Overview

overview

10

Static

static

10

21241ffa8c...f3.exe

windows7-x64

10

21241ffa8c...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe

  • Size

    2.6MB

  • MD5

    45777274a1f089648085d8f60a401ec3

  • SHA1

    7edbcea87c3cd17890ad5ad9bb48b96f18ca45fe

  • SHA256

    21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3

  • SHA512

    f8b952594f07a29a782c35e4a412e50dd8d5f532a1598f3fcf3e03ea0d7773835c0848b745c8c8026b77d718e2112056cfc350359224696686cc36edf3223eed

  • SSDEEP

    49152:ubA3jtXf3wo6e1Sp/y+susVvipA7yQlcALZ/jZvaJOBoyI3l04EaJ:ubW3H51Sp+usgK7lcAZjUOKyIV07aJ

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe
    "C:\Users\Admin\AppData\Local\Temp\21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainContainersavesSessiondhcp\JemHIHhpiZI0N8EhV7.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\chainContainersavesSessiondhcp\EeHn5JjD.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\chainContainersavesSessiondhcp\blockprovider.exe
          "C:\chainContainersavesSessiondhcp\blockprovider.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mz5qwuDVGw.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2792
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3240
              • C:\Recovery\WindowsRE\csrss.exe
                "C:\Recovery\WindowsRE\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1608
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\chainContainersavesSessiondhcp\file.vbs"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SchCache\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2052

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\mz5qwuDVGw.bat
      Filesize

      196B

      MD5

      1e615438c9bc1bff0752c6e694fc1566

      SHA1

      9c96994d98804751390ca700f248a70a7b52b676

      SHA256

      53f77d1d8160ed7f0fd23c10f299774c5ac79411339f1d1e9fae4771be327f5f

      SHA512

      f469743c369ad15f4a9e382a1f84e30cb2b8a0daffad19c7caf9d7a7921ce67c1dc069f1515547e21cb834767e0ef434531b4ec2b622a0ea4c2a2e2156088e90

      Download Submit
    • C:\chainContainersavesSessiondhcp\EeHn5JjD.bat
      Filesize

      53B

      MD5

      63241e29fa7bdf71862d1d91cc65c14e

      SHA1

      682453813e14e493ce0e2d0091bff5dd44f3f058

      SHA256

      c9637ae1ccddaff2f9507633191d455f5f5dba8b65f6ff9e81a7e0f01783c9ca

      SHA512

      ef9272a8b3fd9206a4cc8fc33741da02a7a802c5a920b908833deea7d194fb2716bf174cb4815fa846feef681949a355a7a07cf673b93844ffac7d11e818b9e1

      Download Submit
    • C:\chainContainersavesSessiondhcp\JemHIHhpiZI0N8EhV7.vbe
      Filesize

      216B

      MD5

      623cd030254716a674418adf14747e9d

      SHA1

      fc3bba95a099cb2e286c6b77e7e375b07c3b447b

      SHA256

      9ef90d9d5849910473dd8f0610d5385eda91e64075b1a1756d301770183710eb

      SHA512

      090719e54a3b7b24bd1562c8267b9e66e80baaf4e06262c3d6320d41791a2bbc673d71540ce0e519336160fc8402cdf907724087735855dcddb36d58376fac49

      Download Submit
    • C:\chainContainersavesSessiondhcp\blockprovider.exe
      Filesize

      2.3MB

      MD5

      d61a906f69d0929d8acc146b02e6feb0

      SHA1

      2bf0d2b40cc80db69335bf62bc9ce48e476d2e60

      SHA256

      316b85089ab4ece8d024f3957200f0d1d49738be3bc7588691871a1e5d0fd110

      SHA512

      4e301ced2d3f2cc1a2b572cc71c361192d2f4316297c46b8a9d6b64f5f40ea1d4af6577e3f3d0e9b90f05376237ce8f26d80ab984ad6def3457df345a1b7ea6d

      Download Submit
    • C:\chainContainersavesSessiondhcp\file.vbs
      Filesize

      34B

      MD5

      677cc4360477c72cb0ce00406a949c61

      SHA1

      b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

      SHA256

      f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

      SHA512

      7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

      Download Submit
    • memory/1608-49-0x000000001C9F0000-0x000000001CA02000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1608-48-0x000000001CC00000-0x000000001CC56000-memory.dmp
      Filesize

      344KB

      Download
    • memory/4444-20-0x000000001B560000-0x000000001B576000-memory.dmp
      Filesize

      88KB

      Download
    • memory/4444-21-0x000000001BC30000-0x000000001BC86000-memory.dmp
      Filesize

      344KB

      Download
    • memory/4444-22-0x00000000010E0000-0x00000000010F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4444-23-0x000000001C540000-0x000000001CA68000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4444-24-0x000000001B520000-0x000000001B52E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4444-26-0x000000001B540000-0x000000001B548000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4444-25-0x000000001B530000-0x000000001B538000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4444-19-0x000000001B5B0000-0x000000001B600000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4444-18-0x0000000002C00000-0x0000000002C1C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/4444-17-0x00000000007C0000-0x0000000000A12000-memory.dmp
      Filesize

      2.3MB

      Download