Overview

overview

10

Static

static

10

9781aaa439...9f.exe

windows7-x64

10

9781aaa439...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2023 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9781aaa439fcf85da08d40c5c3e3909f.exe

  • Size

    2.9MB

  • MD5

    9781aaa439fcf85da08d40c5c3e3909f

  • SHA1

    edd84aae94017cdde7dd564d2791c6389f98c01f

  • SHA256

    413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35

  • SHA512

    27be25ed8a4df487bbb3066a9d67ee8403cb91ec8f21aeb2367252c57cf209903f01f770394f6e9d05e627a7697a9ba446bea98f65f5be166f7be33c74dedd02

  • SSDEEP

    49152:VVqaWggE8cLbTM0Qpx80y5tq4JyiK+RzzO/twfoLFAq4JNpFLP7:zqLggl0QpC0qt/JyV+hz5foLB4Jn

Score
10/10
dcratevasioninfostealerratspywarestealertrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\9781aaa439fcf85da08d40c5c3e3909f.exe
    "C:\Users\Admin\AppData\Local\Temp\9781aaa439fcf85da08d40c5c3e3909f.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:324
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y6R1EO2Q7w.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2880
        • C:\Users\Public\Music\taskhostw.exe
          "C:\Users\Public\Music\taskhostw.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3316
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69b74b01-6754-4280-b47d-534791876905.vbs"
            4⤵
              PID:4808
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac3e06f-31d6-4228-8af3-470141579451.vbs"
              4⤵
                PID:1312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\taskhostw.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2812
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4152
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1852
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1400
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1420
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\odt\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sysmon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1816
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3640
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:548
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
            PID:2440

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Bypass User Account Control

          1
          T1088

          Scheduled Task

          1
          T1053

          Defense Evasion

          Bypass User Account Control

          1
          T1088

          Disabling Security Tools

          1
          T1089

          Modify Registry

          2
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\5ac3e06f-31d6-4228-8af3-470141579451.vbs
            Filesize

            487B

            MD5

            88e0e35770ef41324f8268a35ef5aa02

            SHA1

            6dd0f3b4db94d9235b7290de3d4911b57c3b43a5

            SHA256

            57898915471640e5abff522083d2f20af50ec4f2f4f7cb83a22dfd104acb82cc

            SHA512

            8d6b8faa0c31563f3bbe82a24d7510923db8d7b74b0fb1709546a52e3727efafca8877afcd66c47133ddaf76682c907918c4fbf0a0d5d42af71d8dfe550e04e9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\69b74b01-6754-4280-b47d-534791876905.vbs
            Filesize

            711B

            MD5

            d082228e554102c0304d5dc8b8b9971c

            SHA1

            3bf465bccd67e80afd394b673567acbaa7354e07

            SHA256

            6f57fca2bc4b58ec225f06030afbd52350fd80158c6c9f8f201deb8fe69fab2f

            SHA512

            7cf3d25f620f0ad09235f7def39a50a5250041e1ce91a8d70e04f0d0a9a915000b65e8c9946482520322cea062eb2155c00d414b1658b3b76c7bac2119dfaf71

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\y6R1EO2Q7w.bat
            Filesize

            200B

            MD5

            683c09e9cde0d05aace192e550b9cf06

            SHA1

            9443eaec473b7c04936f8f2f9ac8c0621ac59d67

            SHA256

            a03af45fe83c0149e0c4ce26c6eebc8c2ff95cc949d1866926a26e5a669eee6c

            SHA512

            1587f2a6ad11b0ae863dca228d060c97db6b74c93a69fc1add50e639e123466676b063ca4c6293aae54d027284340d00f25710f6be54c598b413e62b7f45fc5a

            Download Submit
          • C:\Users\Public\Music\taskhostw.exe
            Filesize

            2.9MB

            MD5

            9781aaa439fcf85da08d40c5c3e3909f

            SHA1

            edd84aae94017cdde7dd564d2791c6389f98c01f

            SHA256

            413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35

            SHA512

            27be25ed8a4df487bbb3066a9d67ee8403cb91ec8f21aeb2367252c57cf209903f01f770394f6e9d05e627a7697a9ba446bea98f65f5be166f7be33c74dedd02

            Download Submit
          • C:\Users\Public\Music\taskhostw.exe
            Filesize

            2.9MB

            MD5

            9781aaa439fcf85da08d40c5c3e3909f

            SHA1

            edd84aae94017cdde7dd564d2791c6389f98c01f

            SHA256

            413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35

            SHA512

            27be25ed8a4df487bbb3066a9d67ee8403cb91ec8f21aeb2367252c57cf209903f01f770394f6e9d05e627a7697a9ba446bea98f65f5be166f7be33c74dedd02

            Download Submit
          • C:\odt\RuntimeBroker.exe
            Filesize

            2.9MB

            MD5

            9781aaa439fcf85da08d40c5c3e3909f

            SHA1

            edd84aae94017cdde7dd564d2791c6389f98c01f

            SHA256

            413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35

            SHA512

            27be25ed8a4df487bbb3066a9d67ee8403cb91ec8f21aeb2367252c57cf209903f01f770394f6e9d05e627a7697a9ba446bea98f65f5be166f7be33c74dedd02

            Download Submit
          • memory/324-133-0x0000000000850000-0x0000000000B36000-memory.dmp
            Filesize

            2.9MB

            Download
          • memory/324-134-0x0000000002BD0000-0x0000000002BE0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/324-135-0x0000000002DA0000-0x0000000002DF0000-memory.dmp
            Filesize

            320KB

            Download
          • memory/324-136-0x000000001D010000-0x000000001D538000-memory.dmp
            Filesize

            5.2MB

            Download
          • memory/3316-164-0x000000001C830000-0x000000001C840000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3316-209-0x000000001DBA0000-0x000000001DBB7000-memory.dmp
            Filesize

            92KB

            Download