Overview

overview

10

Static

static

UDS-Trojan...d2.exe

windows7-x64

10

UDS-Trojan...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2023 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UDS-Trojan-PSW.MSIL.Tepfer.gen-09342b36eeaad2.exe

  • Size

    2.4MB

  • MD5

    b8ebe55c83b79c2f0c4c15ac4ec8c3a0

  • SHA1

    c13137e3bfb16f61e5c69f60248be578bdd70551

  • SHA256

    09342b36eeaad27a94f1fd6817bf161cf1c9194709ce8fe869afccd4239f4db3

  • SHA512

    93778d19151b28cfea617ca64e707d43a6bcb342bb502ea2e9723200f71a2f26cea3f1f128e7252528eb586e85eb35b47b08afd58056aaf1c84fdd29a57feb9b

  • SSDEEP

    49152:ubA34q6DjV16+6mCoG4HWT9TV6fsmLp3nfw9heL5fE3zdbg1NG:ubRDjV1x6mCoPYofsy9wvg5fgzd0HG

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UDS-Trojan-PSW.MSIL.Tepfer.gen-09342b36eeaad2.exe
    "C:\Users\Admin\AppData\Local\Temp\UDS-Trojan-PSW.MSIL.Tepfer.gen-09342b36eeaad2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3348
    • C:\Users\Admin\AppData\Roaming\output.exe
      "C:\Users\Admin\AppData\Roaming\output.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Users\Admin\AppData\Local\Temp\DkxWDWaVyBpI.exe
        "C:\Users\Admin\AppData\Local\Temp\DkxWDWaVyBpI.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Users\Admin\AppData\Roaming\protectuser.exe
          "C:\Users\Admin\AppData\Roaming\protectuser.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\ndfapi\lsass.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:5012
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:212
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2472
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4660
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4520
        • C:\Users\Admin\AppData\Roaming\SteamKeyBoost.exe
          "C:\Users\Admin\AppData\Roaming\SteamKeyBoost.exe"
          4⤵
          • Executes dropped EXE
          PID:2800

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DkxWDWaVyBpI.exe
    Filesize

    2.0MB

    MD5

    624ba3439ab7210c7eb0b2326e4fbd9a

    SHA1

    6815d815dde9ff0dcd17e56505a08566026bd7b7

    SHA256

    8fe8f3efc119e54d0946abefd2e439d6b9a729213cd7991743631823730a77cc

    SHA512

    7d2cd2a7011eac0f99f16bfe80f35c18f094fb6fd08438680bee343ee378ce3486a8b4763687acc123d4d26bf97562643576577d9eaa269ec23aca8eab866992

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DkxWDWaVyBpI.exe
    Filesize

    2.0MB

    MD5

    624ba3439ab7210c7eb0b2326e4fbd9a

    SHA1

    6815d815dde9ff0dcd17e56505a08566026bd7b7

    SHA256

    8fe8f3efc119e54d0946abefd2e439d6b9a729213cd7991743631823730a77cc

    SHA512

    7d2cd2a7011eac0f99f16bfe80f35c18f094fb6fd08438680bee343ee378ce3486a8b4763687acc123d4d26bf97562643576577d9eaa269ec23aca8eab866992

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SteamKeyBoost.exe
    Filesize

    2.3MB

    MD5

    7c3cab1d97259537f098637a470200c3

    SHA1

    87c760496eda6bc4a9ac3e6d76f20843e52d4de1

    SHA256

    fa44ed8e4fe3acf3033daf19db1b05b47fb8e2d9bc8a473d07756b0dba35177c

    SHA512

    7355bafbf5a483df81f26074868749eba153610e81b2594f2c4fb9136502c3c487cad2812beca258c193bca0d498afa5bae85335dd248ed53af63341887f3b4f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SteamKeyBoost.exe
    Filesize

    2.3MB

    MD5

    7c3cab1d97259537f098637a470200c3

    SHA1

    87c760496eda6bc4a9ac3e6d76f20843e52d4de1

    SHA256

    fa44ed8e4fe3acf3033daf19db1b05b47fb8e2d9bc8a473d07756b0dba35177c

    SHA512

    7355bafbf5a483df81f26074868749eba153610e81b2594f2c4fb9136502c3c487cad2812beca258c193bca0d498afa5bae85335dd248ed53af63341887f3b4f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\output.exe
    Filesize

    2.6MB

    MD5

    e7eb08585396e571d260dd55956e0a65

    SHA1

    bdf532d6ebe2b0de0d4fff8ba5f580101920335d

    SHA256

    55e95bfde07d8e6ab7824dd0a0b9a4e67e622793233729541ef258bf3610d434

    SHA512

    d2ddfbea5863566d8168c13eb7c311fec027af56db7cd2277f25ec800a6a63483f3e8cc89a519c57dc0bf20b51d0e0a64a603635519627c33decd00dcf70e49d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\output.exe
    Filesize

    2.6MB

    MD5

    e7eb08585396e571d260dd55956e0a65

    SHA1

    bdf532d6ebe2b0de0d4fff8ba5f580101920335d

    SHA256

    55e95bfde07d8e6ab7824dd0a0b9a4e67e622793233729541ef258bf3610d434

    SHA512

    d2ddfbea5863566d8168c13eb7c311fec027af56db7cd2277f25ec800a6a63483f3e8cc89a519c57dc0bf20b51d0e0a64a603635519627c33decd00dcf70e49d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\protectuser.exe
    Filesize

    1.5MB

    MD5

    4d4416d03c666f90cdffed05443b2ad1

    SHA1

    51dcca8d0e1b4d15f48497e42a421f5e4427bfd7

    SHA256

    09f8d2c21b615748a3789084587025142032537945301db93fc828adc836c7b6

    SHA512

    2556ed2aa689867285882543eebed0a6aa1a5af387fe15a2a5ef2138904fbd55c48b3ae81dac0ef783f55616e6eeeda4f6b5cb7a7751e10a9ac316899d0c21d3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\protectuser.exe
    Filesize

    1.5MB

    MD5

    4d4416d03c666f90cdffed05443b2ad1

    SHA1

    51dcca8d0e1b4d15f48497e42a421f5e4427bfd7

    SHA256

    09f8d2c21b615748a3789084587025142032537945301db93fc828adc836c7b6

    SHA512

    2556ed2aa689867285882543eebed0a6aa1a5af387fe15a2a5ef2138904fbd55c48b3ae81dac0ef783f55616e6eeeda4f6b5cb7a7751e10a9ac316899d0c21d3

    Download Submit

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe
    Filesize

    1.5MB

    MD5

    4d4416d03c666f90cdffed05443b2ad1

    SHA1

    51dcca8d0e1b4d15f48497e42a421f5e4427bfd7

    SHA256

    09f8d2c21b615748a3789084587025142032537945301db93fc828adc836c7b6

    SHA512

    2556ed2aa689867285882543eebed0a6aa1a5af387fe15a2a5ef2138904fbd55c48b3ae81dac0ef783f55616e6eeeda4f6b5cb7a7751e10a9ac316899d0c21d3

    Download Submit

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe
    Filesize

    1.5MB

    MD5

    4d4416d03c666f90cdffed05443b2ad1

    SHA1

    51dcca8d0e1b4d15f48497e42a421f5e4427bfd7

    SHA256

    09f8d2c21b615748a3789084587025142032537945301db93fc828adc836c7b6

    SHA512

    2556ed2aa689867285882543eebed0a6aa1a5af387fe15a2a5ef2138904fbd55c48b3ae81dac0ef783f55616e6eeeda4f6b5cb7a7751e10a9ac316899d0c21d3

    Download Submit

  • memory/212-148-0x0000000000000000-mapping.dmp

    Download

  • memory/780-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2472-149-0x0000000000000000-mapping.dmp

    Download

  • memory/2780-146-0x00007FF811A20000-0x00007FF8124E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2780-143-0x00000000000E0000-0x0000000000260000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2780-139-0x0000000000000000-mapping.dmp

    Download

  • memory/2780-154-0x00007FF811A20000-0x00007FF8124E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-142-0x0000000000000000-mapping.dmp

    Download

  • memory/4520-151-0x0000000000000000-mapping.dmp

    Download

  • memory/4520-155-0x00007FF811A20000-0x00007FF8124E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4520-156-0x00007FF811A20000-0x00007FF8124E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4520-157-0x00007FF811A20000-0x00007FF8124E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4580-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4580-135-0x0000000000A90000-0x0000000000D26000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4660-150-0x0000000000000000-mapping.dmp

    Download

  • memory/5012-147-0x0000000000000000-mapping.dmp

    Download