Overview

overview

10

Static

static

1

0788f92fd8...5d.exe

windows7-x64

10

0788f92fd8...5d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01/03/2023, 23:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0788f92fd80bc11117bec239bb15755d.exe

  • Size

    765KB

  • MD5

    0788f92fd80bc11117bec239bb15755d

  • SHA1

    10e4dd67943d8dfb22a223e0ce09597b5346144b

  • SHA256

    e265b6463579660b348a31ee258dbe9da699f5dbfd3649944ad4d2b61daf6cd1

  • SHA512

    3257b30d4527d0a0de2e7d89ce6e3afaebfa671b0392d4558a1b6fd364f64bb313d0a5472bbfaf4f269148f6b49ccd54ab2532ef5084c2548146ce7327087517

  • SSDEEP

    6144:nNg3uaSnrqUkT4CTAsc4gOL2+KKVxqFHa6fY++CyeSoSmF8OnFz1nCsLyyBA9whp:NKupNkTz7ufC4VUobBqBLku0cnCW

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 9 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0788f92fd80bc11117bec239bb15755d.exe
    "C:\Users\Admin\AppData\Local\Temp\0788f92fd80bc11117bec239bb15755d.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:924
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NCRG9tFKzO.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:328
        • C:\Users\Admin\AppData\Local\Temp\0788f92fd80bc11117bec239bb15755d.exe
          "C:\Users\Admin\AppData\Local\Temp\0788f92fd80bc11117bec239bb15755d.exe"
          3⤵
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1536
          • C:\Windows\System32\CompMgmtLauncher\wininit.exe
            "C:\Windows\System32\CompMgmtLauncher\wininit.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\AuxiliaryDisplayCpl\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\CompMgmtLauncher\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\cmutil\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\cmd\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\fdSSDP\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1668

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Windows Media Player\System.exe
      Filesize

      765KB

      MD5

      0788f92fd80bc11117bec239bb15755d

      SHA1

      10e4dd67943d8dfb22a223e0ce09597b5346144b

      SHA256

      e265b6463579660b348a31ee258dbe9da699f5dbfd3649944ad4d2b61daf6cd1

      SHA512

      3257b30d4527d0a0de2e7d89ce6e3afaebfa671b0392d4558a1b6fd364f64bb313d0a5472bbfaf4f269148f6b49ccd54ab2532ef5084c2548146ce7327087517

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NCRG9tFKzO.bat
      Filesize

      234B

      MD5

      757774e5eb98099b8269e1efcd309fc6

      SHA1

      5f61b7afaa6aa750457da6d44c01f9dd2710105d

      SHA256

      686c4083de4474ff634f09af13f9b65753ab4bd273650112d4a9fede32c98088

      SHA512

      bb494e84ac9d7e91037d9c96e6a9053111608f15177ac1b026e9bda2bc3fe728d51b2e1cb6e3f8b3fe0d16f2ae3a61ff059c2a25bb31ef4aa5ccd9d789e4fe60

      Download Submit

    • C:\Windows\System32\CompMgmtLauncher\wininit.exe
      Filesize

      765KB

      MD5

      0788f92fd80bc11117bec239bb15755d

      SHA1

      10e4dd67943d8dfb22a223e0ce09597b5346144b

      SHA256

      e265b6463579660b348a31ee258dbe9da699f5dbfd3649944ad4d2b61daf6cd1

      SHA512

      3257b30d4527d0a0de2e7d89ce6e3afaebfa671b0392d4558a1b6fd364f64bb313d0a5472bbfaf4f269148f6b49ccd54ab2532ef5084c2548146ce7327087517

      Download Submit

    • C:\Windows\System32\CompMgmtLauncher\wininit.exe
      Filesize

      765KB

      MD5

      0788f92fd80bc11117bec239bb15755d

      SHA1

      10e4dd67943d8dfb22a223e0ce09597b5346144b

      SHA256

      e265b6463579660b348a31ee258dbe9da699f5dbfd3649944ad4d2b61daf6cd1

      SHA512

      3257b30d4527d0a0de2e7d89ce6e3afaebfa671b0392d4558a1b6fd364f64bb313d0a5472bbfaf4f269148f6b49ccd54ab2532ef5084c2548146ce7327087517

      Download Submit

    • memory/924-54-0x0000000000F10000-0x0000000000FD6000-memory.dmp

      Filesize

      792KB

      Download

    • memory/924-55-0x000000001ADA0000-0x000000001AE20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1740-85-0x00000000001A0000-0x0000000000266000-memory.dmp

      Filesize

      792KB

      Download

    • memory/1740-86-0x0000000000650000-0x00000000006D0000-memory.dmp

      Filesize

      512KB

      Download