Overview

overview

10

Static

static

10

119ede06af...f4.exe

windows7-x64

10

119ede06af...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    119ede06afc1b721278e8955fe8338f4.exe

  • Size

    1.1MB

  • MD5

    119ede06afc1b721278e8955fe8338f4

  • SHA1

    3917c6cfd13689a83e8410c157f54c0e05550bcf

  • SHA256

    ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0

  • SHA512

    72193ded81941ecef91da566d47e22667e98d927a18cbe06be3e4cbea6c1504664a7569fd9531ddbf1b4b019a953e53deb8da34938d1b879b4d74902eff3be78

  • SSDEEP

    24576:AMYPCI+q+U4cIG409ozWucypk1Nd4AX+iB/YjuM6kyh+:ABPZ0Kr1FXHB/guM6k+

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\119ede06afc1b721278e8955fe8338f4.exe
    "C:\Users\Admin\AppData\Local\Temp\119ede06afc1b721278e8955fe8338f4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxKS4C7dQ8.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2524
        • C:\Windows\ShellComponents\upfc.exe
          "C:\Windows\ShellComponents\upfc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\ShellComponents\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cxKS4C7dQ8.bat
      Filesize

      200B

      MD5

      e0c5830c4543938dcacf1097f71226c8

      SHA1

      8c126933a198b14bf2f73c9a4a3a7d8384d3c8d1

      SHA256

      8bccd6eded46f662242c4a3fb375de86c3838af4aa5ce38608d339dd08083167

      SHA512

      2b39914d5e0d8d033dd78714ccfd48089625d64df34bf1f1e8e022dbb3479479e254052cda551e2834bfd1703268e582f942529ed7f756193a354ebd202cec1f

      Download Submit

    • C:\Windows\bcastdvr\dllhost.exe
      Filesize

      1.1MB

      MD5

      119ede06afc1b721278e8955fe8338f4

      SHA1

      3917c6cfd13689a83e8410c157f54c0e05550bcf

      SHA256

      ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0

      SHA512

      72193ded81941ecef91da566d47e22667e98d927a18cbe06be3e4cbea6c1504664a7569fd9531ddbf1b4b019a953e53deb8da34938d1b879b4d74902eff3be78

      Download Submit

    • memory/1996-30-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5044-3-0x00007FFB0A650000-0x00007FFB0B111000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5044-5-0x0000000001820000-0x0000000001832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5044-4-0x000000001BBB0000-0x000000001BC00000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5044-6-0x000000001C9D0000-0x000000001CEF8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/5044-7-0x0000000003290000-0x000000000329E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5044-8-0x00000000032A0000-0x00000000032A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5044-0-0x00007FFB0A653000-0x00007FFB0A655000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5044-25-0x00007FFB0A650000-0x00007FFB0B111000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5044-2-0x00000000017F0000-0x000000000180C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/5044-1-0x0000000000F00000-0x000000000102E000-memory.dmp

      Filesize

      1.2MB

      Download