Overview

overview

10

Static

static

10

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-04-2024 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe

  • Size

    1.1MB

  • MD5

    6e6f8bc0dbceec859f9baaff0ebe2811

  • SHA1

    495b4434e34bbf6c432718ee6fac880f16be49a0

  • SHA256

    7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e

  • SHA512

    aab1bba5a4fc395f2d378bfc2bad098ce4efbeadacea47f650e16afd99373d518fd2cf9f8c30422cd34939d04d2e05ac9fc5ee8b48d6f5bc8f7cbb19d1bfeac7

  • SSDEEP

    24576:U2G/nvxW3Ww0tkqV9bjWrJeQfBmAL6PLRr0UeJ:UbA30kqIJR/

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe
    "C:\Users\Admin\AppData\Local\Temp\7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3156
        • C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
          "C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\BlockComponentwebMonitordhcp\fontdrvhost.exe
            "C:\BlockComponentwebMonitordhcp\fontdrvhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\odt\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\BlockComponentwebMonitordhcp\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\BlockComponentwebMonitordhcp\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\BlockComponentwebMonitordhcp\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\BlockComponentwebMonitordhcp\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\AppPatch64\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\apppatch\AppPatch64\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\AppPatch64\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\sysmon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\setup.exe\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\odt\SearchHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat
    Filesize

    50B

    MD5

    40763ae8cfc178ff43b09dbd8aeb8e24

    SHA1

    81c31ec6a3fb0ccb59bf4ef2e6653405cdc2534c

    SHA256

    7b94af95b84b86d3b7dedd796d45f4ece48521897bfbcda1049002ceb0f27f7c

    SHA512

    a63bc49760984ae681df2663fa0590660036bf4cddfdfa7f634bcd51147c8e94b7d973ef425716bdd58ccc812d44be6a0682636e6faab84f94756b5e97ecb359

    Download Submit

  • C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe
    Filesize

    217B

    MD5

    1efe4b745c309f0d730c394a6d1bd25f

    SHA1

    8831671936036e79c4daa914d14455c8e2808081

    SHA256

    3dca4af9d3b59a3c498492bf9ddd94961df9f95d535836caa2b8ba710aa73f7e

    SHA512

    9c9a4292c96c6a727a7601831a6ec3f2c11968f898996c14c9bc7c1fb4ce66e9fffd2fabec13d9929ad220956263eecaf5c704833dd7f021a805a438f586ca39

    Download Submit

  • C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
    Filesize

    828KB

    MD5

    6b3e49b6d32aca957297d8c71e698737

    SHA1

    73294c085a65af8528ea636ee15132020ba38fe5

    SHA256

    fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8

    SHA512

    151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b

    Download Submit

  • memory/2116-60-0x000000001CB30000-0x000000001CB4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2116-54-0x00007FF87DC90000-0x00007FF87E752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2116-56-0x0000000001A60000-0x0000000001A70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2116-57-0x000000001CAE0000-0x000000001CB26000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2116-58-0x0000000003360000-0x0000000003369000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2116-59-0x00000000033A0000-0x00000000033AD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2116-61-0x000000001CB50000-0x000000001CB5B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2116-67-0x00007FF87DC90000-0x00007FF87E752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2116-68-0x0000000001A60000-0x0000000001A70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2708-13-0x00007FF87DC90000-0x00007FF87E752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2708-14-0x0000000000B40000-0x0000000000B50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2708-55-0x00007FF87DC90000-0x00007FF87E752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2708-12-0x0000000000250000-0x0000000000326000-memory.dmp

    Filesize

    856KB

    Download