Overview

overview

10

Static

static

3

1b9e9cca2d...3f.exe

windows7-x64

10

1b9e9cca2d...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24/07/2024, 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b9e9cca2dcab6f35d56f397ad17aaf66dbdb7984834b9f8c26f094a2f0f763f.exe

  • Size

    608KB

  • MD5

    63144ff5a65e776313c9cb44da25a200

  • SHA1

    31e41d70fc55af771446bf4f879afbd809b6a7df

  • SHA256

    1b9e9cca2dcab6f35d56f397ad17aaf66dbdb7984834b9f8c26f094a2f0f763f

  • SHA512

    a32bbcb9b8799fc542cb1b0a5a1b6fceec3471d996fdeae965aa2a3860914fdaa4a64725f02221959d0a0a26fc13d8f23edf392baca4e04f34d0d2e6054c52cb

  • SSDEEP

    12288:jpoIY///1UFAe3kB0xazM6WZuS20IFpdO4WrzJjPt4mFBYU:CIY/YSQOjWZuWI84uJjhBY

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b9e9cca2dcab6f35d56f397ad17aaf66dbdb7984834b9f8c26f094a2f0f763f.exe
    "C:\Users\Admin\AppData\Local\Temp\1b9e9cca2dcab6f35d56f397ad17aaf66dbdb7984834b9f8c26f094a2f0f763f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\Nursultan alpha.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan alpha.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Blockcontainernet\W43Bcik1fetwz8mb03Kl4Wsl.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Blockcontainernet\AR9N8DWDPuNq5i9PvFB6SJq5vZat0J.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\Blockcontainernet\reviewbroker.exe
            "C:\Blockcontainernet\reviewbroker.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Users\Default User\explorer.exe
              "C:\Users\Default User\explorer.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Blockcontainernet\AR9N8DWDPuNq5i9PvFB6SJq5vZat0J.bat
    Filesize

    39B

    MD5

    5d93d13cd1a016e3f5f76b5b67ce7b35

    SHA1

    f2b28b545989d846663f23febdcb80383264f248

    SHA256

    fa28c368016672804e3d1efbd51cbbd0147af38960f9d60731da9fbeb61d6439

    SHA512

    61bebca915e256db05f08bdf4847a01e682eb594fca5cf180a8f596325f14962e6e869ecc6bb0d0c64b7c441bf03795025781b7c92c503c9414767015c4302bc

    Download Submit

  • C:\Blockcontainernet\W43Bcik1fetwz8mb03Kl4Wsl.vbe
    Filesize

    224B

    MD5

    3981990d1923b76df9db376e9d2cbbc5

    SHA1

    a07ce24994557da63deefb8a7db94054235c1993

    SHA256

    459538eb075aad8ac5fda45baabedbf7889ed2162feed9011efcb9490cff89f1

    SHA512

    b80bbdfd2e21ae5cd64e97d6841e769e7e3500d1eb17f4f76ca6a1f74e7d8cabc16ebfae12495e6dca4d488da5e9e0d82830813a20038231d2ae704604f04899

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Nursultan alpha.exe
    Filesize

    1.1MB

    MD5

    e2a02eaf1de2c2750f025172adec7b3f

    SHA1

    346ccaed629d5f90f59673e4dd8bfc455e4648d2

    SHA256

    e2ceba1c620fa9167b68e137d00c94f7b19b9dc9ab23e2e0d99c7e537482add3

    SHA512

    587454f4190d91599351f490a1c9514a20b993a3da825550ea58030137d92c84a912aa51586877263e7cd85ce7a7b35fb4e15cb987f56ae21b0e866c830f363b

    Download Submit

  • \Blockcontainernet\reviewbroker.exe
    Filesize

    829KB

    MD5

    ebec19ac8397c7016e1ca22f9f5eaf69

    SHA1

    e153837afcf24bb8a5790751fc2d4661c751f8ad

    SHA256

    d3fc1234ce59c9e43749ce9ce14e212512f9e85267aee52a569ee78e51d68c17

    SHA512

    a73065178db0117f4664de676307823ab72ea0c62ca427af12338f83a7497b6ca92b404a9df7fb81188461b43bd711e41f62d4d9e65a7f1abfd99a648ca0045c

    Download Submit

  • memory/1392-47-0x00000000003B0000-0x0000000000486000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2648-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2648-1-0x0000000000F90000-0x000000000102E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2648-9-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2648-48-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2676-24-0x0000000000330000-0x0000000000406000-memory.dmp

    Filesize

    856KB

    Download