Overview

overview

10

Static

static

10

05301399.exe

windows7-x64

10

05301399.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2023 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05301399.exe

  • Size

    828KB

  • MD5

    ece82b00b9400f1d09a763853964e291

  • SHA1

    b1b36fcd10ff7833f9bb430ea371df5d295498af

  • SHA256

    90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

  • SHA512

    52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

  • SSDEEP

    12288:NaKyDgt9n5S56ZJ2dUWmBXcKOLUJMgAGuhLbLwN:NyDgt9n4iJ2dUbXwRgAGuLbLwN

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\05301399.exe
    "C:\Users\Admin\AppData\Local\Temp\05301399.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Public\Documents\My Videos\fontdrvhost.exe
      "C:\Users\Public\Documents\My Videos\fontdrvhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:2196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:4660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Videos\fontdrvhost.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:1168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:3868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:4756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:4572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:3412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:4736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\smss.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:3584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\smss.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\smss.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:3432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:5096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\odt\spoolsv.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:2308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\apppatch\services.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\apppatch\services.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\apppatch\services.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:4740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:3748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\unsecapp.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sysmon.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:4564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:3404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:4872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\WindowsRE\RuntimeBroker.exe
    Filesize

    828KB

    MD5

    ece82b00b9400f1d09a763853964e291

    SHA1

    b1b36fcd10ff7833f9bb430ea371df5d295498af

    SHA256

    90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

    SHA512

    52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

    Download Submit
  • C:\Users\Public\Documents\My Videos\fontdrvhost.exe
    Filesize

    828KB

    MD5

    ece82b00b9400f1d09a763853964e291

    SHA1

    b1b36fcd10ff7833f9bb430ea371df5d295498af

    SHA256

    90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

    SHA512

    52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

    Download Submit
  • C:\Users\Public\Videos\fontdrvhost.exe
    Filesize

    828KB

    MD5

    ece82b00b9400f1d09a763853964e291

    SHA1

    b1b36fcd10ff7833f9bb430ea371df5d295498af

    SHA256

    90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

    SHA512

    52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

    Download Submit
  • memory/1300-133-0x0000000000170000-0x0000000000246000-memory.dmp
    Filesize

    856KB

    Download
  • memory/1300-134-0x0000000000780000-0x0000000000790000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4696-185-0x00000000027F0000-0x0000000002800000-memory.dmp
    Filesize

    64KB

    Download