payload (4 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (9 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (56 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe
    "C:\Users\Admin\AppData\Local\Temp\902f94aa7222739a873f8f2805428e89822fc34842a0d731828ca0d6fce69dd6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Roaming\Bootstrapper.exe
      "C:\Users\Admin\AppData\Roaming\Bootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Bootstrapper.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:888
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bootstrapper.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Registry.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Registry.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:852
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Registry" /tr "C:\Users\Admin\AppData\Roaming\Registry.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1844
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\ProgramData\Bootstrapper.exe
      "C:\ProgramData\Bootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\ProgramData\SolaraBootstrapper.exe
        "C:\ProgramData\SolaraBootstrapper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
    • C:\Users\Admin\AppData\Local\Temp\Boostraper.bat
      "C:\Users\Admin\AppData\Local\Temp\Boostraper.bat"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Media\TKlkLwYGTbrYwK.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Media\3KNj5pJ.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Media\fontreview.exe
            "C:\Media\fontreview.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1136
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {86A08173-3891-49D6-952F-BC3AA07ED7B3} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Roaming\Registry.exe
      C:\Users\Admin\AppData\Roaming\Registry.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Users\Admin\AppData\Roaming\Registry.exe
      C:\Users\Admin\AppData\Roaming\Registry.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Users\Admin\AppData\Roaming\Registry.exe
      C:\Users\Admin\AppData\Roaming\Registry.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2172

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (T1059): 1
      • PowerShell (T1059.001): 1
    • Scheduled Task/Job (T1053): 1
      • Scheduled Task (T1053.005): 1
  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
    • Scheduled Task/Job (T1053): 1
      • Scheduled Task (T1053.005): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
    • Scheduled Task/Job (T1053): 1
      • Scheduled Task (T1053.005): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • System Information Discovery (T1082): 1
    • Query Registry (T1012): 1
  • Command and Control
    • Web Service (T1102): 1

Downloads

  • C:\Media\3KNj5pJ.bat
    Filesize

    25B

    MD5

    7e45908823780cf03744e36548ef778a

    SHA1

    0988bf98f3ec92139ba1695893ca2ac712ca6b77

    SHA256

    1a6e5542fc446811c85925bf03ec7f495867d284232da339a23fc8c4b741df29

    SHA512

    dfb4454bf825b4150e36d837e110d19510e11bcf6a1819b5e73dcb9920e6478368a57733c60f055c9ab83e0103cad1706a356b57233ce475c6361c49c4a3b2d8

  • C:\Media\TKlkLwYGTbrYwK.vbe
    Filesize

    186B

    MD5

    883d110d2a404e5aaaa8c4f25e8d0099

    SHA1

    0793c14c1237c6da5f4456e17b1e617f4660b041

    SHA256

    0e4be77d728c9046e72857f46db53646cdbe1244490d5c0aa786efd2b5de5e71

    SHA512

    ad244c4ffad1be4fa28290409ee735b5c50c41f9ba9b0876e068b3e16c016716d444d7984bab19df384d34bc5e5b178743765db2bc17e0a2e78b9b91fe37c934

  • C:\Users\Admin\AppData\Local\Temp\Boostraper.bat
    Filesize

    1.3MB

    MD5

    820ca8ab4b7500ce29e8a1a79b7b8d95

    SHA1

    cb5ad50cac3184af88bed5e22c5f83a981474c5f

    SHA256

    13704b32bee03719d86744a997b75ae735d93e581b0a9b54e730808ad418d534

    SHA512

    212bdce126d2172a6210d34542e7609986c585752575c46d88f9aabb35b61a820509908bab7d41fd0508716c66a79f5526209f0ccc92309d85d6c93d14ec98a7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    2a3a9cd9fb14778f32307583478f917b

    SHA1

    e7c28a5b9c46cb32fc2bb8f5436ac1e83afdd823

    SHA256

    30d71f9be16bbac54a7989cbb8d9fdc785ef520cfe0426468dcda18dc16f891b

    SHA512

    fe5755cc92e9b2572ac7870967c2eb15d35d146691fb8a9617e286250eefc793aedb4df43a119e4207c1c110c5d836d767f3be44723fa7c557a8ee8f29e65beb

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Media\fontreview.exe
    Filesize

    1.0MB

    MD5

    d59145e6ddad7699d0c9c5e1416229f9

    SHA1

    bda54641a52bb99147cf57bcbd6b8048bc3e2d2d

    SHA256

    3d9b74a6bd97a5fa455737b72d8970898527a4478e912b68e9bf9459cccb7c87

    SHA512

    7e1122c02ddab5bf333d7b1b89a596419e3d7fe31d30877b17f36ab1e5207127c6d757eee243dd1c38c51b993f1d2ab2ccc0f266d899ff0a9b7d3a61bf24994c

  • \ProgramData\Bootstrapper.exe
    Filesize

    125KB

    MD5

    38abadb644a721c6526c13781f034f3c

    SHA1

    73d1c05be000e6dca09c3b0c68ccbd26ea8ba284

    SHA256

    ba5dab0bab062cef4292800e49d1910e455a11628481782ef18b7a0a76d492c3

    SHA512

    ff7ec8ba0692b0e7849f1342c6b9547e2677a7f96d7c7f53c10d4ef1b828f64437ab826ca0932bb1b86770815eabc72ad7d8c38edfcc4c3040e350bbaea4ddd3

  • \Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    Filesize

    13KB

    MD5

    6557bd5240397f026e675afb78544a26

    SHA1

    839e683bf68703d373b6eac246f19386bb181713

    SHA256

    a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

    SHA512

    f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

  • \Users\Admin\AppData\Roaming\Bootstrapper.exe
    Filesize

    64KB

    MD5

    0c88f913b456d4fc6b5836275f2a48ad

    SHA1

    1d58a200748571696f5fb8ec5c2abe40d36f021b

    SHA256

    02b7e575969e1f23f76fdad703bf74241b6276f7551eb5f8996c098f87093417

    SHA512

    8b42ee4d734179cd9a04c71d03b8cb41511d17f6e9a0d2c7022e1bac1c4801de758d5178d81ccd7acb5ac289268ea49c91f050f4129ba572389acd287537e802

  • memory/324-71-0x0000000002250000-0x0000000002258000-memory.dmp
    Filesize

    32KB

  • memory/324-70-0x000000001B660000-0x000000001B942000-memory.dmp
    Filesize

    2.9MB

  • memory/888-63-0x00000000027F0000-0x00000000027F8000-memory.dmp
    Filesize

    32KB

  • memory/888-62-0x000000001B750000-0x000000001BA32000-memory.dmp
    Filesize

    2.9MB

  • memory/1060-87-0x0000000000B40000-0x0000000000B56000-memory.dmp
    Filesize

    88KB

  • memory/1136-56-0x00000000003F0000-0x0000000000502000-memory.dmp
    Filesize

    1.1MB

  • memory/1136-57-0x00000000005A0000-0x00000000005AE000-memory.dmp
    Filesize

    56KB

  • memory/2092-39-0x0000000000DD0000-0x0000000000DE6000-memory.dmp
    Filesize

    88KB

  • memory/2660-30-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize

    136KB

  • memory/2692-89-0x0000000001050000-0x0000000001066000-memory.dmp
    Filesize

    88KB

  • memory/2840-42-0x0000000001340000-0x000000000134A000-memory.dmp
    Filesize

    40KB

  • memory/2920-38-0x0000000000360000-0x000000000036A000-memory.dmp
    Filesize

    40KB

  • memory/2924-0-0x0000000000400000-0x0000000000656000-memory.dmp
    Filesize

    2.3MB