Overview

overview

10

Static

static

10

ad4072aa43...f0.exe

windows7-x64

10

ad4072aa43...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 02:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0.exe

  • Size

    1.1MB

  • MD5

    119ede06afc1b721278e8955fe8338f4

  • SHA1

    3917c6cfd13689a83e8410c157f54c0e05550bcf

  • SHA256

    ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0

  • SHA512

    72193ded81941ecef91da566d47e22667e98d927a18cbe06be3e4cbea6c1504664a7569fd9531ddbf1b4b019a953e53deb8da34938d1b879b4d74902eff3be78

  • SSDEEP

    24576:AMYPCI+q+U4cIG409ozWucypk1Nd4AX+iB/YjuM6kyh+:ABPZ0Kr1FXHB/guM6k+

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
    persistence
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0.exe
    "C:\Users\Admin\AppData\Local\Temp\ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
      "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\0C0A\dllhost.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\0C0A\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\0C0A\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\OSPPSVC.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0a" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0a" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\smss.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\smss.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\smss.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\dwm.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
    Filesize

    1.1MB

    MD5

    119ede06afc1b721278e8955fe8338f4

    SHA1

    3917c6cfd13689a83e8410c157f54c0e05550bcf

    SHA256

    ad4072aa43c0fcac0cc0c5f86147c93fb16707a547d7760407a02be06bf9d8f0

    SHA512

    72193ded81941ecef91da566d47e22667e98d927a18cbe06be3e4cbea6c1504664a7569fd9531ddbf1b4b019a953e53deb8da34938d1b879b4d74902eff3be78

    Download Submit

  • memory/1544-52-0x0000000000450000-0x0000000000462000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1544-50-0x0000000001330000-0x000000000145E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2932-51-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2932-6-0x0000000002060000-0x0000000002068000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2932-5-0x0000000000800000-0x000000000080E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2932-4-0x00000000001D0000-0x00000000001E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2932-3-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2932-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2932-1-0x0000000000260000-0x000000000038E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2932-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp

    Filesize

    4KB

    Download