Overview

overview

10

Static

static

3

352bb05902...e9.exe

windows7-x64

10

352bb05902...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-11-2024 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe

  • Size

    426KB

  • MD5

    2d94c0a9c700f4a1552a1e2fe2cd33e2

  • SHA1

    7dfe6f390ea59bc8d53431cd3a4756c109e201ee

  • SHA256

    352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9

  • SHA512

    4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4

  • SSDEEP

    12288:mDLfHXFL+Kfcos8Us9s4R1d4j7nwlmyAgn/fT:mtyUAQnR+7wlmy7/7

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
    "C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o5pxmjvc\o5pxmjvc.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD08E.tmp" "c:\Windows\System32\CSC791AC351FDFF4B8C936A4AC6185CE116.TMP"
        3⤵
          PID:4448
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VKxnCoQCqb.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1468
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4776
          • C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
            "C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4888
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1296

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\WindowsRE\winlogon.exe
        Filesize

        426KB

        MD5

        2d94c0a9c700f4a1552a1e2fe2cd33e2

        SHA1

        7dfe6f390ea59bc8d53431cd3a4756c109e201ee

        SHA256

        352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9

        SHA512

        4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe.log
        Filesize

        1KB

        MD5

        23e95ec462ffa2c6ca8cab1cb8724ab1

        SHA1

        ee3f5e815831cf925c4f00195cc8f336b6112862

        SHA256

        c6ed38229b96cfb59e61de06854a1a99a9d6c3285a6b8511a7b60d64caa6979c

        SHA512

        b92242ea8d3dbcd3de11725995c22f0a747b820cfff7cf44217589289621bdc2a25bb4db0e1f385bd6bc84c15d893fa5dad544e6bab89f072ccb822cd8bd08dd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESD08E.tmp
        Filesize

        1KB

        MD5

        373b819a29aff51f19373364bfa110b4

        SHA1

        9c30a6db23665b4fd5ad2eeb9eca317dce50895f

        SHA256

        6f1533257ab8edd9ff5483d017bb568c7cc8e6b9dfcc3ad860bb632b153adead

        SHA512

        494c1ace0b6f672715ad6a9d03a7e4636c7bffa2c80bd967282fa0dbeab9a9f984fd9dc4002a744b3d364e7f0413b9f0b38776b5b2034533d7eb95c893be503b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\VKxnCoQCqb.bat
        Filesize

        230B

        MD5

        72f760dbf17f72f7631cd082eb7470ef

        SHA1

        fb85b45f5e299d39d921f53d92784ffb555e8c05

        SHA256

        e8f6208b83aeab0495d07a060c7ec9d3410cf5c2cb1fe2c3901c7f7050c8749e

        SHA512

        eefa82f087a1601603672704482735d4adf062d6eb5f54470102d55c23a843fbaa87936cc588237085e47990b16e74eebcd98d9da15dd3f8222269479a8aa587

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\o5pxmjvc\o5pxmjvc.0.cs
        Filesize

        366B

        MD5

        1ccdb4dd1f2bf152ae30b47e1bcf29de

        SHA1

        3698d25cab191f3c449a8f5519fe75d66318c1d1

        SHA256

        deb214fc067d80df042212fd103732bcb38ceea291749c4cc132a0943a0d00a0

        SHA512

        f8e8b1eb62cbf12f8a2c40aa06377f0117c94996980d72c8d2cbe9c450da867e1eca152d5084c5a9844f60222773a013f697fc4005dbb406a139c3a3a22ea703

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\o5pxmjvc\o5pxmjvc.cmdline
        Filesize

        235B

        MD5

        71889cf8a9750f90c183c1ebf8e0c178

        SHA1

        fb37e2982d75dc4363f39a0ad01800cdbfe50d59

        SHA256

        8f2fd040c33a0734df68a61ae33e942fd0de976b091034c9c8ba440cd9241337

        SHA512

        13f208e07a5536833bc6395744f8aad69f014f256a5e35db5a46856642fdcfbb7394db64b199e3a8569546ab61d1c64d9e8a3d65e5d5c374870ab1039087a77c

        Download Submit

      • \??\c:\Windows\System32\CSC791AC351FDFF4B8C936A4AC6185CE116.TMP
        Filesize

        1KB

        MD5

        034b083b6729ade0b138a24cbdd66c6d

        SHA1

        299c5a9dd91498cfc4226a5fe6d52ea633c2d148

        SHA256

        8e3aa7a68c0bfea6cae11fe40e79aa1483bc2e43c4c3fd11fcebca1f7bcea0d2

        SHA512

        43f68ec3211f2d1eb3a095713b3988a5b45a6fb03136876431edd3b25b628f904079557cbb60d0107c0444551db274c8e6817d63a543e8a7e390206af64d1cc3

        Download Submit

      • memory/1128-5-0x00000000021F0000-0x00000000021FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1128-48-0x00007FFBFAEE0000-0x00007FFBFB9A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1128-15-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1128-32-0x00007FFBFAEE0000-0x00007FFBFB9A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1128-16-0x00007FFBFAEE0000-0x00007FFBFB9A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1128-2-0x0000000002310000-0x00000000023E2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/1128-3-0x00007FFBFAEE0000-0x00007FFBFB9A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1128-13-0x00007FFBFAEE0000-0x00007FFBFB9A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1128-8-0x000000001BA40000-0x000000001BA90000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1128-10-0x000000001AE00000-0x000000001AE18000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1128-7-0x000000001ADE0000-0x000000001ADFC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1128-0-0x00007FFBFAEE3000-0x00007FFBFAEE5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1128-31-0x00007FFBFAEE0000-0x00007FFBFB9A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1128-12-0x000000001ADC0000-0x000000001ADCE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1128-1-0x0000000000180000-0x0000000000188000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4684-50-0x000000001AEB0000-0x000000001AF82000-memory.dmp

        Filesize

        840KB

        Download

      • memory/4684-56-0x000000001B6A0000-0x000000001B6A8000-memory.dmp

        Filesize

        32KB

        Download