Overview

overview

10

Static

static

10

f554f85e09...22.exe

windows7-x64

10

f554f85e09...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522.exe

  • Size

    2.5MB

  • MD5

    e71b100ba4895671392bebdb6940b58a

  • SHA1

    3f0cc8aad3fa8041b5ba40ac4c3e9d9d2d909d25

  • SHA256

    f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522

  • SHA512

    24d99c32e2b275aa2554225932e73c319169cbe87811ab4d08861e44a43f0e7984690e1e83200405321062680d7ec679eea7ab7d09b633700b1edcf73dc68191

  • SSDEEP

    49152:UbA30JB27p9ftg4mUnKbgHns5D6RL1gVHrl+ZraG9LOgwddVyB7pe:Ub3a9fmbgMN8qLYxasqDncq

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522.exe
    "C:\Users\Admin\AppData\Local\Temp\f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Webreviewcrt\ipDh6jR2mcTwtep.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Webreviewcrt\kcPcB.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Webreviewcrt\bridgeComComponent.exe
          "C:\Webreviewcrt\bridgeComComponent.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3228
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJzwh9DHgr.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1148
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4784
              • C:\Recovery\WindowsRE\wininit.exe
                "C:\Recovery\WindowsRE\wininit.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4944
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Webreviewcrt\file.vbs"
        2⤵
          PID:4004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\odt\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Provisioning\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1228
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1284
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\odt\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2376

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\WindowsRE\wininit.exe
        Filesize

        2.2MB

        MD5

        3905ef3502b9ddbda1c2b244450b672a

        SHA1

        73ab0e08aae09d3248d47d387b5c971a72e46abd

        SHA256

        8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

        SHA512

        8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

        Download Submit

      • C:\Recovery\WindowsRE\wininit.exe
        Filesize

        2.2MB

        MD5

        3905ef3502b9ddbda1c2b244450b672a

        SHA1

        73ab0e08aae09d3248d47d387b5c971a72e46abd

        SHA256

        8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

        SHA512

        8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

        Download Submit

      • C:\Recovery\WindowsRE\wininit.exe
        Filesize

        2.2MB

        MD5

        3905ef3502b9ddbda1c2b244450b672a

        SHA1

        73ab0e08aae09d3248d47d387b5c971a72e46abd

        SHA256

        8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

        SHA512

        8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UJzwh9DHgr.bat
        Filesize

        198B

        MD5

        570ae354d482fa42ce3eeeeb68de0e4d

        SHA1

        92bdd19288a723d9bdf9f98c2a01e9b3b6c483d5

        SHA256

        c6b1712961bb3457012cf161f9e6687b6d449631a245fe38af1c856342b3baea

        SHA512

        8d389764687f32f9699e8d564171ca31870e44d71f4960d4d25eba20bdcbb3f34ca2f86af7e0c2a64c131bfd4498591b86a72f9750c3f9e97c2f2488bc4136f5

        Download Submit

      • C:\Webreviewcrt\bridgeComComponent.exe
        Filesize

        2.2MB

        MD5

        3905ef3502b9ddbda1c2b244450b672a

        SHA1

        73ab0e08aae09d3248d47d387b5c971a72e46abd

        SHA256

        8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

        SHA512

        8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

        Download Submit

      • C:\Webreviewcrt\bridgeComComponent.exe
        Filesize

        2.2MB

        MD5

        3905ef3502b9ddbda1c2b244450b672a

        SHA1

        73ab0e08aae09d3248d47d387b5c971a72e46abd

        SHA256

        8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

        SHA512

        8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

        Download Submit

      • C:\Webreviewcrt\file.vbs
        Filesize

        34B

        MD5

        677cc4360477c72cb0ce00406a949c61

        SHA1

        b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

        SHA256

        f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

        SHA512

        7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

        Download Submit

      • C:\Webreviewcrt\ipDh6jR2mcTwtep.vbe
        Filesize

        194B

        MD5

        fc850c6d24758438279181729066a815

        SHA1

        f3145e372180f4116efb393aee5dd529c726fb52

        SHA256

        0b23b06e5c8bc58f169f794bf9730566ce19ec5be3194bd38fd153493e7f6bc6

        SHA512

        9a094a0bf414279ffe512ab2926c5bd6250ce5832534297138b468ea238355b30f1928ff062bf5f1a0bd17f97750276c7fde4eba2dda575f09df7570492362d4

        Download Submit

      • C:\Webreviewcrt\kcPcB.bat
        Filesize

        40B

        MD5

        5fa60759170284b04b907dede9ec02fc

        SHA1

        a642c3173654b61888e6d523a16406201054964d

        SHA256

        738a5ee2597722bce53cc2137b528873aee86a3b52ccc162de3ac4e8f234f99c

        SHA512

        19ced211450f2201611f4b56ff3f29426f5173444791ddec7e87b1a32e089cffd5540c319371aa01b6fff0ee37151e41be0afb7c2923869bfda525e1edd6a585

        Download Submit

      • memory/3228-18-0x00007FFC792D0000-0x00007FFC79D91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3228-44-0x00007FFC792D0000-0x00007FFC79D91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3228-23-0x000000001B5F0000-0x000000001B646000-memory.dmp

        Filesize

        344KB

        Download

      • memory/3228-24-0x00000000024A0000-0x00000000024AE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3228-26-0x000000001B690000-0x000000001B698000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3228-25-0x0000000002600000-0x0000000002608000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3228-21-0x000000001B640000-0x000000001B690000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3228-22-0x00000000025E0000-0x00000000025F6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3228-20-0x00000000025C0000-0x00000000025DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3228-19-0x0000000000C90000-0x0000000000CA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3228-17-0x0000000000140000-0x0000000000378000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4944-49-0x00007FFC792D0000-0x00007FFC79D91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4944-50-0x000000001B930000-0x000000001B940000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4944-51-0x0000000002CC0000-0x0000000002D16000-memory.dmp

        Filesize

        344KB

        Download

      • memory/4944-53-0x00007FFC792D0000-0x00007FFC79D91000-memory.dmp

        Filesize

        10.8MB

        Download