Overview

overview

10

Static

static

10

c3362d8d6d...ee.exe

windows7-x64

10

c3362d8d6d...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 11:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c3362d8d6d23a7f24debfc53b02358ee.exe

  • Size

    2.2MB

  • MD5

    c3362d8d6d23a7f24debfc53b02358ee

  • SHA1

    1e1eb6fe56af7c4d1d0b7fb772f333195c27762a

  • SHA256

    2ffc02c44e0a4dcd173828c287b46380e713a75012b951ce511b5e4c7244e300

  • SHA512

    3f1ef88eaad485ac394f6a0b389a596588811cd0f71b550b775a3836797b96485f1fc76098397498c91efb8f263a626e050223ee0b0f102e9cacbe58d0580df2

  • SSDEEP

    24576:JUhducpSbCC/RotMBqeT1zeQlTpqNi3581wr/1eeehtSH3Nh1dLq3mX318uWB5OQ:JUhqWqTkSTai3b/wrG1du381TWD9CDI

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 28 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
    persistence
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 18 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3362d8d6d23a7f24debfc53b02358ee.exe
    "C:\Users\Admin\AppData\Local\Temp\c3362d8d6d23a7f24debfc53b02358ee.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HWARE\6Tf0Hz.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\HWARE\SvgDehbZk2JBCLwPk.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Users\Admin\AppData\Roaming\HWARE\.NET Framework.exe
          "C:\Users\Admin\AppData\Roaming\HWARE\.NET Framework.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4504
          • C:\Users\Public\Videos\WmiPrvSE.exe
            "C:\Users\Public\Videos\WmiPrvSE.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\odt\SppExtComObj.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\SppExtComObj.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\swidtag\fontdrvhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\Custom\cmd.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\apppatch\Custom\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\Custom\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1344

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\HWARE\.NET Framework.exe
          Filesize

          829KB

          MD5

          26a0e0de4c8d968891949d52dc3b1650

          SHA1

          3e3bc6949d3a9dfdd326a5483cc1890d11515657

          SHA256

          8d83da80cca510d7c0c05432d4bcc924777a001e1e2388dc475599f0a4593c73

          SHA512

          448a49b41a71d417a880784bf1c3f08631ca569af9036e6f481015180ab4e49c9a308583ae64f70f253cb9ef3fa77d5e48b7c483f1a9a29ea67517efa8089864

          Download Submit

        • C:\Users\Admin\AppData\Roaming\HWARE\6Tf0Hz.vbe
          Filesize

          206B

          MD5

          c16d3ec5e0d150a26f66b914a70cf83a

          SHA1

          8e01b9cb510e039da92d1f1778de9b1444faa439

          SHA256

          8a7c30b06d8a6ef27f41d6c732740e675ec315b35e580ea1e17bc9bc4ad76957

          SHA512

          1d4ce8778e3559699852bea841855f00d3ee3d7ac4761f8ec4a1297ddf34f2b38cad5b878e17c68db908a3cf4131abef3e95eacba180829a4a50260098cf0e4a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\HWARE\SvgDehbZk2JBCLwPk.bat
          Filesize

          36B

          MD5

          859e927f154816d6d7dc32c0123938b2

          SHA1

          da075b72efad27c59fb17a9abbaf5282bf1c4cd7

          SHA256

          7017e572cf71d671c8baca6a3d09d990d4475a1c2e85635f2d25498c6ab7888b

          SHA512

          a96d383a3e82332287a286f49f8ea4d52f871082b37609453657eb774309aa0d33331f6ceee6f1271c7c521258daac28a761cb9870942f2a1adf42e59fa2a97d

          Download Submit

        • memory/4504-14-0x0000000000AB0000-0x0000000000B86000-memory.dmp

          Filesize

          856KB

          Download

        • memory/4504-15-0x00007FFCFFC30000-0x00007FFD006F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4504-16-0x0000000001350000-0x0000000001360000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4504-46-0x00007FFCFFC30000-0x00007FFD006F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4536-47-0x00007FFCFFC30000-0x00007FFD006F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4536-48-0x000000001B300000-0x000000001B310000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4536-50-0x00007FFCFFC30000-0x00007FFD006F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5088-0-0x0000000000110000-0x0000000000546000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/5088-8-0x0000000000110000-0x0000000000546000-memory.dmp

          Filesize

          4.2MB

          Download