Overview

overview

10

Static

static

HEUR-Troja...00.exe

windows7-x64

10

HEUR-Troja...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2023 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Trojan.Win32.Generic-7fe5834f29daabc2f00.exe

  • Size

    1.5MB

  • MD5

    c532d809990659da1bc427ad039a7d5c

  • SHA1

    6158717c914aea611074a14fd0527663e95ccb64

  • SHA256

    7fe5834f29daabc2f0034eff990a5dcadccdbbad7a6428eea416322020f2afef

  • SHA512

    b70d7d8f646d5bb1bb1a7bbd787c16647448d00291ed231b79e2193237d3ac1d00d584873cadccfea1a7494648a1c9050a056f42ce8d434a8b5318d4f2371d63

  • SSDEEP

    12288:CC6105US81giZG7/N8vzvD//dH1P2TZeQmrD0:TUS813T

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-7fe5834f29daabc2f00.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-7fe5834f29daabc2f00.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe
      "C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\KBDDV\csrss.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1540
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\C_10079\spoolsv.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:688
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\mciseq\taskhost.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1552
      • C:\Windows\System32\C_10079\spoolsv.exe
        "C:\Windows\System32\C_10079\spoolsv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1020

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe
    Filesize

    579KB

    MD5

    a5bb468e6bb248387e71ff2692106d47

    SHA1

    c673a5f6bee9ad99068a43455fac19cb4ffb948b

    SHA256

    5caa9414d268c408b9a82f4442a87efa2f7f4058d44de616a17da6c5ab113bc3

    SHA512

    fd8bdbb071ab7191ade1b19af740ceefd3743effa69c265a51bd98508aa62b73217e6fc99f19b09bd75d5403d71370a73575dd7fad3a9d1c679d0a1d7f3e743e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe
    Filesize

    579KB

    MD5

    a5bb468e6bb248387e71ff2692106d47

    SHA1

    c673a5f6bee9ad99068a43455fac19cb4ffb948b

    SHA256

    5caa9414d268c408b9a82f4442a87efa2f7f4058d44de616a17da6c5ab113bc3

    SHA512

    fd8bdbb071ab7191ade1b19af740ceefd3743effa69c265a51bd98508aa62b73217e6fc99f19b09bd75d5403d71370a73575dd7fad3a9d1c679d0a1d7f3e743e

    Download Submit

  • C:\Windows\System32\C_10079\spoolsv.exe
    Filesize

    579KB

    MD5

    a5bb468e6bb248387e71ff2692106d47

    SHA1

    c673a5f6bee9ad99068a43455fac19cb4ffb948b

    SHA256

    5caa9414d268c408b9a82f4442a87efa2f7f4058d44de616a17da6c5ab113bc3

    SHA512

    fd8bdbb071ab7191ade1b19af740ceefd3743effa69c265a51bd98508aa62b73217e6fc99f19b09bd75d5403d71370a73575dd7fad3a9d1c679d0a1d7f3e743e

    Download Submit

  • C:\Windows\System32\C_10079\spoolsv.exe
    Filesize

    579KB

    MD5

    a5bb468e6bb248387e71ff2692106d47

    SHA1

    c673a5f6bee9ad99068a43455fac19cb4ffb948b

    SHA256

    5caa9414d268c408b9a82f4442a87efa2f7f4058d44de616a17da6c5ab113bc3

    SHA512

    fd8bdbb071ab7191ade1b19af740ceefd3743effa69c265a51bd98508aa62b73217e6fc99f19b09bd75d5403d71370a73575dd7fad3a9d1c679d0a1d7f3e743e

    Download Submit

  • memory/688-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1020-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1020-66-0x0000000000A50000-0x0000000000AE8000-memory.dmp

    Filesize

    608KB

    Download

  • memory/1284-54-0x0000000000C60000-0x0000000000DEA000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1540-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1552-61-0x0000000000000000-mapping.dmp

    Download

  • memory/2040-62-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2040-58-0x0000000000D00000-0x0000000000D98000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2040-55-0x0000000000000000-mapping.dmp

    Download