Overview

overview

10

Static

static

10

121e3de90a...6a.exe

windows7-x64

10

121e3de90a...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-09-2022 03:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    121e3de90abf2278d3dba0701045616a.exe

  • Size

    1.6MB

  • MD5

    121e3de90abf2278d3dba0701045616a

  • SHA1

    5f1b0812c4c62f8e84ac02cede638ea65ef15e34

  • SHA256

    2b59699aca914b83391346f826e48c6f74f0208de0abdbf53773f82c35e9ff83

  • SHA512

    d0eb995ffcb6bddf4b795880fb98c10eda0f440abdc41aabc46a99c6654b953921788d773168a7c63b1da51b3344979d1d9d9934154c1529ffd8653d23a33487

  • SSDEEP

    49152:shNgwNHGuumlxR/uTxaMm3BMsP71Lx9N:85lDpjr9

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\121e3de90abf2278d3dba0701045616a.exe
    "C:\Users\Admin\AppData\Local\Temp\121e3de90abf2278d3dba0701045616a.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\121e3de90abf2278d3dba0701045616a.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\121e3de90abf2278d3dba0701045616a.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\taskhost.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe"
      2⤵
      • Executes dropped EXE
      PID:112
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b027c2a-2728-458f-91e7-e21e35e92dca.vbs"
        3⤵
          PID:680
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae5d7309-9edb-4ef3-9406-04f542e2fe91.vbs"
          3⤵
            PID:996
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:13456/
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:432
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "121e3de90abf2278d3dba0701045616a1" /sc MINUTE /mo 13 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\121e3de90abf2278d3dba0701045616a.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "121e3de90abf2278d3dba0701045616a" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\121e3de90abf2278d3dba0701045616a.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "121e3de90abf2278d3dba0701045616a1" /sc MINUTE /mo 13 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\121e3de90abf2278d3dba0701045616a.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1076

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe
        Filesize

        1.6MB

        MD5

        caf9a7f9f6186ad0f6dc5d191ae68ddd

        SHA1

        f67b57861da378fd33e59ed9e27094e4d4853cad

        SHA256

        ee5404c465d772f726eae90fc4d15a888404f167a2fec0e418982acf3bb52b1e

        SHA512

        e6c4bca3b3b2863858683b2e6ee79117de9444337465a82b275d91a669dd4bcc384027f9549f56439459003988cb16d12530d844191121ca104964d52b92e6e9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ITW9ZTFB.txt
        Filesize

        608B

        MD5

        dc64351b4794d8a55c254e9340fde263

        SHA1

        65fe999f5c2071c38a931e63eb5655ffdd7e9d89

        SHA256

        22eddf5ca213266ed21b9d07a7a9c45e5abf97058c5a28704906881441773d23

        SHA512

        b462c76d52f138bee5f834e7a689a2aca8e3d19f63bd95fdaca100de242e7ef2a3e41e21b073227ea6f0c4ce450abd4a7dd35b383ecf03797eeb7fab10255736

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        3e8ab905ba7f0e2e3eb16c2a5f708294

        SHA1

        0e3e7438537895c6a399e0831b010cccb4f2623b

        SHA256

        806890630ffa3e424a00cd1205b91f9728494524696834737138481e3596c4da

        SHA512

        35412d8cd271ec4bc507feb44f94f70ddfe0aa7178136297a5fc862466769bb3a000766f2c1fde3043737ec53573cdf11b989cb892cbb13d98205d18e83e6d39

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        3e8ab905ba7f0e2e3eb16c2a5f708294

        SHA1

        0e3e7438537895c6a399e0831b010cccb4f2623b

        SHA256

        806890630ffa3e424a00cd1205b91f9728494524696834737138481e3596c4da

        SHA512

        35412d8cd271ec4bc507feb44f94f70ddfe0aa7178136297a5fc862466769bb3a000766f2c1fde3043737ec53573cdf11b989cb892cbb13d98205d18e83e6d39

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        3e8ab905ba7f0e2e3eb16c2a5f708294

        SHA1

        0e3e7438537895c6a399e0831b010cccb4f2623b

        SHA256

        806890630ffa3e424a00cd1205b91f9728494524696834737138481e3596c4da

        SHA512

        35412d8cd271ec4bc507feb44f94f70ddfe0aa7178136297a5fc862466769bb3a000766f2c1fde3043737ec53573cdf11b989cb892cbb13d98205d18e83e6d39

        Download Submit

      • memory/112-79-0x0000000000000000-mapping.dmp

        Download

      • memory/916-89-0x000007FEEB5A0000-0x000007FEEC0FD000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/916-69-0x0000000000000000-mapping.dmp

        Download

      • memory/916-91-0x000000001B770000-0x000000001BA6F000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/916-104-0x00000000026AB000-0x00000000026CA000-memory.dmp

        Filesize

        124KB

        Download

      • memory/916-97-0x00000000026AB000-0x00000000026CA000-memory.dmp

        Filesize

        124KB

        Download

      • memory/916-85-0x00000000026A4000-0x00000000026A7000-memory.dmp

        Filesize

        12KB

        Download

      • memory/916-102-0x00000000026A4000-0x00000000026A7000-memory.dmp

        Filesize

        12KB

        Download

      • memory/916-82-0x000007FEEC100000-0x000007FEECB23000-memory.dmp

        Filesize

        10.1MB

        Download

      • memory/952-90-0x000007FEEB5A0000-0x000007FEEC0FD000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/952-67-0x0000000000000000-mapping.dmp

        Download

      • memory/952-103-0x000000000270B000-0x000000000272A000-memory.dmp

        Filesize

        124KB

        Download

      • memory/952-98-0x000000000270B000-0x000000000272A000-memory.dmp

        Filesize

        124KB

        Download

      • memory/952-93-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/952-101-0x0000000002704000-0x0000000002707000-memory.dmp

        Filesize

        12KB

        Download

      • memory/952-77-0x000007FEEC100000-0x000007FEECB23000-memory.dmp

        Filesize

        10.1MB

        Download

      • memory/952-86-0x0000000002704000-0x0000000002707000-memory.dmp

        Filesize

        12KB

        Download

      • memory/976-94-0x0000000002424000-0x0000000002427000-memory.dmp

        Filesize

        12KB

        Download

      • memory/976-95-0x000000000242B000-0x000000000244A000-memory.dmp

        Filesize

        124KB

        Download

      • memory/976-81-0x000007FEEC100000-0x000007FEECB23000-memory.dmp

        Filesize

        10.1MB

        Download

      • memory/976-83-0x000007FEEB5A0000-0x000007FEEC0FD000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/976-84-0x0000000002424000-0x0000000002427000-memory.dmp

        Filesize

        12KB

        Download

      • memory/976-68-0x0000000000000000-mapping.dmp

        Download

      • memory/1444-55-0x0000000000240000-0x000000000025C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1444-65-0x0000000000B20000-0x0000000000B2C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1444-64-0x0000000000A90000-0x0000000000A9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1444-61-0x00000000009E0000-0x00000000009E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1444-63-0x0000000000A80000-0x0000000000A8E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1444-54-0x0000000000DE0000-0x0000000000F7A000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1444-60-0x00000000009D0000-0x00000000009DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1444-56-0x0000000000260000-0x0000000000270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1444-57-0x0000000000410000-0x0000000000426000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1444-62-0x00000000009F0000-0x00000000009FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1444-58-0x0000000000270000-0x0000000000280000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1444-59-0x00000000009C0000-0x00000000009CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1480-66-0x0000000000000000-mapping.dmp

        Download

      • memory/1480-96-0x000000000238B000-0x00000000023AA000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1480-99-0x0000000002384000-0x0000000002387000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1480-92-0x000000001B700000-0x000000001B9FF000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1480-100-0x000000000238B000-0x00000000023AA000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1480-88-0x000007FEEB5A0000-0x000007FEEC0FD000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/1480-87-0x0000000002384000-0x0000000002387000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1480-75-0x000007FEEC100000-0x000007FEECB23000-memory.dmp

        Filesize

        10.1MB

        Download

      • memory/1480-70-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

        Filesize

        8KB

        Download