Overview

overview

10

Static

static

F1ACEEFBBB...66.exe

windows7-x64

10

F1ACEEFBBB...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2022 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe

  • Size

    1.5MB

  • MD5

    152fc3939962d6e1e572f00b33daf7b6

  • SHA1

    25a7bebb0bdce7657fc563949befbf52021b5ea0

  • SHA256

    f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743

  • SHA512

    ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2

  • SSDEEP

    24576:0crm83KQ6jF2oZkbkXu8MEG7GuR8jZBipt62ob1BKzickKhnakY:3XaJA86h7GuRIBat0BKvhX

Score
10/10
dcratinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat 32 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Process spawned unexpected child process 32 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 32 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
    "C:\Users\Admin\AppData\Local\Temp\F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LOOf5zVadd.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3544
        • C:\Recovery\WindowsRE\dwm.exe
          "C:\Recovery\WindowsRE\dwm.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\SoftwareDistribution\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Users\All Users\SoftwareDistribution\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\smss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc MINUTE /mo 6 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONSTART /tr "'C:\ProgramData\regid.1991-06.com.microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\StartMenuExperienceHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:256
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONSTART /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc MINUTE /mo 6 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1152
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\odt\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONSTART /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\sihost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\sihost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONSTART /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\sihost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\sihost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1068

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\WindowsRE\dwm.exe
      Filesize

      1.5MB

      MD5

      152fc3939962d6e1e572f00b33daf7b6

      SHA1

      25a7bebb0bdce7657fc563949befbf52021b5ea0

      SHA256

      f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743

      SHA512

      ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2

      Download Submit

    • C:\Recovery\WindowsRE\dwm.exe
      Filesize

      1.5MB

      MD5

      152fc3939962d6e1e572f00b33daf7b6

      SHA1

      25a7bebb0bdce7657fc563949befbf52021b5ea0

      SHA256

      f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743

      SHA512

      ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\LOOf5zVadd.bat
      Filesize

      193B

      MD5

      6fb5803e978f2f78fc14d6e388f277fa

      SHA1

      5415885c68af9e054c1a960784a1b2ec56b837d0

      SHA256

      8a78ca8b5319db3db88d4962aaffc4b529cde6827f20ccd6a4979ab6c0bb3661

      SHA512

      9db3f10271eb40788ae81dcf614325d45f454f4d0c39c10a45a94a3421f56fd2afea1ac42d27d29cdf2a2b01b61451093400dc4af179f1f84c72c62f6b4f56f8

      Download Submit

    • memory/1932-140-0x0000000000000000-mapping.dmp

      Download

    • memory/1932-144-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1932-143-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3544-138-0x0000000000000000-mapping.dmp

      Download

    • memory/4084-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4856-139-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4856-132-0x0000000000F20000-0x00000000010AC000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4856-135-0x000000001D390000-0x000000001D8B8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4856-134-0x00000000031C0000-0x0000000003210000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4856-133-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

      Filesize

      10.8MB

      Download