Overview

overview

10

Static

static

10

2f77b6ba0d...99.exe

windows7-x64

10

2f77b6ba0d...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    29/06/2024, 22:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe

  • Size

    1.2MB

  • MD5

    2f77b6ba0d6b4cf6cb232c0e5aa2f999

  • SHA1

    4bb0d8a5c6e42374d1a58b8b025bbf99cda42b77

  • SHA256

    d5e776aa38d141a5621e492af32685568f2c527864caa72dad17ec08172bd223

  • SHA512

    d434e987bcd3f8ee09501e2c4b600b7781d228bc465e54d0d016ae086d2eef18500832ebd78e1b7d75956ffb3ad621c77bb3cca45ca0dc57b00826aa2f2e8e8a

  • SSDEEP

    24576:GiRX4ONyMaJtHAWwIh1zunez5ma3Z1tzVSzWdPnG:GiRX4jMD7R/a3Z1hf

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 15 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe
    "C:\Users\Admin\AppData\Local\Temp\2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m5CkcR6d4r.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1756
        • C:\Users\Public\Music\dllhost.exe
          "C:\Users\Public\Music\dllhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "2f77b6ba0d6b4cf6cb232c0e5aa2f9992" /sc MINUTE /mo 13 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "2f77b6ba0d6b4cf6cb232c0e5aa2f999" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "2f77b6ba0d6b4cf6cb232c0e5aa2f9992" /sc MINUTE /mo 7 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\2f77b6ba0d6b4cf6cb232c0e5aa2f999.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1312

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
            Filesize

            1.2MB

            MD5

            2f77b6ba0d6b4cf6cb232c0e5aa2f999

            SHA1

            4bb0d8a5c6e42374d1a58b8b025bbf99cda42b77

            SHA256

            d5e776aa38d141a5621e492af32685568f2c527864caa72dad17ec08172bd223

            SHA512

            d434e987bcd3f8ee09501e2c4b600b7781d228bc465e54d0d016ae086d2eef18500832ebd78e1b7d75956ffb3ad621c77bb3cca45ca0dc57b00826aa2f2e8e8a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\m5CkcR6d4r.bat
            Filesize

            198B

            MD5

            8fc42d563dc9ab51bfb4bbf40bc7631d

            SHA1

            a8c3f5f5a020f05884237fa3d43f26938a9a49fa

            SHA256

            465c142e671003dac7f8d286ef9e802ac3c6fbe77db67ec97c48d3942e8a2d7f

            SHA512

            19ace08a088574e3d2c6de5d3844131d91697019b315341859ea488df1179cc73e55138e5f2070cad7e0bfad1a871083586851b6097e9dfa924cdb043f3a0f79

            Download Submit

          • memory/316-25-0x00000000008A0000-0x00000000009D4000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2540-0-0x000007FEF59D3000-0x000007FEF59D4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2540-1-0x0000000000920000-0x0000000000A54000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2540-2-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2540-3-0x00000000008E0000-0x00000000008FC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2540-5-0x00000000005C0000-0x00000000005CC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2540-4-0x0000000000900000-0x0000000000916000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2540-8-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2540-21-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

            Filesize

            9.9MB

            Download