Analysis

  • max time kernel
    137s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 00:04

General

  • Target

    450db4964978e42ce9403a9dd174586a.exe

  • Size

    505KB

  • MD5

    450db4964978e42ce9403a9dd174586a

  • SHA1

    2ea8411c00fd913b54c0ec19824beee5a3256a9c

  • SHA256

    17911103687aab297d51b99468b26da38ea4331c6b7c5d2fe36d33c066f7b076

  • SHA512

    59cdd260f0348ae5eaa966e70d3751553021c1e025c5c9442b9d606acee7f6aba4a3e4db394931228ebe22c2fa0377eaa856d77d9d97d6254c7aece5ff443482

  • SSDEEP

    12288:rs9sZu3LQWKvXcCf4G3yXFUajm4aqYDHdstYKnKMHClGX:rcNqkCfNGFUa1aqYDHdstPT

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\450db4964978e42ce9403a9dd174586a.exe
    "C:\Users\Admin\AppData\Local\Temp\450db4964978e42ce9403a9dd174586a.exe"
    1⤵
      PID:4332
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt
        2⤵
          PID:2828
        • C:\Users\Admin\AppData\Local\Temp\WindowsProtect.exe
          "C:\Users\Admin\AppData\Local\Temp\WindowsProtect.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\reviewWinMonitornet\eBsNFS4M1Cr6.vbe"
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:456
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\reviewWinMonitornet\bd5em.bat" "
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2956
      • C:\reviewWinMonitornet\reviewWinMonitornetwinref.exe
        "C:\reviewWinMonitornet\reviewWinMonitornetwinref.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4352
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l5GkgtmYxi.bat"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4888
          • C:\Windows\System32\WerEnc\spoolsv.exe
            "C:\Windows\System32\WerEnc\spoolsv.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2780
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\conhost.exe'" /rl HIGHEST /f
          2⤵
          • Creates scheduled task(s)
          PID:4652
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\WerEnc\spoolsv.exe'" /rl HIGHEST /f
          2⤵
          • Creates scheduled task(s)
          PID:3332
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
          2⤵
          • Creates scheduled task(s)
          PID:3412
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\iasacct\conhost.exe'" /rl HIGHEST /f
          2⤵
          • Creates scheduled task(s)
          PID:1852
      • C:\Windows\system32\PING.EXE
        ping -n 5 localhost
        1⤵
        • Runs ping.exe
        PID:4376
      • C:\Windows\system32\chcp.com
        chcp 65001
        1⤵
          PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt

                Filesize

                617B

                MD5

                292806f9ebd655b601d4fe9e9c482d9f

                SHA1

                be73ffc844d1071a6a98131861c39e29ca5b8d8c

                SHA256

                c7c19f3cb0e3c8f820c36fa809d20ed776d2312314b81e1ccb6098fdc541c55e

                SHA512

                a3468990b4867f3722de1040cdd720cc72cfa590b3643db1aa6a8d5293e4a09f73c5f9f7f5914cd2bf5d0a1cdc6283e9396bfd90574a41003d8397fa67bcc6dd

              • C:\reviewWinMonitornet\bd5em.bat

                Filesize

                54B

                MD5

                9df63e9c561f81f79b3497b58c3828ed

                SHA1

                6ab555ba50d36da8c90f1f3f0bca8cc8c6dadc8f

                SHA256

                1d4287b2d55274c4bd758558adf7441b0a97036db08073d00f153488c2f4af24

                SHA512

                43f9c25bb45f84629cfec6778a083c0166cd63564f5d89493ee80facbf5f0a04e776691332e75c21a78ddf4276d483966f7ff678d0240a1eac1f9870bdf9ae02

              • memory/2780-49-0x00007FFF91D20000-0x00007FFF927E1000-memory.dmp

                Filesize

                10.8MB

              • memory/2780-52-0x00007FFF91D20000-0x00007FFF927E1000-memory.dmp

                Filesize

                10.8MB

              • memory/2780-50-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

                Filesize

                64KB

              • memory/4332-2-0x0000000074D90000-0x0000000075341000-memory.dmp

                Filesize

                5.7MB

              • memory/4332-0-0x0000000074D90000-0x0000000075341000-memory.dmp

                Filesize

                5.7MB

              • memory/4332-14-0x0000000074D90000-0x0000000075341000-memory.dmp

                Filesize

                5.7MB

              • memory/4332-1-0x00000000011A0000-0x00000000011B0000-memory.dmp

                Filesize

                64KB

              • memory/4352-28-0x0000000000B80000-0x0000000000C2A000-memory.dmp

                Filesize

                680KB

              • memory/4352-45-0x00007FFF91D20000-0x00007FFF927E1000-memory.dmp

                Filesize

                10.8MB

              • memory/4352-30-0x0000000001520000-0x0000000001530000-memory.dmp

                Filesize

                64KB

              • memory/4352-29-0x00007FFF91D20000-0x00007FFF927E1000-memory.dmp

                Filesize

                10.8MB