Overview

overview

10

Static

static

7

Mydoom/00b...f7.exe

windows11-21h2-x64

1

Mydoom/055...81.exe

windows11-21h2-x64

Mydoom/0b7...c5.exe

windows11-21h2-x64

8

Mydoom/0d5...64.exe

windows11-21h2-x64

10

Mydoom/176...9c.exe

windows11-21h2-x64

7

Mydoom/1fe...81.exe

windows11-21h2-x64

7

Mydoom/233...98.exe

windows11-21h2-x64

7

Mydoom/252...03.exe

windows11-21h2-x64

7

Mydoom/2af...b2.exe

windows11-21h2-x64

7

Mydoom/3d9...64.exe

windows11-21h2-x64

7

Mydoom/3db...e5.exe

windows11-21h2-x64

7

Mydoom/493...dc.exe

windows11-21h2-x64

7

Mydoom/4d6...08.exe

windows11-21h2-x64

7

Mydoom/564...2a.exe

windows11-21h2-x64

7

Mydoom/6c3...4c.exe

windows11-21h2-x64

7

Mydoom/6c3...c3.exe

windows11-21h2-x64

7

Mydoom/771...20.exe

windows11-21h2-x64

7

Mydoom/7bc...61.exe

windows11-21h2-x64

7

Mydoom/8e9...88.exe

windows11-21h2-x64

7

Mydoom/9a7...60.exe

windows11-21h2-x64

7

Mydoom/9e0...f3.exe

windows11-21h2-x64

7

Mydoom/Myd...06.exe

windows11-21h2-x64

10

Mydoom/Myd...5c.exe

windows11-21h2-x64

6

Mydoom/Myd...fc.exe

windows11-21h2-x64

10

Mydoom/Myd...59.exe

windows11-21h2-x64

1

Mydoom/Myd...64.exe

windows11-21h2-x64

7

Mydoom/Myd...76.exe

windows11-21h2-x64

10

Mydoom/a9a...0f.exe

windows11-21h2-x64

7

Mydoom/b4a...95.exe

windows11-21h2-x64

7

Mydoom/c03...ef.exe

windows11-21h2-x64

8

Mydoom/c45...24.exe

windows11-21h2-x64

7

Mydoom/d42...06.exe

windows11-21h2-x64

7

Resubmissions

12-06-2024 08:28

240612-kcy2jawckj 10

10-06-2024 17:27

240610-v1ktxsvbpk 10

Analysis

  • max time kernel
    28s
  • max time network
    36s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-06-2024 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mydoom/0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

  • Size

    9.4MB

  • MD5

    813b749967045532f86e6442447bcd8b

  • SHA1

    8d0615e7f7ba672a3fc94c05a9451f9d08797af7

  • SHA256

    0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464

  • SHA512

    47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877

  • SSDEEP

    24576:GYx7SFGwWG8/Ad5kybgeK8uQY2ZqR7NlaDbTxnVhv2MMLdGIhJ:IFFbK8q2ZhDbTNv2MuV

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 6 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mydoom\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
    "C:\Users\Admin\AppData\Local\Temp\Mydoom\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2228
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:4008
    • C:\Users\Admin\AppData\Local\Temp\Mydoom\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
      "C:\Users\Admin\AppData\Local\Temp\Mydoom\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
      2⤵
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:916
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4620
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1588
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1292
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2060
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\OfficeClickToRun.exe'" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1192
      • C:\Windows\InputMethod\CHT\OfficeClickToRun.exe
        "C:\Windows\InputMethod\CHT\OfficeClickToRun.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4540
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            5⤵
            • Delays execution with timeout.exe
            PID:3124
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            5⤵
            • Delays execution with timeout.exe
            PID:3924
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3912
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            5⤵
            • Delays execution with timeout.exe
            PID:4724
        • C:\Windows\InputMethod\CHT\OfficeClickToRun.exe
          "C:\Windows\InputMethod\CHT\OfficeClickToRun.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4652
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1752
          4⤵
          • Program crash
          PID:1992
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1196
      2⤵
      • Program crash
      PID:2784
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4976 -ip 4976
    1⤵
      PID:4304
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1480 -ip 1480
      1⤵
        PID:1704

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe
        Filesize

        9.4MB

        MD5

        813b749967045532f86e6442447bcd8b

        SHA1

        8d0615e7f7ba672a3fc94c05a9451f9d08797af7

        SHA256

        0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464

        SHA512

        47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877

        Download Submit
      • memory/3824-6-0x0000000000400000-0x0000000000538000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3824-7-0x0000000005EE0000-0x0000000005F46000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3824-9-0x0000000006CE0000-0x0000000006D72000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4976-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4976-1-0x0000000000940000-0x000000000129C000-memory.dmp
        Filesize

        9.4MB

        Download
      • memory/4976-2-0x0000000005CF0000-0x0000000005D8C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4976-3-0x0000000006FE0000-0x0000000007126000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4976-4-0x0000000074BB0000-0x0000000075361000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4976-5-0x000000000B440000-0x000000000B9E6000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4976-8-0x0000000074BB0000-0x0000000075361000-memory.dmp
        Filesize

        7.7MB

        Download