Overview

overview

10

Static

static

10

f7d1ba849b...0b.exe

windows7-x64

10

f7d1ba849b...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7d1ba849bec5c9f1761a6b420f793fa7c350be0e66d40788cde74650bf8a20b.exe

  • Size

    952KB

  • MD5

    2e9644402e12601f1d8161857c48a3ad

  • SHA1

    43b55976d438bc8273932f12a12b7f248165e8a9

  • SHA256

    f7d1ba849bec5c9f1761a6b420f793fa7c350be0e66d40788cde74650bf8a20b

  • SHA512

    4e1efd2ef2a9e9f062c3a9321cb28c34a56edc9b398e857eb3f14ecc6ded5660249a4523b8c21eccf3db524625b05ab1b075d7be20f68d0e27f91e7b403a1662

  • SSDEEP

    24576:Q+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:z8/KfRTK

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
    persistence
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 15 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7d1ba849bec5c9f1761a6b420f793fa7c350be0e66d40788cde74650bf8a20b.exe
    "C:\Users\Admin\AppData\Local\Temp\f7d1ba849bec5c9f1761a6b420f793fa7c350be0e66d40788cde74650bf8a20b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputCommon\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\UevAppMonitor\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\cflapi\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Documents and Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\mdmregistration\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\backgroundTaskHost.exe
    Filesize

    952KB

    MD5

    81f62c3f346312bad632dcbfb84d3137

    SHA1

    453a0f09bfcc83e583403e6613bf9a724256f09d

    SHA256

    926ee7b3ce9e966bd2a0aa341f3f877f2ea2a356a4a48c4af26700cb75f00c99

    SHA512

    420730ca19057640d3829aa1cf3c4839e60a47bdcef2a4728476767c017d5d69841c2ebc8a061bbf6fdd433db6374a16c7d40aa7e0487df94bf5f2650d4d763c

    Download Submit

  • C:\Windows\System32\UevAppMonitor\sihost.exe
    Filesize

    952KB

    MD5

    0e8332028cbcd666a336279ca90d23f8

    SHA1

    1e9cf9a8ed4071157357bb822bf35ca3f3386397

    SHA256

    5eec7df988c28c5efd931dca389a3e9a32096cff3292b639d30802b6dbff94b8

    SHA512

    ddfe71616128e2d02797362eeb79e082fde81ab76e253d08cadc6bba7d0655a8813ca37cbde33f4f0be22f22527dd26b2a52a2d49fa912a767caf1939d093fe0

    Download Submit

  • C:\Windows\System32\cflapi\dllhost.exe
    Filesize

    952KB

    MD5

    2e9644402e12601f1d8161857c48a3ad

    SHA1

    43b55976d438bc8273932f12a12b7f248165e8a9

    SHA256

    f7d1ba849bec5c9f1761a6b420f793fa7c350be0e66d40788cde74650bf8a20b

    SHA512

    4e1efd2ef2a9e9f062c3a9321cb28c34a56edc9b398e857eb3f14ecc6ded5660249a4523b8c21eccf3db524625b05ab1b075d7be20f68d0e27f91e7b403a1662

    Download Submit

  • C:\Windows\System32\cflapi\dllhost.exe
    Filesize

    952KB

    MD5

    91d3a24b67e5195aa7403cd6d0643b63

    SHA1

    bf2b9b5fc40b63e4587c07091311e1b0c198d2f8

    SHA256

    0ca47786840e395b95fda5b7e9cbb44caea47b979e9edff923114f04e52c029a

    SHA512

    491f1858f00cd8969214de41c687d18b38e318bbbdc1af930207feafa7e76b5b20b6183847331c096c71b8b34e713889124aa73cdd79ab7be9c3661377c598e8

    Download Submit

  • memory/2784-4-0x0000000000B50000-0x0000000000B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2784-5-0x0000000000B30000-0x0000000000B3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2784-6-0x0000000000B40000-0x0000000000B4C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2784-7-0x0000000000B60000-0x0000000000B6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2784-10-0x0000000002780000-0x000000000278C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2784-9-0x0000000002770000-0x000000000277A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2784-11-0x000000001AF80000-0x000000001AF8C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2784-8-0x0000000002760000-0x0000000002768000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2784-0-0x00007FF96A283000-0x00007FF96A285000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2784-3-0x0000000000B10000-0x0000000000B20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2784-2-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2784-1-0x0000000000380000-0x0000000000474000-memory.dmp

    Filesize

    976KB

    Download

  • memory/2784-118-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

    Filesize

    10.8MB

    Download