Overview

overview

10

Static

static

10

bb1ef2ca98...26.exe

windows7-x64

10

bb1ef2ca98...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2023 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb1ef2ca98ae809bf836c6f1767cc426.exe

  • Size

    827KB

  • MD5

    bb1ef2ca98ae809bf836c6f1767cc426

  • SHA1

    3ec5f3acbf39a52ae978cfe6d440090e6e7e85d6

  • SHA256

    5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74

  • SHA512

    c3d9a6ceaff7bfdca46cd115aad4ed0739cfdef2809149a29e5eca26a0a5cc9bedd0225adc17d6c4fb344a3edf0e553d24fdba63a34e820dcd8144453985e7cc

  • SSDEEP

    12288:tuSciL28Yzhe9iolOGbdUUd+3JQvv0Iggv0v/X8qnNLblqR:tciL28Y+iYOGpUUd+3HIg3nNLG

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb1ef2ca98ae809bf836c6f1767cc426.exe
    "C:\Users\Admin\AppData\Local\Temp\bb1ef2ca98ae809bf836c6f1767cc426.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPruMTYe2E.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3740
        • C:\odt\spoolsv.exe
          "C:\odt\spoolsv.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\odt\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\odt\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1756
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2264
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Themes\SIHClient.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Themes\SIHClient.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Themes\SIHClient.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:232

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe
      Filesize

      827KB

      MD5

      bb1ef2ca98ae809bf836c6f1767cc426

      SHA1

      3ec5f3acbf39a52ae978cfe6d440090e6e7e85d6

      SHA256

      5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74

      SHA512

      c3d9a6ceaff7bfdca46cd115aad4ed0739cfdef2809149a29e5eca26a0a5cc9bedd0225adc17d6c4fb344a3edf0e553d24fdba63a34e820dcd8144453985e7cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\gPruMTYe2E.bat
      Filesize

      183B

      MD5

      69561caeef7aa6ed66ad8a9a5c71bc9a

      SHA1

      4f6086901c8cfaf50aec57fc2a9a9329a99a64bc

      SHA256

      95252f1c3e1acd66d1a5a71cf562e2078495b46d8d4c2bcab818891604ede0ba

      SHA512

      66b43f47bf6313abe2b277796aa64d36e9cc7a42de5b0d54399833e56a4b615746dc3e993a5d2d7c97422c515606208732a9a90aa77d4d550d7c155acb651eda

      Download Submit
    • C:\odt\spoolsv.exe
      Filesize

      827KB

      MD5

      bb1ef2ca98ae809bf836c6f1767cc426

      SHA1

      3ec5f3acbf39a52ae978cfe6d440090e6e7e85d6

      SHA256

      5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74

      SHA512

      c3d9a6ceaff7bfdca46cd115aad4ed0739cfdef2809149a29e5eca26a0a5cc9bedd0225adc17d6c4fb344a3edf0e553d24fdba63a34e820dcd8144453985e7cc

      Download Submit
    • C:\odt\spoolsv.exe
      Filesize

      827KB

      MD5

      bb1ef2ca98ae809bf836c6f1767cc426

      SHA1

      3ec5f3acbf39a52ae978cfe6d440090e6e7e85d6

      SHA256

      5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74

      SHA512

      c3d9a6ceaff7bfdca46cd115aad4ed0739cfdef2809149a29e5eca26a0a5cc9bedd0225adc17d6c4fb344a3edf0e553d24fdba63a34e820dcd8144453985e7cc

      Download Submit
    • memory/2336-164-0x000000001BA50000-0x000000001BA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2336-165-0x000000001BA50000-0x000000001BA60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4972-133-0x0000000000450000-0x0000000000526000-memory.dmp
      Filesize

      856KB

      Download
    • memory/4972-134-0x000000001B4C0000-0x000000001B4D0000-memory.dmp
      Filesize

      64KB

      Download