Overview

overview

10

Static

static

1

1d13a84aa6...43.exe

windows7-x64

10

1d13a84aa6...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 07:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d13a84aa671b75f66f4c7fce8339619291d4a43.exe

  • Size

    775KB

  • MD5

    0ed1f9cb842483e03e36cee538678ffd

  • SHA1

    1d13a84aa671b75f66f4c7fce8339619291d4a43

  • SHA256

    24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc

  • SHA512

    78cb214db0ecbc532a50fc1344a138125e0031485c004e95bc21064165f9fd667fa582cd5196a6e1b4276b6dd7fa1d23dfabfe0c58b0d93fbf8e5329b064a809

  • SSDEEP

    12288:FFg6HIZxWaga+z9e9qJeyLVqlUhqgPXdU2ypi0w8ncqXuvVw4heSNSzLz/:FIrr+h0qJeiqlGVUskcz9w4jI3b

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d13a84aa671b75f66f4c7fce8339619291d4a43.exe
    "C:\Users\Admin\AppData\Local\Temp\1d13a84aa671b75f66f4c7fce8339619291d4a43.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1d13a84aa671b75f66f4c7fce8339619291d4a43.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Users\Admin\AppData\Local\Temp\1d13a84aa671b75f66f4c7fce8339619291d4a43.exe
      "C:\Users\Admin\AppData\Local\Temp\1d13a84aa671b75f66f4c7fce8339619291d4a43.exe"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\odbcconf\lsass.exe'" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1408
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2636
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\smss.exe'" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2488
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0\dwm.exe'" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:912
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XWlpt9ANcw.bat"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:680
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1352
        • C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0\dwm.exe
          "C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0\dwm.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XWlpt9ANcw.bat
    Filesize

    221B

    MD5

    36c954531fe8921fe19dd738866763f2

    SHA1

    a0eff0ae5a0569da241c07f0fde1cbf8b6aea605

    SHA256

    9ce4eeb36e66e16991cd1f62a03c34f08d96e1e47a9ad23b8c59ce797da74aec

    SHA512

    22f14c671ff8f1007518fa7f286b34e129d0c57d360b51e53527883fe63d194c1003c0a5d0c63fb0fbed85410d6ae0834ca919315324791a1ff4a8a2cb89f299

    Download Submit

  • \Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0\dwm.exe
    Filesize

    775KB

    MD5

    0ed1f9cb842483e03e36cee538678ffd

    SHA1

    1d13a84aa671b75f66f4c7fce8339619291d4a43

    SHA256

    24f719954fbcfd391426579d7f4965d2771f0d2751bed291e6a8dd26228315cc

    SHA512

    78cb214db0ecbc532a50fc1344a138125e0031485c004e95bc21064165f9fd667fa582cd5196a6e1b4276b6dd7fa1d23dfabfe0c58b0d93fbf8e5329b064a809

    Download Submit

  • memory/656-47-0x0000000001080000-0x0000000001144000-memory.dmp

    Filesize

    784KB

    Download

  • memory/1704-27-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1704-12-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1704-42-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1704-28-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1704-23-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1704-9-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1704-22-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1704-20-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1704-18-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1704-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1704-14-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1704-10-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1740-4-0x00000000748AE000-0x00000000748AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1740-7-0x0000000005210000-0x0000000005290000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1740-24-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1740-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1740-6-0x0000000005170000-0x0000000005210000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1740-5-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1740-3-0x0000000000500000-0x000000000050A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1740-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1740-1-0x0000000000850000-0x0000000000914000-memory.dmp

    Filesize

    784KB

    Download