Analysis

  • max time kernel
    93s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21-11-2024 04:08

General

  • Target

    c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe

  • Size

    8.4MB

  • MD5

    23e7c44b93cb1b729d816de6e2800888

  • SHA1

    aa0d6d3655991fcc2bee30f2e4002150c3c08c7f

  • SHA256

    c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af

  • SHA512

    78671a96f54348695f839199340cd4fa5f9816c0ab740c8492f877deba6bed3191407e3096f3bd107cde7e65cd12a15140222656c2f53f8d7ece6881ec456fb9

  • SSDEEP

    24576:L+O4Gq8ijgGfy8vWYT0Z3VTaLMo6e7h4su+A3uFDIU2lklx2yDUZFyn7ftR0K1ww:6hJgGfys0DTi7hhcGWn1ZBfY4KGrM

Malware Config

Signatures

  • DcRat 26 IoCs

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
    "C:\Users\Admin\AppData\Local\Temp\c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9nIpciANN.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:1072
      • C:\Users\Admin\AppData\Local\Temp\c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
        "C:\Users\Admin\AppData\Local\Temp\c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:372
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4eLZiUVA1.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            5⤵
            PID:2872
          • C:\Windows\Fonts\lsass.exe
            "C:\Windows\Fonts\lsass.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\sti_ci\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Documents and Settings\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\UpdateAgent\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Help\en-US\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PerfLogs\services.exe

    Filesize

    8.4MB

    MD5

    23e7c44b93cb1b729d816de6e2800888

    SHA1

    aa0d6d3655991fcc2bee30f2e4002150c3c08c7f

    SHA256

    c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af

    SHA512

    78671a96f54348695f839199340cd4fa5f9816c0ab740c8492f877deba6bed3191407e3096f3bd107cde7e65cd12a15140222656c2f53f8d7ece6881ec456fb9

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe.log

    Filesize

    1KB

    MD5

    b7c0c43fc7804baaa7dc87152cdc9554

    SHA1

    1bab62bd56af745678d4e967d91e1ccfdeed4038

    SHA256

    46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

    SHA512

    9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

  • C:\Users\Admin\AppData\Local\Temp\F4eLZiUVA1.bat

    Filesize

    190B

    MD5

    bd03efdc5fa23a0757e084558298cc73

    SHA1

    398ab4d028bef7b60bceb654205f25b090dd1cdb

    SHA256

    9913b24d2382fbe1152d3afb66b850e8fc6d1f63a0b2ec08a26ae5f45872cd42

    SHA512

    e907dc9dcdc793a5267955cb072b5c9fdbb8f78e065262321c238d10744fea3073a280f1d03a77b527c281402c4d2a9f38f0c79807eaa4496eab64cbe660eb6a

  • C:\Users\Admin\AppData\Local\Temp\L9nIpciANN.bat

    Filesize

    266B

    MD5

    bb3ccc1286712483bded885e2297a7e2

    SHA1

    27b8ca66bc856648980c6b54efcff79d839858be

    SHA256

    ee3acacedb4a2c6f13f1474e14b1ac85cc6aeba3c8b4da361f6cc87b08641ead

    SHA512

    96610aaff22f9fcd2108600b34e729c92dbe0a99c962a49da80aaa2eea12353967c4a75e9bffbaac8f135a9b1793f129ef5c946c4990db72a221bb4152966014

  • memory/1184-4-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

    Filesize

    10.8MB

  • memory/1184-1-0x0000000000C90000-0x0000000001504000-memory.dmp

    Filesize

    8.5MB

  • memory/1184-19-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

    Filesize

    10.8MB

  • memory/1184-0-0x00007FFED1093000-0x00007FFED1095000-memory.dmp

    Filesize

    8KB

  • memory/1500-39-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

    Filesize

    48KB

  • memory/1500-40-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

    Filesize

    48KB

  • memory/1500-41-0x000000001BAB0000-0x000000001BABC000-memory.dmp

    Filesize

    48KB

  • memory/1500-43-0x000000001BAD0000-0x000000001BADA000-memory.dmp

    Filesize

    40KB

  • memory/1500-42-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

    Filesize

    32KB