Overview

overview

10

Static

static

10

DCRatBuild.exe

windows7-x64

10

DCRatBuild.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    13/06/2024, 22:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.1MB

  • MD5

    4c40088e4f1835614a5a1088056699e2

  • SHA1

    4b78a9fad74e75b67cb6626679166f611171a161

  • SHA256

    e51f8d90fb3698bd568b693c41927bdee20c799e823bd4630a061454d3264309

  • SHA512

    2717db3fa71493bfee3acb5b6a40a15ba5f9522be230ac5376f1317b964cc29050d84b9bdd2a84066d9d7b96cbcd7f73faebfad3d21b2a8172c548b4c1a8f685

  • SSDEEP

    24576:U2G/nvxW3Ww0t2onGju9hMij7DTA9LX9GmN6ya4+o:UbA30Vd9aqM9Lbai

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\MsReviewsession\yO3BOIbzunvfadK9o.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\MsReviewsession\iOUbd.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\MsReviewsession\PortWeb.exe
          "C:\MsReviewsession\PortWeb.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1208
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\smBCqns3su.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2860
              • C:\Program Files\Common Files\Services\taskhost.exe
                "C:\Program Files\Common Files\Services\taskhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\fr-FR\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1236
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2060

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MsReviewsession\iOUbd.bat
            Filesize

            32B

            MD5

            f2c01fc7f2af46de03aae93540aa68e0

            SHA1

            914395bb0d9b16f3af93eff925f3b518950bbd35

            SHA256

            f1265433eed8e39b8969eb0bfdff53079a2fb414c552bc16d2e6b9c2b7ddf467

            SHA512

            5b6b68db4ecfac92ae6bb6b57b9eb402ae416090c384c88737bcc4280343eebcdc4715627f6cce39965e0ac26147771bc2be329778b1bb3d4c300d75cd1f2fd7

            Download Submit

          • C:\MsReviewsession\yO3BOIbzunvfadK9o.vbe
            Filesize

            197B

            MD5

            4c8b86faed61558028921999a343ef68

            SHA1

            0bffd3004d6421de0a02dc25aaa92bf70f805a90

            SHA256

            028f593ae44a66648497644d987f5fea9ab3ea946a161ca90208115643f45763

            SHA512

            21f032a1c36556e5f7c17f0d8d2c07383d45e19404aefef7515258bc4a40b2369c29765824513d4b1fc7ee0b3a7aa8bdd8ae2f200706492a5f774c510badc461

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\smBCqns3su.bat
            Filesize

            216B

            MD5

            5b2ccbd381afb78fc287d37dcea41cf8

            SHA1

            033c2468c1ac5a90ce1f1f632654e739b4a538b3

            SHA256

            3e98909b1959d43d48e9bfe369098415c50dcbf55713ae943ed9573abb02875e

            SHA512

            4b6f1365419d2522f74f591628cbbe452cafcc621c5da4c4132d7e02355ce9e1cb95b32b0a16601b4c3c9d640e67c625424e1209771fc3906f042c04ed060fd1

            Download Submit

          • \MsReviewsession\PortWeb.exe
            Filesize

            829KB

            MD5

            8b03716cc54bbca6ef5d9a611e57bae8

            SHA1

            c0853a0fbfde846f94dc9aea05908b745f36cac2

            SHA256

            9e11fd15f5cd01ef1abc858da09943a4d10646b495b1b2dcefae2ca61ee1741b

            SHA512

            49961849720f1ee7f2260e1683b046ba26fff6c8ff7abe818d9c158aa3b7f69d83ac9615c8bcffad7512eb900105d2fcea56b1a4fabe527423b332a02c2b3034

            Download Submit

          • memory/1208-13-0x00000000003C0000-0x0000000000496000-memory.dmp

            Filesize

            856KB

            Download

          • memory/2060-34-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/2060-35-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

            Download

          • memory/2760-33-0x00000000002A0000-0x0000000000376000-memory.dmp

            Filesize

            856KB

            Download