Overview

overview

10

Static

static

10

54c6b64cb2...ee.exe

windows7-x64

10

54c6b64cb2...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2023 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54c6b64cb242fc9e210578980c59c0ee.exe

  • Size

    1.3MB

  • MD5

    54c6b64cb242fc9e210578980c59c0ee

  • SHA1

    1dc98a41b748f67c73fd7be8d702dfc60e7c8305

  • SHA256

    d56bc8947bd949294eeb0b4191b94beb2553e5972c72587ddd215ebaf899354b

  • SHA512

    445089b0c012451f557e9a15f2cd5cf5b62b002cdf82130e2087120b1964638bf7d98ae85026896ec343144a0c60a23de58a6bcc321fad91a2eddafe6a1f6cdb

  • SSDEEP

    24576:52G/nvxW3W60GnMGAa6h5QcxfImbaPaoVRhL0b7wTy:5bA3+G7AScxfIuaiod6

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\54c6b64cb242fc9e210578980c59c0ee.exe
    "C:\Users\Admin\AppData\Local\Temp\54c6b64cb242fc9e210578980c59c0ee.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\MsSurrogatesavesDllCommon\KNXxoYbYBPxFU.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\MsSurrogatesavesDllCommon\8EVty8tFPt0VqMZlz5bMQ6Tt5F96.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:712
        • C:\MsSurrogatesavesDllCommon\portcomponenthost.exe
          "C:\MsSurrogatesavesDllCommon\portcomponenthost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:360
          • C:\Program Files\Mozilla Firefox\fonts\Idle.exe
            "C:\Program Files\Mozilla Firefox\fonts\Idle.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\msadc\fr-FR\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\msadc\fr-FR\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\msadc\fr-FR\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MsSurrogatesavesDllCommon\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MsSurrogatesavesDllCommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MsSurrogatesavesDllCommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MsSurrogatesavesDllCommon\8EVty8tFPt0VqMZlz5bMQ6Tt5F96.bat
    Filesize

    52B

    MD5

    ce377e811edf958e24553755294774a8

    SHA1

    0c6faccdb6381e423aaef33e7544dce5de7cae60

    SHA256

    41c0d44b462f9731a9658a13e91ef3a02b964af9f16f3c53daf46441008eaa71

    SHA512

    f9b716e1a6884183d209d49a15354d8325e42e90cfefb2c6fe441d044e2496f1ab66675074c205bec79da04bf2673e0b5b5a10e6607a3ea869b2fe135942a575

    Download Submit
  • C:\MsSurrogatesavesDllCommon\KNXxoYbYBPxFU.vbe
    Filesize

    230B

    MD5

    d123093db1ad87dce8d25a1b15cc6f9f

    SHA1

    7c38bf3d49b5ba661b7979cbb60cd533a86a2018

    SHA256

    acbac6ea28763d88cdaa2f1bc1738b8c6149be7e30d66db31afa3babf3937537

    SHA512

    593397dbf44208fcefcc08de07a856b71a367a2bb77edb3ffcac4e7cf89fe2795b343a5617138ac1d79c474ae94e73cccf053306d959806634b0f88401b01de6

    Download Submit
  • C:\MsSurrogatesavesDllCommon\portcomponenthost.exe
    Filesize

    828KB

    MD5

    2ac0e24ee73528bf8e6205fdbf62cb48

    SHA1

    f103fb7fd6d4552c3e278d12a4d3e4fa3970cd22

    SHA256

    6a8b636d017e1d6daf0c78b7f46f7b0ab97805a4008301041603f79f6b3cd919

    SHA512

    c457029a45721254de3317573f466a7587794c80cdacb046de13418909363569df8f58d77b74c138bbb61f1d57be0db8bd408c8a3c840379b0d77fab01ebf136

    Download Submit
  • C:\MsSurrogatesavesDllCommon\portcomponenthost.exe
    Filesize

    828KB

    MD5

    2ac0e24ee73528bf8e6205fdbf62cb48

    SHA1

    f103fb7fd6d4552c3e278d12a4d3e4fa3970cd22

    SHA256

    6a8b636d017e1d6daf0c78b7f46f7b0ab97805a4008301041603f79f6b3cd919

    SHA512

    c457029a45721254de3317573f466a7587794c80cdacb046de13418909363569df8f58d77b74c138bbb61f1d57be0db8bd408c8a3c840379b0d77fab01ebf136

    Download Submit
  • C:\Program Files\Mozilla Firefox\fonts\Idle.exe
    Filesize

    828KB

    MD5

    2ac0e24ee73528bf8e6205fdbf62cb48

    SHA1

    f103fb7fd6d4552c3e278d12a4d3e4fa3970cd22

    SHA256

    6a8b636d017e1d6daf0c78b7f46f7b0ab97805a4008301041603f79f6b3cd919

    SHA512

    c457029a45721254de3317573f466a7587794c80cdacb046de13418909363569df8f58d77b74c138bbb61f1d57be0db8bd408c8a3c840379b0d77fab01ebf136

    Download Submit
  • C:\Program Files\Mozilla Firefox\fonts\Idle.exe
    Filesize

    828KB

    MD5

    2ac0e24ee73528bf8e6205fdbf62cb48

    SHA1

    f103fb7fd6d4552c3e278d12a4d3e4fa3970cd22

    SHA256

    6a8b636d017e1d6daf0c78b7f46f7b0ab97805a4008301041603f79f6b3cd919

    SHA512

    c457029a45721254de3317573f466a7587794c80cdacb046de13418909363569df8f58d77b74c138bbb61f1d57be0db8bd408c8a3c840379b0d77fab01ebf136

    Download Submit
  • C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\dwm.exe
    Filesize

    828KB

    MD5

    2ac0e24ee73528bf8e6205fdbf62cb48

    SHA1

    f103fb7fd6d4552c3e278d12a4d3e4fa3970cd22

    SHA256

    6a8b636d017e1d6daf0c78b7f46f7b0ab97805a4008301041603f79f6b3cd919

    SHA512

    c457029a45721254de3317573f466a7587794c80cdacb046de13418909363569df8f58d77b74c138bbb61f1d57be0db8bd408c8a3c840379b0d77fab01ebf136

    Download Submit
  • \MsSurrogatesavesDllCommon\portcomponenthost.exe
    Filesize

    828KB

    MD5

    2ac0e24ee73528bf8e6205fdbf62cb48

    SHA1

    f103fb7fd6d4552c3e278d12a4d3e4fa3970cd22

    SHA256

    6a8b636d017e1d6daf0c78b7f46f7b0ab97805a4008301041603f79f6b3cd919

    SHA512

    c457029a45721254de3317573f466a7587794c80cdacb046de13418909363569df8f58d77b74c138bbb61f1d57be0db8bd408c8a3c840379b0d77fab01ebf136

    Download Submit
  • \MsSurrogatesavesDllCommon\portcomponenthost.exe
    Filesize

    828KB

    MD5

    2ac0e24ee73528bf8e6205fdbf62cb48

    SHA1

    f103fb7fd6d4552c3e278d12a4d3e4fa3970cd22

    SHA256

    6a8b636d017e1d6daf0c78b7f46f7b0ab97805a4008301041603f79f6b3cd919

    SHA512

    c457029a45721254de3317573f466a7587794c80cdacb046de13418909363569df8f58d77b74c138bbb61f1d57be0db8bd408c8a3c840379b0d77fab01ebf136

    Download Submit
  • memory/360-67-0x0000000000BA0000-0x0000000000C76000-memory.dmp
    Filesize

    856KB

    Download
  • memory/360-68-0x000000001AE80000-0x000000001AF00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1480-101-0x0000000000E70000-0x0000000000F46000-memory.dmp
    Filesize

    856KB

    Download
  • memory/1480-102-0x00000000003F0000-0x0000000000470000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1480-103-0x00000000003F0000-0x0000000000470000-memory.dmp
    Filesize

    512KB

    Download