Overview

overview

10

Static

static

10

a444fc3ab2...7N.exe

windows7-x64

10

a444fc3ab2...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 21:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7N.exe

  • Size

    952KB

  • MD5

    33070246887bc29db6b8b0a07808cc10

  • SHA1

    6f29033bd3d2f3be700b77c6bd40ffafd9888ac3

  • SHA256

    a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7

  • SHA512

    2f11ec5ad30c036437de720700f97f620b7e58b7eb3785e964f5b804931be8a9b9e1d0f776fe955cc1c8da1ab0719f485c4de91ce5af664c66a8a5b7e80ea587

  • SSDEEP

    24576:2+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:R8/KfRTK

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 28 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7N.exe
    "C:\Users\Admin\AppData\Local\Temp\a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7N.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4944
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wSyy7aYSYn.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4116
        • C:\Users\Admin\AppData\Local\Temp\a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7N.exe
          "C:\Users\Admin\AppData\Local\Temp\a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7N.exe"
          3⤵
          • Modifies WinLogon for persistence
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4524
          • C:\Users\Admin\AppData\Local\Temp\a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7N.exe
            "C:\Users\Admin\AppData\Local\Temp\a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7N.exe"
            4⤵
            • Modifies WinLogon for persistence
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1416
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yZhDpTH4Hf.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4028
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:3572
                • C:\Windows\System32\miutils\RuntimeBroker.exe
                  "C:\Windows\System32\miutils\RuntimeBroker.exe"
                  6⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\HandwritingSystemToastIcon.contrast-white\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\PerfLogs\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Internal.Security.Attestation.DeviceAttestation\WaaSMedicAgent.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2340
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\sbservicetrigger\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\tcblaunch\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\miutils\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3484
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Management.InprocObjects\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\HalExtPL080\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\PerfLogs\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1684

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      4
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PerfLogs\lsass.exe
        Filesize

        952KB

        MD5

        3ee71d21964319d9d61bbc4959babb5f

        SHA1

        2c27f228652664d9ed3e73f054293f42e63833d7

        SHA256

        3c81198f569eff593180aa6c211f6bcaf9b383d01e64e5fde3d2f1b165f11a12

        SHA512

        87c87b968f4b222918ea55abc167cd7b2f5962301dbf2ff927941e00df1b6d7399b52f29c83c8136fa2d6423553dfd087e25fc999559d2487101a879200f3118

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7N.exe.log
        Filesize

        1KB

        MD5

        7f3c0ae41f0d9ae10a8985a2c327b8fb

        SHA1

        d58622bf6b5071beacf3b35bb505bde2000983e3

        SHA256

        519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

        SHA512

        8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RCX95F7.tmp
        Filesize

        952KB

        MD5

        33070246887bc29db6b8b0a07808cc10

        SHA1

        6f29033bd3d2f3be700b77c6bd40ffafd9888ac3

        SHA256

        a444fc3ab26aefc4b10cdafa754b75d4677396f2ca92a4d670ee78f51c0e80e7

        SHA512

        2f11ec5ad30c036437de720700f97f620b7e58b7eb3785e964f5b804931be8a9b9e1d0f776fe955cc1c8da1ab0719f485c4de91ce5af664c66a8a5b7e80ea587

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wSyy7aYSYn.bat
        Filesize

        267B

        MD5

        b2454fea61a281232323f1fa5fa23f4f

        SHA1

        a04c5d5a01f87e7843e082e868a2af6d3de0e0ad

        SHA256

        5e958d0ce8532795cfb621531994e56773a9c66a07a59969532cec3e29b43650

        SHA512

        32c5a05562c48da51af0c829194e3c54cb94e7cb645828e29574381bd2d0323fbd5c4dbea01b2e931b92fb2416da948bd54b971d9eee4d6abba23b5d282c2b2f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\yZhDpTH4Hf.bat
        Filesize

        209B

        MD5

        415c8c7999548b1ec064ea696cc81ebb

        SHA1

        e025bff7248aabb2f3caec0db322781371842615

        SHA256

        14f78695e0680aa9c22dc6ae06920cc427b10b46f7eb6568dbbd67124e967894

        SHA512

        8454deff945cb40d4e8b05b42b269372f64dd028518edfd7c22c40d854a54ea57a377b9544e7ca38c367f45e22364625a0f546865b4ef491c2fdf7a80f08facd

        Download Submit

      • memory/4944-3-0x0000000002630000-0x0000000002640000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4944-6-0x00000000026D0000-0x00000000026DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4944-7-0x0000000002670000-0x000000000267A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4944-8-0x0000000002680000-0x0000000002688000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4944-10-0x00000000026C0000-0x00000000026CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4944-9-0x00000000026B0000-0x00000000026BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4944-11-0x00000000026E0000-0x00000000026EC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4944-5-0x0000000002690000-0x000000000269A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4944-0-0x00007FFCD46A3000-0x00007FFCD46A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4944-64-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4944-4-0x0000000002640000-0x0000000002650000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4944-2-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4944-1-0x00000000004E0000-0x00000000005D4000-memory.dmp

        Filesize

        976KB

        Download