Overview

overview

10

Static

static

7

InstallFile.exe

windows7-x64

10

InstallFile.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    26s
  • max time network
    2s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2023 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    InstallFile.exe

  • Size

    2.2MB

  • MD5

    e14d3c54fb43442b8c99febfb7007d71

  • SHA1

    5f2872a705eb75516e491b0a3e57d8fd945a23c5

  • SHA256

    f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366

  • SHA512

    aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf

  • SSDEEP

    49152:JmYP7zNGoWl6NcM8HLSqHmNMZkWHkF+H:JmYzGQWJrtGI

Score
10/10
dcratevasioninfostealerratthemidatrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\InstallFile.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallFile.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\odt\SppExtComObj.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\upfc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SearchApp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Templates\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Java\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Java\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1152-132-0x0000000000840000-0x0000000000ECC000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1152-135-0x00000000771B0000-0x0000000077353000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1152-136-0x0000000000840000-0x0000000000ECC000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1152-137-0x00000000065B0000-0x0000000006B54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1152-138-0x00000000061E0000-0x0000000006230000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1152-139-0x0000000006C00000-0x0000000006C92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1152-140-0x0000000006CA0000-0x0000000006D06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1152-141-0x0000000000840000-0x0000000000ECC000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1152-142-0x00000000771B0000-0x0000000077353000-memory.dmp

    Filesize

    1.6MB

    Download