Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/11/2023, 11:44

General

  • Target

    1a030d2d68a966877a377cf8c888115c.exe

  • Size

    1.1MB

  • MD5

    1a030d2d68a966877a377cf8c888115c

  • SHA1

    b0d0fe9953ca03954fe6951d3fda35b08a045359

  • SHA256

    07fa9ac4502b2a0ba83036450abbe28d6656c8941abf5180e81650550aa50a4e

  • SHA512

    9b8d1336c207f5a6b34aecd1389405012ba33abc842a32d4de40a359abfe3314224e4154221bbeffaeb18987821dc150fc9010fb9b64b39b173546d47193da1e

  • SSDEEP

    24576:U2G/nvxW3Ww0tKUVvRF5tWgTkvP0fA7HD56:UbA30KUVv+gwvsfA0

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a030d2d68a966877a377cf8c888115c.exe
    "C:\Users\Admin\AppData\Local\Temp\1a030d2d68a966877a377cf8c888115c.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\msAgentfont\7lZlduUKZRZBZkfNKew7tkV4l.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\msAgentfont\wycqJUldl1G9TitsOOqPbv.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\msAgentfont\Mscomponentdhcp.exe
          "C:\msAgentfont\Mscomponentdhcp.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QWBRySn29l.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3776
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:3852
              • C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe
                "C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:3588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\de-DE\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2192
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\odt\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Libraries\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4920

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe

            Filesize

            829KB

            MD5

            c3a26c0b9b0ce9f3b31c145e52738b83

            SHA1

            2879f4807b934535cd9911b92d63b29e35abb6ef

            SHA256

            6c2ad2d3ab11bebf0af68754a2f7da5dc9199ee7b1d13a5b6ef46d544b52723a

            SHA512

            ac8b19325294ef22dfcfb33caeeaebf78100c464df64b230b838ee83a5996ef1b28f36e81f7a87cda9dda26bc135637738dc3e7ac6db1a3e68b8428ace6b1661

          • C:\Recovery\WindowsRE\sysmon.exe

            Filesize

            829KB

            MD5

            c3a26c0b9b0ce9f3b31c145e52738b83

            SHA1

            2879f4807b934535cd9911b92d63b29e35abb6ef

            SHA256

            6c2ad2d3ab11bebf0af68754a2f7da5dc9199ee7b1d13a5b6ef46d544b52723a

            SHA512

            ac8b19325294ef22dfcfb33caeeaebf78100c464df64b230b838ee83a5996ef1b28f36e81f7a87cda9dda26bc135637738dc3e7ac6db1a3e68b8428ace6b1661

          • C:\Users\Admin\AppData\Local\Temp\QWBRySn29l.bat

            Filesize

            227B

            MD5

            bd50e69a66a943950073e751ab00b3a1

            SHA1

            ac6b0187d5517c7eb077d7ac59aa88f0c81c3792

            SHA256

            5dd5beb9e6f9fee59e825a46d28821e38f6ac0a11d75bbffc91216c91676e983

            SHA512

            a8a396586914cc2803e1126050f0f028617d23de03802a1e3d6f716f2f5bc93e2ac28f28d667931d948ab882b95e81dffd60985e720e4fc5782dbc7f7ee6e8ec

          • C:\msAgentfont\7lZlduUKZRZBZkfNKew7tkV4l.vbe

            Filesize

            211B

            MD5

            6cc8bbce5319ea246e1c28be8af35250

            SHA1

            812bb66ac1f7eb9fe1485a2e1c02caae4958054b

            SHA256

            b7abb57921741fcad9163030c4dfcc51316dac186682d37994e390342bad318c

            SHA512

            302bc1d85caee6e8e0f91b8cf790b7db2b99ae551930c07ef345a0bd1c73e6362a9faf87b6680b47bbb26251d4204159c3020567929b1b220d3f162d9c4003cd

          • C:\msAgentfont\Mscomponentdhcp.exe

            Filesize

            829KB

            MD5

            c3a26c0b9b0ce9f3b31c145e52738b83

            SHA1

            2879f4807b934535cd9911b92d63b29e35abb6ef

            SHA256

            6c2ad2d3ab11bebf0af68754a2f7da5dc9199ee7b1d13a5b6ef46d544b52723a

            SHA512

            ac8b19325294ef22dfcfb33caeeaebf78100c464df64b230b838ee83a5996ef1b28f36e81f7a87cda9dda26bc135637738dc3e7ac6db1a3e68b8428ace6b1661

          • C:\msAgentfont\wycqJUldl1G9TitsOOqPbv.bat

            Filesize

            36B

            MD5

            4978f7e13658c4f051f27be121f2c19e

            SHA1

            02f183ee8c15761badc2baf12d5392689fedfb09

            SHA256

            e9b60d2b6cfdbff864e589072556784300778f70aefd8e8eb5b51d1a1b13557a

            SHA512

            6bfda393b93aab7c57e217bbe49af1944f284bf030b0561c4fb53ea41cff9d5c838c76cdd7a8052e40a1952184448e1f00565ca7f00b0a623fce37771877da32

          • memory/3588-55-0x0000000001790000-0x00000000017A0000-memory.dmp

            Filesize

            64KB

          • memory/3588-54-0x00007FF8F5130000-0x00007FF8F5BF1000-memory.dmp

            Filesize

            10.8MB

          • memory/3588-53-0x00007FF8F5130000-0x00007FF8F5BF1000-memory.dmp

            Filesize

            10.8MB

          • memory/3992-14-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

            Filesize

            64KB

          • memory/3992-49-0x00007FF8F5130000-0x00007FF8F5BF1000-memory.dmp

            Filesize

            10.8MB

          • memory/3992-13-0x00007FF8F5130000-0x00007FF8F5BF1000-memory.dmp

            Filesize

            10.8MB

          • memory/3992-12-0x0000000000560000-0x0000000000636000-memory.dmp

            Filesize

            856KB