Overview

overview

10

Static

static

10

7a1a339724...2e.exe

windows7-x64

10

7a1a339724...2e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

  • Size

    827KB

  • MD5

    759b333fd8d1eedb5666fdea1da25b25

  • SHA1

    b66fc861196561f793062622b88cdb1065e35459

  • SHA256

    7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e

  • SHA512

    831006157773f5a30dbf07dcbfd484f49a978c077f8e132d33c8e044f8141462bb890c344724b23c3144488c1c406d576b7009c1205772a503ce6cc92692aec3

  • SSDEEP

    12288:M+B2ad7F/Jf2xm1/nNfkOV+0Z3+5DlpAXdet4y5+q:gad7PuxmRn60Zu7xtZp

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
    "C:\Users\Admin\AppData\Local\Temp\7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PN219sj1of.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1064
        • C:\Recovery\WindowsRE\fontdrvhost.exe
          "C:\Recovery\WindowsRE\fontdrvhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\WindowsRE\fontdrvhost.exe
      Filesize

      827KB

      MD5

      759b333fd8d1eedb5666fdea1da25b25

      SHA1

      b66fc861196561f793062622b88cdb1065e35459

      SHA256

      7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e

      SHA512

      831006157773f5a30dbf07dcbfd484f49a978c077f8e132d33c8e044f8141462bb890c344724b23c3144488c1c406d576b7009c1205772a503ce6cc92692aec3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\PN219sj1of.bat
      Filesize

      202B

      MD5

      d5b643e60a9169e5a5d8e2668ef65370

      SHA1

      231cf4b480f3109ab43777e53cc5b1a30c608ccf

      SHA256

      8837ebbde7343868ce357638585c1d83d2eb8236323f3bed775e8c439510d379

      SHA512

      8b77a70aeb6cdc57866e37ed304b781acf4aaa5600f8348603bf672e4427c7e420dbcebe963c4e30141b540b764d7184b8977534cc294a7586ef5761fe515500

      Download Submit

    • memory/1468-0-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1468-1-0x0000000000810000-0x00000000008E6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/1468-4-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1468-15-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

      Filesize

      10.8MB

      Download