Overview

overview

10

Static

static

10

2e3ffb5f7f...64.exe

windows7-x64

10

2e3ffb5f7f...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-08-2023 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e3ffb5f7fbeb7a61469de81dc14d064.exe

  • Size

    2.7MB

  • MD5

    2e3ffb5f7fbeb7a61469de81dc14d064

  • SHA1

    9d153b840d6c9b2df768252086db867a8d910adc

  • SHA256

    247fb8446c5648499cbcba01cda9e97ce5daad8398343dc239f234465fc8a1e3

  • SHA512

    4c4dc0160eddb055a9455f5a9f8efce41551d7f148fbdac9262b92d01a3a24a487b961130fde374ce7040ca1adc270c7d119205766caceb21e3b8eeb1833c9c3

  • SSDEEP

    49152:UbA30UK6G4e3r8dh03amztNBDLTAOGqrXkAS+iIHLlDbDCXj63:Ub4/G94dmKmt/MoQASwbDec

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 22 IoCs
    persistence
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e3ffb5f7fbeb7a61469de81dc14d064.exe
    "C:\Users\Admin\AppData\Local\Temp\2e3ffb5f7fbeb7a61469de81dc14d064.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4516
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComponentWebSvc\dnFW74Kzw603.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ComponentWebSvc\4ZTbrMkez5.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\ComponentWebSvc\Componentruntime.exe
          "C:\ComponentWebSvc\Componentruntime.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\ComponentWebSvc\StartMenuExperienceHost.exe
            "C:\ComponentWebSvc\StartMenuExperienceHost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:752
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComponentWebSvc\file.vbs"
      2⤵
        PID:1352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\ComponentWebSvc\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ComponentWebSvc\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\ComponentWebSvc\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\ComponentWebSvc\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\ComponentWebSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\ComponentWebSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3428
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\en-US\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:60
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Setup\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Setup\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\ComponentWebSvc\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ComponentWebSvc\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\ComponentWebSvc\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\ComponentWebSvc\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\ComponentWebSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\ComponentWebSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ComponentWebSvc\4ZTbrMkez5.bat
      Filesize

      41B

      MD5

      f2a92cda1e56df588a3d30bc691e2f90

      SHA1

      a7365408d901d997fb85f675e72d24365a2d5a5d

      SHA256

      700925fccc92f0993b3f5226794279d70702c983249a1a27b49bdbdf9565c22e

      SHA512

      ae68e657e28650a1b59926d381f08e9e4c62a673ed445c4d4d4a4a85970f6e61d6b5b250980c62e9a12d2475c3f23d5532db2c6d98f672d0196df67b8525626c

      Download Submit

    • C:\ComponentWebSvc\Componentruntime.exe
      Filesize

      2.4MB

      MD5

      c96ab99f9e455ca8998df8b93a0d0ec2

      SHA1

      3be467577bf802731e0900f3e32fbb2747a23b84

      SHA256

      8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

      SHA512

      d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

      Download Submit

    • C:\ComponentWebSvc\Componentruntime.exe
      Filesize

      2.4MB

      MD5

      c96ab99f9e455ca8998df8b93a0d0ec2

      SHA1

      3be467577bf802731e0900f3e32fbb2747a23b84

      SHA256

      8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

      SHA512

      d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

      Download Submit

    • C:\ComponentWebSvc\StartMenuExperienceHost.exe
      Filesize

      2.4MB

      MD5

      c96ab99f9e455ca8998df8b93a0d0ec2

      SHA1

      3be467577bf802731e0900f3e32fbb2747a23b84

      SHA256

      8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

      SHA512

      d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

      Download Submit

    • C:\ComponentWebSvc\StartMenuExperienceHost.exe
      Filesize

      2.4MB

      MD5

      c96ab99f9e455ca8998df8b93a0d0ec2

      SHA1

      3be467577bf802731e0900f3e32fbb2747a23b84

      SHA256

      8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

      SHA512

      d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

      Download Submit

    • C:\ComponentWebSvc\dnFW74Kzw603.vbe
      Filesize

      202B

      MD5

      d24d8ce4b1ef38e575a7926863890612

      SHA1

      158cc0e501359b687e85550d408f08491f7559d2

      SHA256

      66dc9d6eadaff46e3bdb9aa46b5352e4b981526dc0bbde3ccc2668e3b9a5944a

      SHA512

      d191727338eb23f698257062679985e945866e03eb882745114ee56d8a48d1004b4ad785d180a06c604955e6d2b997bcf121569c9a195c3f6431c75e9871353b

      Download Submit

    • C:\ComponentWebSvc\file.vbs
      Filesize

      34B

      MD5

      677cc4360477c72cb0ce00406a949c61

      SHA1

      b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

      SHA256

      f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

      SHA512

      7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

      Download Submit

    • C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe
      Filesize

      2.4MB

      MD5

      c96ab99f9e455ca8998df8b93a0d0ec2

      SHA1

      3be467577bf802731e0900f3e32fbb2747a23b84

      SHA256

      8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

      SHA512

      d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

      Download Submit

    • memory/752-189-0x00007FFF00380000-0x00007FFF00E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/752-191-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/752-192-0x00007FFF00380000-0x00007FFF00E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/752-193-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3000-153-0x000000001CAD0000-0x000000001CFF8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3000-152-0x000000001BF00000-0x000000001BF10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3000-151-0x00007FFF00380000-0x00007FFF00E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3000-150-0x0000000000F60000-0x00000000011CC000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/3000-190-0x00007FFF00380000-0x00007FFF00E41000-memory.dmp

      Filesize

      10.8MB

      Download