Overview

overview

10

Static

static

3

477DB3DE46...2C.exe

windows7-x64

10

477DB3DE46...2C.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2024 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    477DB3DE46B7779B63495A8BDB279F2C.exe

  • Size

    1.6MB

  • MD5

    477db3de46b7779b63495a8bdb279f2c

  • SHA1

    77dc3f7d83728294c49298db82dd0e668adc3a73

  • SHA256

    8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

  • SHA512

    4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

  • SSDEEP

    24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/

Score
10/10
dcratdiscoveryexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe
    "C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ttvgp3iw\ttvgp3iw.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF31.tmp" "c:\Windows\System32\CSC26FF3A8F59224AB6A9F3899E497A7997.TMP"
        3⤵
          PID:2836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\winlogon.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\taskhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1856
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\OSPPSVC.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gwcbsFDSjL.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1536
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2100
          • C:\Program Files\Windows Sidebar\ja-JP\csrss.exe
            "C:\Program Files\Windows Sidebar\ja-JP\csrss.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\ja-JP\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2332
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2928
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C4" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1828
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "477DB3DE46B7779B63495A8BDB279F2C4" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\477DB3DE46B7779B63495A8BDB279F2C.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1936

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Windows Sidebar\ja-JP\csrss.exe
        Filesize

        1.6MB

        MD5

        477db3de46b7779b63495a8bdb279f2c

        SHA1

        77dc3f7d83728294c49298db82dd0e668adc3a73

        SHA256

        8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366

        SHA512

        4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESCF31.tmp
        Filesize

        1KB

        MD5

        378cbd673524ff184cb8a4cb1f3d512c

        SHA1

        0a30ad4710a0500cb525cbe1ef7ed766b3ae085f

        SHA256

        09b79f3b973e1aa5389377b3161e99c250d6846bce29b421a97cde9b42145953

        SHA512

        8ed524e2554818781826d1ab72b6bce45e55a1b49a4800198de35688e516e2c036560d9eabc6ddcb1631a6931d9624daf89bbd014598c9275b998cabae835ccb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gwcbsFDSjL.bat
        Filesize

        176B

        MD5

        f61641095060aea013ca103abe5deac6

        SHA1

        af9fd5f28956dc3ceb5bd35c20748e9e1192bebe

        SHA256

        d9d8ff265ed5dec51b4d737598f92db5519ce4e4c34431b2c49729ccf3a9b483

        SHA512

        79c0c308c2788862c2e8821a476ce20f0a29fe163005d540c6e42418023f35f79f93d7d723225b218628e812efc06b9b4a37e198513796360a9fabafa513ecf8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        75f87a5697cf274fed3cdb37724c01b2

        SHA1

        7405fb5fc74c29a39685d8d7d92b02e52fd0755b

        SHA256

        37c78519a51250b11eb5ff26963c0fb549640eebff2f51310c5761d62f3c219c

        SHA512

        848ee90e4db071ae6622f4b27e7ca05a1e9280e7a58d83f1a8c413d3010110bf6fd0077648618b6109eb3df45b5df514b61478c93ba93afc5e5d7110e5820e79

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ttvgp3iw\ttvgp3iw.0.cs
        Filesize

        380B

        MD5

        a510387f9e67bfc47873697d6ba91848

        SHA1

        b1256813f7496b3ead97be4fffab3ad425248c5a

        SHA256

        a82c7c2d8b52fb6b0d99182fc2e6546e0773fcaabef84ffe4aa50d5447c1cfaf

        SHA512

        62d28c2b986ba333a645781d6b3c77edd1e2ce3d31a304dab90040ed37b6aaca6de83a0b640bdfb263e58952b55cc8f2d2c48ee0e9c1d02fd15f124b5ddd2ac3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ttvgp3iw\ttvgp3iw.cmdline
        Filesize

        235B

        MD5

        6823545616b03569a19a2f91f2c87aef

        SHA1

        4fd033150601e22cac7c1d5b0394072fd30f1202

        SHA256

        f262f4d679887d76e1e24040f31802ef17059f0d96ef2ba8d0afa5336a269b57

        SHA512

        53889e41501c6ea878ee7a337e897d42ad2dc8ac33df14681376f94a1669b448fd1179baf27a9a97c3e653ebd103bac3cd45d14762965f185bc3c71822953fe3

        Download Submit

      • \??\c:\Windows\System32\CSC26FF3A8F59224AB6A9F3899E497A7997.TMP
        Filesize

        1KB

        MD5

        332eb1c3dc41d312a6495d9ea0a81166

        SHA1

        1d5c1b68be781b14620d9e98183506f8651f4afd

        SHA256

        bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

        SHA512

        2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

        Download Submit

      • memory/748-60-0x0000000001D20000-0x0000000001D28000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1948-53-0x000000001B620000-0x000000001B902000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1976-11-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1976-9-0x0000000000320000-0x000000000032C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1976-10-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1976-7-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1976-6-0x0000000000280000-0x000000000028E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1976-4-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1976-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-3-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1976-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1976-61-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1976-1-0x0000000001230000-0x00000000013DA000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2508-74-0x0000000000920000-0x0000000000ACA000-memory.dmp

        Filesize

        1.7MB

        Download