Overview

overview

10

Static

static

10

0a41022c66...ev.exe

windows7-x64

10

0a41022c66...ev.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/10/2022, 11:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0a41022c66f4025a865a8986d417f088f3b7298e1537f4253e9e14c5e27f123a_noev.exe

  • Size

    1.3MB

  • MD5

    8b9eb441ae46675e56ddf5e5f02fe547

  • SHA1

    bde0260be99e0c128cbb5539c2f142f310e8a879

  • SHA256

    0a41022c66f4025a865a8986d417f088f3b7298e1537f4253e9e14c5e27f123a

  • SHA512

    1fc15295736f566f18414b3abd8a56d6655e081b4aed793cf0df3a2b25988c25770a963ccd05ddfd68134b76837878b499787d3ce4c9257782f3222ed081d617

  • SSDEEP

    24576:Or1EoK804IflP6CGaDI2jt4VwQtk+CsNFoDyObMfcQz9dTwHO742l2DXeAWH:0qod0/dJGaJt4fmSeDyObYfTwu1l1

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a41022c66f4025a865a8986d417f088f3b7298e1537f4253e9e14c5e27f123a_noev.exe
    "C:\Users\Admin\AppData\Local\Temp\0a41022c66f4025a865a8986d417f088f3b7298e1537f4253e9e14c5e27f123a_noev.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a41022c66f4025a865a8986d417f088f3b7298e1537f4253e9e14c5e27f123a_noev.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Media Player\System.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\explorer.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\csrss.exe'
      2⤵
        PID:940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\lsm.exe'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1608
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\services.exe'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1124
      • C:\Users\All Users\Application Data\services.exe
        "C:\Users\All Users\Application Data\services.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Media Player\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Media Player\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Media Player\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Music\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1008

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\services.exe
            Filesize

            1.3MB

            MD5

            18638e427dc5b284407245854f68a8de

            SHA1

            35df2ccb76c3f5c7c2853223e158000de9312460

            SHA256

            59f6f9ea3a91c4ca139a26d9605ff056946b933e6a1b915b1531140e2a197964

            SHA512

            d956884bd3e6657efb8979e991fd92402e651933ca2e9b2042bfb56206087a183f615b849a0bdd0f1d4024ea112e932aba881be9303ae4aa53ed94456bee8d3b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3f0725ceac08ad740ab105cc59311783

            SHA1

            05b7b6611807b81bfd7250403de1cb7f4f36b618

            SHA256

            1b1dea1a9b7f461a75c5017b38982055b6570459ef6a311495058ce0ba5802e8

            SHA512

            7cdd304ef9801c69a866938e84dfa79cc948b8407812cbf06251dec46b8a201a7c6a3b4ab29b57118ac02d2e0ad41899c37ce31d52a43fcb64df750a0b917a41

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3f0725ceac08ad740ab105cc59311783

            SHA1

            05b7b6611807b81bfd7250403de1cb7f4f36b618

            SHA256

            1b1dea1a9b7f461a75c5017b38982055b6570459ef6a311495058ce0ba5802e8

            SHA512

            7cdd304ef9801c69a866938e84dfa79cc948b8407812cbf06251dec46b8a201a7c6a3b4ab29b57118ac02d2e0ad41899c37ce31d52a43fcb64df750a0b917a41

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3f0725ceac08ad740ab105cc59311783

            SHA1

            05b7b6611807b81bfd7250403de1cb7f4f36b618

            SHA256

            1b1dea1a9b7f461a75c5017b38982055b6570459ef6a311495058ce0ba5802e8

            SHA512

            7cdd304ef9801c69a866938e84dfa79cc948b8407812cbf06251dec46b8a201a7c6a3b4ab29b57118ac02d2e0ad41899c37ce31d52a43fcb64df750a0b917a41

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            3f0725ceac08ad740ab105cc59311783

            SHA1

            05b7b6611807b81bfd7250403de1cb7f4f36b618

            SHA256

            1b1dea1a9b7f461a75c5017b38982055b6570459ef6a311495058ce0ba5802e8

            SHA512

            7cdd304ef9801c69a866938e84dfa79cc948b8407812cbf06251dec46b8a201a7c6a3b4ab29b57118ac02d2e0ad41899c37ce31d52a43fcb64df750a0b917a41

            Download Submit

          • C:\Users\All Users\Application Data\services.exe
            Filesize

            1.3MB

            MD5

            18638e427dc5b284407245854f68a8de

            SHA1

            35df2ccb76c3f5c7c2853223e158000de9312460

            SHA256

            59f6f9ea3a91c4ca139a26d9605ff056946b933e6a1b915b1531140e2a197964

            SHA512

            d956884bd3e6657efb8979e991fd92402e651933ca2e9b2042bfb56206087a183f615b849a0bdd0f1d4024ea112e932aba881be9303ae4aa53ed94456bee8d3b

            Download Submit

          • memory/472-83-0x00000000001B0000-0x0000000000300000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1076-85-0x000007FEEA050000-0x000007FEEAA73000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1076-91-0x00000000024E4000-0x00000000024E7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1076-95-0x000007FEEC770000-0x000007FEED2CD000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1076-101-0x00000000024E4000-0x00000000024E7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1076-102-0x00000000024EB000-0x000000000250A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1124-90-0x0000000002A64000-0x0000000002A67000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1124-86-0x000007FEEA050000-0x000007FEEAA73000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1124-87-0x000007FEEC770000-0x000007FEED2CD000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1124-100-0x000000001B780000-0x000000001BA7F000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1124-103-0x0000000002A64000-0x0000000002A67000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1124-104-0x0000000002A6B000-0x0000000002A8A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1472-68-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1472-92-0x0000000001E64000-0x0000000001E67000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1472-110-0x0000000001E6B000-0x0000000001E8A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1472-109-0x0000000001E64000-0x0000000001E67000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1472-88-0x000007FEEC770000-0x000007FEED2CD000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1472-97-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1472-73-0x000007FEEA050000-0x000007FEEAA73000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1608-106-0x000000000296B000-0x000000000298A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1608-105-0x0000000002964000-0x0000000002967000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1608-94-0x0000000002964000-0x0000000002967000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1608-99-0x000000001B810000-0x000000001BB0F000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1608-79-0x000007FEEA050000-0x000007FEEAA73000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1608-96-0x000007FEEC770000-0x000007FEED2CD000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1648-62-0x0000000000550000-0x000000000055C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1648-55-0x0000000000240000-0x0000000000250000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1648-59-0x0000000000520000-0x000000000052C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1648-58-0x00000000004F0000-0x0000000000502000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1648-61-0x0000000000540000-0x000000000054C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1648-57-0x00000000003E0000-0x00000000003EC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1648-54-0x0000000000CF0000-0x0000000000E40000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1648-60-0x0000000000530000-0x000000000053E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1648-56-0x00000000003D0000-0x00000000003DA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1912-89-0x000007FEEC770000-0x000007FEED2CD000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1912-93-0x0000000002454000-0x0000000002457000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1912-108-0x000000000245B000-0x000000000247A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1912-107-0x0000000002454000-0x0000000002457000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1912-84-0x000007FEEA050000-0x000007FEEAA73000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/1912-98-0x000000001B700000-0x000000001B9FF000-memory.dmp

            Filesize

            3.0MB

            Download