Overview

overview

10

Static

static

1

D1DAC6E0CF...4D.exe

windows7-x64

10

D1DAC6E0CF...4D.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe

  • Size

    1.2MB

  • MD5

    d1dac6e0cf79a43434f1ac4c84b9ef4d

  • SHA1

    35a0db7e5548b32fa4a44eb897beb9fbbdcc7962

  • SHA256

    9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd

  • SHA512

    43c1df1b5ea8d477977577e5a2a683e0c6621db649709a1447c783540e2e019053d288898fc255c2c27dedc20df595176a3b5a70c58a6a994f9b83192cc8989f

  • SSDEEP

    24576:9sayvYwy9cCAiDSeqgpkcqK0QrmU9cPVbGI61T7Kamt:WayQfSeXqK5Z9gsI6dud

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe
    "C:\Users\Admin\AppData\Local\Temp\D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Users\Admin\AppData\Local\Temp\D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe
      "C:\Users\Admin\AppData\Local\Temp\D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Users\Admin\AppData\Roaming\vnD8iKFufA.exe
        "C:\Users\Admin\AppData\Roaming\vnD8iKFufA.exe"
        3⤵
        • Executes dropped EXE
        PID:2876
      • C:\Users\Admin\AppData\Roaming\irrK2Y1tMN.exe
        "C:\Users\Admin\AppData\Roaming\irrK2Y1tMN.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4152
        • C:\Program Files\Crashpad\reports\dwm.exe
          "C:\Program Files\Crashpad\reports\dwm.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 252
      2⤵
      • Program crash
      PID:116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 2812
    1⤵
      PID:4300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\uk-UA\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\uk-UA\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\DESIGNER\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\DESIGNER\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Java\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\irrK2Y1tMN.exe
      Filesize

      716KB

      MD5

      2ea728129d813b8a99509cc009968d2e

      SHA1

      4705bf7c666dceb4db384cb487d796557583d107

      SHA256

      384773df6081637cd1d36872cace14b1df5e5d59cb9bed47512b0618185ca8fd

      SHA512

      9a67df09a331602e6a9176bbc6277cf7908085e768b9da2e13f6ba99934020d46823073d8e19b6cb2dd19ee0c75407a67c5095fb33068679a7ab5d760764db39

      Download Submit

    • C:\Users\Admin\AppData\Roaming\vnD8iKFufA.exe
      Filesize

      18KB

      MD5

      f3edff85de5fd002692d54a04bcb1c09

      SHA1

      4c844c5b0ee7cb230c9c28290d079143e00cb216

      SHA256

      caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

      SHA512

      531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

      Download Submit

    • memory/2812-0-0x0000000000183000-0x0000000000185000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3756-27-0x0000000000400000-0x00000000004F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3756-3-0x0000000000400000-0x00000000004F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3756-2-0x0000000000400000-0x00000000004F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3756-5-0x0000000000060000-0x000000000018B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3756-4-0x0000000000400000-0x00000000004F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3756-1-0x0000000000400000-0x00000000004F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4152-31-0x0000000000790000-0x000000000084A000-memory.dmp

      Filesize

      744KB

      Download

    • memory/4152-30-0x00007FFB24733000-0x00007FFB24735000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4152-32-0x00007FFB24730000-0x00007FFB251F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4152-33-0x0000000002930000-0x000000000294C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4152-36-0x00000000027C0000-0x00000000027D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4152-35-0x000000001B4A0000-0x000000001B4B6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4152-34-0x000000001BA20000-0x000000001BA70000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4152-60-0x00007FFB24730000-0x00007FFB251F1000-memory.dmp

      Filesize

      10.8MB

      Download