Overview

overview

10

Static

static

10

333413d3a1...46.exe

windows7-x64

10

333413d3a1...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    13-07-2023 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    333413d3a10dbf3bf121d1ab4b866346.exe

  • Size

    2.3MB

  • MD5

    333413d3a10dbf3bf121d1ab4b866346

  • SHA1

    e4ab9d6bbc56e1c48c2a444cf885833af963fd09

  • SHA256

    7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

  • SHA512

    59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

  • SSDEEP

    49152:INaBz16Zarg7zdXaCVCPr5szFTBwWGZfr9KWz/:Ia8YQsfPrUlyWGF4Wz/

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\333413d3a10dbf3bf121d1ab4b866346.exe
    "C:\Users\Admin\AppData\Local\Temp\333413d3a10dbf3bf121d1ab4b866346.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zJxqwOqoEf.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2284
        • C:\Program Files (x86)\Windows NT\Accessories\fr-FR\taskhost.exe
          "C:\Program Files (x86)\Windows NT\Accessories\fr-FR\taskhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\it-IT\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\it-IT\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2460
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1660

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Windows NT\Accessories\fr-FR\taskhost.exe
      Filesize

      2.3MB

      MD5

      333413d3a10dbf3bf121d1ab4b866346

      SHA1

      e4ab9d6bbc56e1c48c2a444cf885833af963fd09

      SHA256

      7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

      SHA512

      59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

      Download Submit

    • C:\Program Files (x86)\Windows NT\Accessories\fr-FR\taskhost.exe
      Filesize

      2.3MB

      MD5

      333413d3a10dbf3bf121d1ab4b866346

      SHA1

      e4ab9d6bbc56e1c48c2a444cf885833af963fd09

      SHA256

      7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

      SHA512

      59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\zJxqwOqoEf.bat
      Filesize

      229B

      MD5

      b6c049328f49f5e8ce76468c27aba412

      SHA1

      a384c36adf7e571ab1c0cf7c0b34df0d0be45e97

      SHA256

      5f180418facb903b970da60ee70c606d9e5ec04beffa9a5717263013fcf60985

      SHA512

      86f58e57ef44d59d09fe68e1f52024dccf1f4d9830088d141dd0f64c4cb9667684596e1aa6c6f8afcf3c8a7f1cbe501fe10fed67aa2252a69a4acd1d47ec286d

      Download Submit

    • C:\Users\Default\lsm.exe
      Filesize

      2.3MB

      MD5

      333413d3a10dbf3bf121d1ab4b866346

      SHA1

      e4ab9d6bbc56e1c48c2a444cf885833af963fd09

      SHA256

      7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

      SHA512

      59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

      Download Submit

    • memory/888-100-0x000007FEF4F90000-0x000007FEF597C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/888-101-0x00000000010F0000-0x0000000001342000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/888-130-0x000000001B1E0000-0x000000001B260000-memory.dmp

      Filesize

      512KB

      Download

    • memory/888-129-0x000000001B1E0000-0x000000001B260000-memory.dmp

      Filesize

      512KB

      Download

    • memory/888-128-0x000007FEF4F90000-0x000007FEF597C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/888-108-0x000000001B1E0000-0x000000001B260000-memory.dmp

      Filesize

      512KB

      Download

    • memory/888-103-0x0000000000460000-0x0000000000472000-memory.dmp

      Filesize

      72KB

      Download

    • memory/888-102-0x000000001B1E0000-0x000000001B260000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2264-63-0x00000000009C0000-0x00000000009C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2264-56-0x0000000000810000-0x0000000000890000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2264-55-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2264-54-0x00000000000A0000-0x00000000002F2000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2264-57-0x00000000003A0000-0x00000000003BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2264-97-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2264-58-0x0000000000650000-0x0000000000666000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2264-59-0x000000001A950000-0x000000001A9A6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2264-62-0x00000000009B0000-0x00000000009B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2264-61-0x00000000009A0000-0x00000000009AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2264-60-0x00000000003C0000-0x00000000003D2000-memory.dmp

      Filesize

      72KB

      Download