Overview

overview

10

Static

static

3

$RH9VZ2N.exe

windows7-x64

10

$RH9VZ2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    10s
  • max time network
    11s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $RH9VZ2N.exe

  • Size

    1.8MB

  • MD5

    42b89874d3138f40f32285be945f2ceb

  • SHA1

    1766b4c4a040ba19afc4318e9b2eab775fee88d7

  • SHA256

    619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

  • SHA512

    df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

  • SSDEEP

    49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe
    "C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxwNap7d7D.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2412
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4264
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "$RH9VZ2N$" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "$RH9VZ2N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "$RH9VZ2N$" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\$RH9VZ2N.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\dllhost.exe
      Filesize

      1.8MB

      MD5

      42b89874d3138f40f32285be945f2ceb

      SHA1

      1766b4c4a040ba19afc4318e9b2eab775fee88d7

      SHA256

      619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

      SHA512

      df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IxwNap7d7D.bat
      Filesize

      184B

      MD5

      c4df44860ac5b614b3950d022bec8c2a

      SHA1

      6e54ba09ebe6baff0067ede4c76030732dac4ead

      SHA256

      cf54503c733202fbf6f4c786e24e4b0e7225eb2dd2145b89aeec6d65ac3e822a

      SHA512

      2d4a0128bd47adc9391301f13ed599896232362132aec14a4d79892361d2fc3c57e72ed2c3b21bea8b92faa9173029e756e11bfd559d5099c3b52700302d8b19

      Download Submit

    • memory/3492-10-0x000000001C0B0000-0x000000001C100000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3492-8-0x00000000031F0000-0x000000000320C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3492-4-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-6-0x0000000003170000-0x000000000317E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3492-9-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-12-0x0000000003210000-0x0000000003228000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3492-0-0x00007FFCC6063000-0x00007FFCC6065000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3492-3-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-2-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-24-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-25-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-26-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-27-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-33-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-34-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3492-1-0x0000000000ED0000-0x00000000010A2000-memory.dmp

      Filesize

      1.8MB

      Download