Overview

overview

10

Static

static

10

3b8b335bab...48.exe

windows7-x64

10

3b8b335bab...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16/04/2024, 16:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b8b335babae9d4a73824efe54aa2148.exe

  • Size

    1.2MB

  • MD5

    3b8b335babae9d4a73824efe54aa2148

  • SHA1

    ebb36ea7e8702f50272952071c18f362b0888003

  • SHA256

    4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354

  • SHA512

    d110697dcfa249f71fe0b5097d83351285c3f4440d82aa39080d016e0202572b229612a2778aac34b26791aadfe0ce7c89b663ee2d2a83ef43bb7cf0c9fac83e

  • SSDEEP

    24576:NR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:TJaDKf4p4UD1v

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b8b335babae9d4a73824efe54aa2148.exe
    "C:\Users\Admin\AppData\Local\Temp\3b8b335babae9d4a73824efe54aa2148.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1728
    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe
      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1008
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\661c4cac-afac-43f9-a09c-31e8b2a00860.vbs"
        3⤵
          PID:544
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6be7b570-71d4-4477-b6bc-05915ed4af25.vbs"
          3⤵
            PID:1180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\en-US\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2888
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\en-US\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:616
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:2812

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\661c4cac-afac-43f9-a09c-31e8b2a00860.vbs
          Filesize

          747B

          MD5

          69409721663a35992982c6522eea770d

          SHA1

          31ba2830e99bc276bc4c6f6ec93b1ad9dcace0b3

          SHA256

          da469b3bbb9fcff4fa8d1f94352cb9b5062bf83ca4eb1b26f83597b95d113f85

          SHA512

          d6cc50534ceb5600926812add1373af1e9f3a3078db9868c5f7820fbc541721e18f2c735fa883cbd9e78567a336c7dff619c854008b8b633d7761208b3af13d6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6be7b570-71d4-4477-b6bc-05915ed4af25.vbs
          Filesize

          523B

          MD5

          46dcca421a50e693f24748d4ddf9a5a0

          SHA1

          e5f1868d47d4f78fc3f14dc410a39832228c2fb4

          SHA256

          3bbf44ca6d9e8faf1b447c7049f63af510e4c7d67ae9ef5a12d2a95491e45932

          SHA512

          622843d1643ea11e93b0883317602f2b6dc073c3019669c2f959c2444ddf40435c44734fd352faa83058605d843295ed148a71f100c4fb256cb60d9a4b4466ba

          Download Submit

        • C:\Windows\PolicyDefinitions\en-US\RCX3661.tmp
          Filesize

          1.2MB

          MD5

          bbd5124dbe0b4d8ebf24756acf9ca1f0

          SHA1

          ec97c1d53a478f521e2b20703722e49987eb59b4

          SHA256

          57e062a7fe7903fcc4cca6466e12aac8af23a34ccb1bdec9aa28bf02588e3a11

          SHA512

          ab806d1077e9be403e10acd7291c2c5b7dc18a3140bcbbdf3885be787ed9d4b32c3f0e475f2150bca4fe21e49aec7f99882414eb14c268beb6001d1f95a723d5

          Download Submit

        • C:\Windows\PolicyDefinitions\en-US\smss.exe
          Filesize

          1.2MB

          MD5

          3b8b335babae9d4a73824efe54aa2148

          SHA1

          ebb36ea7e8702f50272952071c18f362b0888003

          SHA256

          4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354

          SHA512

          d110697dcfa249f71fe0b5097d83351285c3f4440d82aa39080d016e0202572b229612a2778aac34b26791aadfe0ce7c89b663ee2d2a83ef43bb7cf0c9fac83e

          Download Submit

        • memory/1008-88-0x000000001B200000-0x000000001B280000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1008-87-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1008-77-0x000000001B200000-0x000000001B280000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1008-74-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1008-76-0x0000000000F00000-0x000000000103A000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1728-7-0x00000000005D0000-0x00000000005D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1728-20-0x00000000009C0000-0x00000000009CC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1728-11-0x0000000000720000-0x0000000000728000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1728-12-0x0000000000730000-0x000000000073C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1728-13-0x0000000000740000-0x000000000074C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1728-14-0x0000000000750000-0x0000000000758000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1728-15-0x0000000000760000-0x000000000076A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1728-16-0x0000000000770000-0x000000000077E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1728-17-0x0000000000780000-0x000000000078C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1728-18-0x00000000009A0000-0x00000000009A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1728-19-0x00000000009B0000-0x00000000009BA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1728-10-0x0000000000710000-0x000000000071C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1728-9-0x0000000000700000-0x000000000070C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1728-8-0x00000000006F0000-0x00000000006FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1728-75-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1728-0-0x00000000001D0000-0x000000000030A000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1728-6-0x00000000005B0000-0x00000000005C6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1728-5-0x0000000000330000-0x0000000000340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1728-4-0x00000000001C0000-0x00000000001C8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1728-3-0x0000000000310000-0x000000000032C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1728-2-0x000000001B020000-0x000000001B0A0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1728-1-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

          Filesize

          9.9MB

          Download