Overview

overview

10

Static

static

10

410c644c78...3a.exe

windows7-x64

10

410c644c78...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe

  • Size

    828KB

  • MD5

    38cae3e5ad321877f760a30170e1dbd8

  • SHA1

    7ca4a891c40ce36a4533aabe32b4a7c70180f6f8

  • SHA256

    410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a

  • SHA512

    4c2299d27f435f3457c5047b8021b930a4a4d2b8be3dea5d23508499f497d2042b53b67cb071def371f5d6335b372078c362de27533865a09183c3e1fdd9c745

  • SSDEEP

    12288:wzXIzsFQQP9ztnsyyjDO0l4yOaPFXs718A4FuG0tlW+Sro3TVuQ3:wNFQQP3sXDOuHOCFXs71KASroo2

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 47 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 15 IoCs
    persistence
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 28 IoCs
    persistence
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe
    "C:\Users\Admin\AppData\Local\Temp\410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe
      "C:\Users\Admin\AppData\Local\Temp\410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\317xeoslDz.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:2056
          • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
            "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\sppsvc.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Installer\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2428
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\es-ES\lsm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\schtasks.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\schtasks.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:912

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
      Filesize

      828KB

      MD5

      38cae3e5ad321877f760a30170e1dbd8

      SHA1

      7ca4a891c40ce36a4533aabe32b4a7c70180f6f8

      SHA256

      410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a

      SHA512

      4c2299d27f435f3457c5047b8021b930a4a4d2b8be3dea5d23508499f497d2042b53b67cb071def371f5d6335b372078c362de27533865a09183c3e1fdd9c745

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\317xeoslDz.bat
      Filesize

      236B

      MD5

      19f0699cf1e6b5d40f7760a72a6f9cff

      SHA1

      16f0bc1d375dfbdbc9abe9ac8c71c94731de82dc

      SHA256

      500fa86a513a095baa1703569757f7aded96594308e7fc9ccd1036d81f92414e

      SHA512

      7e64d99211785377e1c29ace66dcd85f5aa7a7b8a340e6dd63f4c42deb9f49088385ab8ac0f79adad7e1f493ad72c3c8ebf852168357c727f6fa69aabbca0d81

      Download Submit
    • memory/2608-44-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2608-45-0x000000001AD00000-0x000000001AD80000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2608-46-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2776-8-0x000000001AFA0000-0x000000001B020000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2776-11-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2776-41-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/3048-0-0x0000000000D00000-0x0000000000DD6000-memory.dmp
      Filesize

      856KB

      Download
    • memory/3048-1-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/3048-2-0x000000001B110000-0x000000001B190000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3048-7-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
      Filesize

      9.9MB

      Download