Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/07/2023, 19:56

General

  • Target

    3a971964658a0bcaa170bed49.exe

  • Size

    1.1MB

  • MD5

    3a971964658a0bcaa170bed495b58f02

  • SHA1

    13a17c7def21294f71b50db342e52685161432dc

  • SHA256

    b1793fd7329055b97df5f70b7a325df0b79a132321e9d116d501fa9aaa95d4dd

  • SHA512

    f94e13e6f884f841b8181b85a93c1dcaa1c4c06c5e4e158c1c4fb7cd7251ef9b8a1fe5179fdb578a255b9624e4c19f24068013bbb5490a6740f6ff9bf357dc0e

  • SSDEEP

    24576:DAkqmxZDdR4L5LGwrZrD69Ug/oL8WkKWb7LnwPCsu:DA3WZDf4L5k9xOSKWnLGD

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a971964658a0bcaa170bed49.exe
    "C:\Users\Admin\AppData\Local\Temp\3a971964658a0bcaa170bed49.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\06uRfOfGub.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2748
        • C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\services.exe
          "C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\services.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Prefetch\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "3a971964658a0bcaa170bed493" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\3a971964658a0bcaa170bed49.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "3a971964658a0bcaa170bed49" /sc ONLOGON /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\3a971964658a0bcaa170bed49.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "3a971964658a0bcaa170bed493" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\3a971964658a0bcaa170bed49.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\fr-FR\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2708

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\services.exe

      Filesize

      1.1MB

      MD5

      3a971964658a0bcaa170bed495b58f02

      SHA1

      13a17c7def21294f71b50db342e52685161432dc

      SHA256

      b1793fd7329055b97df5f70b7a325df0b79a132321e9d116d501fa9aaa95d4dd

      SHA512

      f94e13e6f884f841b8181b85a93c1dcaa1c4c06c5e4e158c1c4fb7cd7251ef9b8a1fe5179fdb578a255b9624e4c19f24068013bbb5490a6740f6ff9bf357dc0e

    • C:\Users\Admin\AppData\Local\Temp\06uRfOfGub.bat

      Filesize

      226B

      MD5

      c2a373fc5e775d17e7695a70a8ece5c5

      SHA1

      44dc8a4be7b962ab11ba0651336d74a0558c7c92

      SHA256

      eba674cf878b4b9a5f267d64e4e17db7629fc3091c2e35ed3d310cea5d7d8a68

      SHA512

      98d46648cd6e946f18a5de485f56af6d88fc8c00fdb9cf5d57430cb4b16c95cb7c2c23c8c26cc7866da957a646086ad90794e4faad4b96fb81a3dfe683da9d07

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\taskhost.exe

      Filesize

      1.1MB

      MD5

      3a971964658a0bcaa170bed495b58f02

      SHA1

      13a17c7def21294f71b50db342e52685161432dc

      SHA256

      b1793fd7329055b97df5f70b7a325df0b79a132321e9d116d501fa9aaa95d4dd

      SHA512

      f94e13e6f884f841b8181b85a93c1dcaa1c4c06c5e4e158c1c4fb7cd7251ef9b8a1fe5179fdb578a255b9624e4c19f24068013bbb5490a6740f6ff9bf357dc0e

    • memory/596-85-0x0000000000C60000-0x0000000000D86000-memory.dmp

      Filesize

      1.1MB

    • memory/596-86-0x000000001B060000-0x000000001B0E0000-memory.dmp

      Filesize

      512KB

    • memory/596-92-0x000000001B060000-0x000000001B0E0000-memory.dmp

      Filesize

      512KB

    • memory/2308-54-0x0000000000CB0000-0x0000000000DD6000-memory.dmp

      Filesize

      1.1MB

    • memory/2308-55-0x00000000004C0000-0x00000000004DC000-memory.dmp

      Filesize

      112KB

    • memory/2308-56-0x000000001B120000-0x000000001B1A0000-memory.dmp

      Filesize

      512KB

    • memory/2308-57-0x0000000000560000-0x0000000000576000-memory.dmp

      Filesize

      88KB