Overview

overview

10

Static

static

10

0e444044fd...5b.exe

windows7-x64

10

0e444044fd...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2023 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e444044fdfea512ca18fc3396abb65b.exe

  • Size

    2.4MB

  • MD5

    0e444044fdfea512ca18fc3396abb65b

  • SHA1

    8b601ccad5b2a76967c0ca7579dc13d092307f34

  • SHA256

    3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

  • SHA512

    7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

  • SSDEEP

    49152:bkcwlRFUh2b69Cs9MR3uh+tytRY1aLXYqIiiJd2EHt:bkdlRI3ceI1azYqWj

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e444044fdfea512ca18fc3396abb65b.exe
    "C:\Users\Admin\AppData\Local\Temp\0e444044fdfea512ca18fc3396abb65b.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1064
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RYgIhUrcip.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:612
        • C:\MSOCache\All Users\taskhost.exe
          "C:\MSOCache\All Users\taskhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\en-US\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1596

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\taskhost.exe
      Filesize

      2.4MB

      MD5

      0e444044fdfea512ca18fc3396abb65b

      SHA1

      8b601ccad5b2a76967c0ca7579dc13d092307f34

      SHA256

      3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

      SHA512

      7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

      Download Submit

    • C:\MSOCache\All Users\taskhost.exe
      Filesize

      2.4MB

      MD5

      0e444044fdfea512ca18fc3396abb65b

      SHA1

      8b601ccad5b2a76967c0ca7579dc13d092307f34

      SHA256

      3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

      SHA512

      7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RYgIhUrcip.bat
      Filesize

      199B

      MD5

      23ba7533df7058309256b1e95a98e5c9

      SHA1

      c10103d742de4012cac89013e563645fe7c00f47

      SHA256

      302942214581c329407ccadf668df70010e55fc6282da54491efbf3dbd0aef61

      SHA512

      692f1c2aaaddd2140bffbdabf5e4e8344ca9ebd3844d2db2c1181cacd79bcea62edd6866750f4b23279a78c4be49bc50546beac49b9d53a69150df8c8f1f6c35

      Download Submit

    • C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe
      Filesize

      2.4MB

      MD5

      0e444044fdfea512ca18fc3396abb65b

      SHA1

      8b601ccad5b2a76967c0ca7579dc13d092307f34

      SHA256

      3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

      SHA512

      7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

      Download Submit

    • memory/1064-59-0x0000000000910000-0x000000000091A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1064-65-0x00000000022A0000-0x00000000022A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1064-60-0x0000000002250000-0x00000000022A6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1064-61-0x0000000000920000-0x000000000092C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1064-62-0x00000000020A0000-0x00000000020AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1064-63-0x00000000020B0000-0x00000000020BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1064-64-0x00000000022B0000-0x00000000022BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1064-54-0x0000000000390000-0x0000000000608000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1064-58-0x0000000000870000-0x0000000000886000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1064-57-0x0000000000760000-0x000000000077C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1064-56-0x000000001B110000-0x000000001B190000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1064-55-0x0000000000750000-0x000000000075E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1360-85-0x00000000012E0000-0x0000000001558000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1360-86-0x0000000000950000-0x00000000009A6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1360-87-0x000000001B050000-0x000000001B0D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1360-88-0x000000001B050000-0x000000001B0D0000-memory.dmp

      Filesize

      512KB

      Download