Overview

overview

10

Static

static

3

b067ce7566...f2.exe

windows7-x64

10

b067ce7566...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 04:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b067ce756638b4266dc38d81abb68af2.exe

  • Size

    1.9MB

  • MD5

    b067ce756638b4266dc38d81abb68af2

  • SHA1

    a5dfa0b07ddc85b5bf3ab0a1027bb6fef3470f37

  • SHA256

    5c445f99c3c151573f373b65e070381d96df9260169433a01e7a7fab04ad88fe

  • SHA512

    3f49947ee3b8436a09a027496cd5e6a0ff0ae56f811d74e17b2f166f4da5cfddbf9a8d33926c8a4c228edbe53d05b6bcd1507aba064a56e31e688d91b4d677ed

  • SSDEEP

    49152:qcbzAoVVRaWf4aEqGaU5XBkvRdLtkdbW0qmxKghiX:qcbx9dtxu5arZkdX1K

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b067ce756638b4266dc38d81abb68af2.exe
    "C:\Users\Admin\AppData\Local\Temp\b067ce756638b4266dc38d81abb68af2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Users\Admin\AppData\Local\Temp\1.exe
        1.exe -pOIUTRGROID8IRGD7GD6UG
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe
          "C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1576
          • C:\Program Files\7-Zip\services.exe
            "C:\Program Files\7-Zip\services.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SchCache\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Setup\State\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\odt\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\SppExtComObj.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\TextInputHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Pictures\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\odt\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1104

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\services.exe
          Filesize

          1.5MB

          MD5

          f65cc7ac632006f36da65555ac55ce83

          SHA1

          59ab98b973cf37f5aa096b65677f282d24382e64

          SHA256

          f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

          SHA512

          4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

          Download Submit

        • C:\Program Files\7-Zip\services.exe
          Filesize

          1.5MB

          MD5

          f65cc7ac632006f36da65555ac55ce83

          SHA1

          59ab98b973cf37f5aa096b65677f282d24382e64

          SHA256

          f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

          SHA512

          4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1.bat
          Filesize

          46B

          MD5

          485b1f288e5f5e8cf3765a001ad83b90

          SHA1

          c7df06ea8734b550d90f810d84fd8a54c2fedaee

          SHA256

          0267d5b9766a69fc65b9cb2ae5945bc5d42e85d9f155c8f4a15786f27ca84e95

          SHA512

          95ccb456b58249f80fb6a5d0910bb7fd1c83734fac76be0479b238f05f7b5bfed1227656aef3287c956878d1dd6a9dceaea93b482de272aa5764088941700272

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1.exe
          Filesize

          1.8MB

          MD5

          db26634068f2b0c596b1b029f1763792

          SHA1

          883814f09c8462194ea45991e9dbdc499da14709

          SHA256

          37b21ed3b707757ffe29f249a9a47c6729a8354ce9940c4d4a11b0bfb1d24f30

          SHA512

          1c3c7fa7db6dbaf8585eae46b57ea12d5e16ea02b22f499bff49275102f91f09a7ccffa58f9d6adddfc39512e0e3484925c152f799cd77a6ba1118b8fecb364a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1.exe
          Filesize

          1.8MB

          MD5

          db26634068f2b0c596b1b029f1763792

          SHA1

          883814f09c8462194ea45991e9dbdc499da14709

          SHA256

          37b21ed3b707757ffe29f249a9a47c6729a8354ce9940c4d4a11b0bfb1d24f30

          SHA512

          1c3c7fa7db6dbaf8585eae46b57ea12d5e16ea02b22f499bff49275102f91f09a7ccffa58f9d6adddfc39512e0e3484925c152f799cd77a6ba1118b8fecb364a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe
          Filesize

          1.5MB

          MD5

          f65cc7ac632006f36da65555ac55ce83

          SHA1

          59ab98b973cf37f5aa096b65677f282d24382e64

          SHA256

          f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

          SHA512

          4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe
          Filesize

          1.5MB

          MD5

          f65cc7ac632006f36da65555ac55ce83

          SHA1

          59ab98b973cf37f5aa096b65677f282d24382e64

          SHA256

          f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

          SHA512

          4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe
          Filesize

          1.5MB

          MD5

          f65cc7ac632006f36da65555ac55ce83

          SHA1

          59ab98b973cf37f5aa096b65677f282d24382e64

          SHA256

          f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

          SHA512

          4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

          Download Submit

        • memory/1576-30-0x00000000007E0000-0x0000000000C1E000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1576-25-0x0000000003800000-0x0000000003810000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1576-26-0x00000000065E0000-0x0000000006B84000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1576-29-0x0000000006350000-0x00000000063B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1576-23-0x00000000007E0000-0x0000000000C1E000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1576-24-0x00000000746C0000-0x0000000074E70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1576-22-0x00000000007E0000-0x0000000000C1E000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1576-71-0x00000000746C0000-0x0000000074E70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1576-69-0x00000000007E0000-0x0000000000C1E000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1840-70-0x0000000000CE0000-0x000000000111E000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1840-66-0x0000000000CE0000-0x000000000111E000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1840-72-0x0000000000CE0000-0x000000000111E000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1840-73-0x00000000746C0000-0x0000000074E70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1840-74-0x0000000000CE0000-0x000000000111E000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1840-76-0x00000000746C0000-0x0000000074E70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1840-81-0x00000000746C0000-0x0000000074E70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1840-82-0x0000000000CE0000-0x000000000111E000-memory.dmp

          Filesize

          4.2MB

          Download