Overview

overview

10

Static

static

10

dc/10.exe

windows10-2004-x64

10

dc/12.exe

windows10-2004-x64

7

dc/13.exe

windows10-2004-x64

10

dc/15.exe

windows10-2004-x64

8

dc/16.exe

windows10-2004-x64

10

dc/17.exe

windows10-2004-x64

3

dc/19.exe

windows10-2004-x64

10

dc/22.exe

windows10-2004-x64

10

dc/23.exe

windows10-2004-x64

10

dc/3.exe

windows10-2004-x64

10

dc/4.exe

windows10-2004-x64

3

dc/5.exe

windows10-2004-x64

10

dc/6.exe

windows10-2004-x64

10

dc/7.exe

windows10-2004-x64

9

dc/9.exe

windows10-2004-x64

10

Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Analysis

  • max time kernel
    34s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-08-2024 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc/23.exe

  • Size

    1.1MB

  • MD5

    a6f747d35d90c66344698cc5ad1ba21f

  • SHA1

    84961f2e854ce6f65413b194ab77264e006c534e

  • SHA256

    f1a2d62c34c17c712655ee85dbd0012c02d03b4923ad082ee0841fd6d111164a

  • SHA512

    ccadbb90aa4c24af7f2b1915e336adab13052012bc00f9ff773e5012cfea338615ffd7017545444513f39fdf88570c43274f12a57fbb281eec25eb9ba11d276f

  • SSDEEP

    24576:u2G/nvxW3WieCP4wzK8OWUwmGybMwW5TUzcOLpNk:ubA3jP4SOZxk+Dp2

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 16 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc\23.exe
    "C:\Users\Admin\AppData\Local\Temp\dc\23.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webintonetDhcp\6By9jbeZ0ci3RbuViYKP.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\webintonetDhcp\YOsLzEpQjjTAejnwxyE.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1848
        • C:\webintonetDhcp\brokermonitor.exe
          "C:\webintonetDhcp\brokermonitor.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1352
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bzfCM1iGQ9.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:472
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\webintonetDhcp\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\webintonetDhcp\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\webintonetDhcp\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\cmd.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TextInputHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:460

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bzfCM1iGQ9.bat
      Filesize

      194B

      MD5

      bf1ea7824c27862218fa4d5ce76e07f2

      SHA1

      8948a8daa5b173bacea8ade08c64e22573800590

      SHA256

      f23e8b46a4f43c36ec4946e2f51bd3d2b492a06eb4a903880f82fbd42dc0076f

      SHA512

      1434b5d6d883eca674729ac0544affdd25c8447f08bc33d100cdb995d742d9e5a7e82fef5ef83eec4cdd1d9a702791fbc4dd93a9588ccd2db6ac603fbe8cc802

      Download Submit

    • C:\webintonetDhcp\6By9jbeZ0ci3RbuViYKP.vbe
      Filesize

      210B

      MD5

      1a9649093867d14e14d4ab4a294936d4

      SHA1

      bca08d2a098219c2c33e0b3962f8ab02b5a39224

      SHA256

      4d6e6394d5f8af070751a0d83d5ae104775279f4bf842485d8a837d80f62b222

      SHA512

      47f00cb643a3a72e1d0f012484f7163e082a50db2927df3c5e613b6444a3bec96d332f4aeab8ca8c4ca71695151cf3df0fd194a010fb56b7417ede6069692197

      Download Submit

    • C:\webintonetDhcp\YOsLzEpQjjTAejnwxyE.bat
      Filesize

      37B

      MD5

      3d792304add88ea6ad91e9eb81e04d63

      SHA1

      329e95644d9bb8b1793a601ae66f4d265e4e1550

      SHA256

      7551a1eafb4564a5411a032d42c188a23843534fafbf383531dff5ea7378c03f

      SHA512

      cd3a7fb5e74f0c943360aabb44481571652ff56fe1c8d5c334d950710b789895eb773543dc2bb0b88d170b4149f2a2d18da84fb37dea56a1fe8df766e0627fa9

      Download Submit

    • C:\webintonetDhcp\brokermonitor.exe
      Filesize

      828KB

      MD5

      4fb3bba4614135065400c023cd91f419

      SHA1

      4aaece828ae405cfb61c79b9d00d44e868c8bb6c

      SHA256

      a9f7e225ab3a7a9c8539fbdd69b7285667ae442e9373a43b9857897963ae38a6

      SHA512

      3d4a1a84210cdffcea6065942081c62f7aaf30e5578062dd65a8ea984111956beb5dcfe61740af9d9379386585eb37f647ab1d83df55c78f0d2f057e9ff91376

      Download Submit

    • memory/1352-12-0x00007FFF5B823000-0x00007FFF5B825000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1352-13-0x0000000000380000-0x0000000000456000-memory.dmp

      Filesize

      856KB

      Download