Overview

overview

10

Static

static

10

8e9ebe22d1...8N.exe

windows7-x64

10

8e9ebe22d1...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e9ebe22d1b2b3c07bee3524ec09d4d657134d78ad27491397b6d73d83b1e3f8N.exe

  • Size

    1.7MB

  • MD5

    6025a571157fca934b0a10a53c112bd0

  • SHA1

    e6abd828d62fe816a316ba2c3ff4ae8b2033be33

  • SHA256

    8e9ebe22d1b2b3c07bee3524ec09d4d657134d78ad27491397b6d73d83b1e3f8

  • SHA512

    aa527ab4bda8490db528ccad1511fc8412988f65b2c9cd63de72430c803050beb9c0bf5438e0c58e0344daf65775f4cc7269a547b2aee303bd0cb57ee7169840

  • SSDEEP

    24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e9ebe22d1b2b3c07bee3524ec09d4d657134d78ad27491397b6d73d83b1e3f8N.exe
    "C:\Users\Admin\AppData\Local\Temp\8e9ebe22d1b2b3c07bee3524ec09d4d657134d78ad27491397b6d73d83b1e3f8N.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2852
        • C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe
          "C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd6799a4-cd5f-4b56-8d7b-cf5defbeb9d8.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:844
            • C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe
              "C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1224
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5c5c00e-661f-4c15-9d60-6ef6aebd5e16.vbs"
            4⤵
              PID:816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2260
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe
        Filesize

        1.7MB

        MD5

        bdaf42ef77d51c4ca2da859370e608d5

        SHA1

        f0d57ad8d8cf54d7eb3c4dc2171692800b70173b

        SHA256

        82563756ac205242d0734ab096f24ba20b71a4b58eb646d8ae14ba2b2b23cd6e

        SHA512

        6019824dbf49050824bfc76ec5527ee421b91106d2f0ff7d87eb8adc392353940ee40d79b529c7f9a08b82625a317a29a968a3bd49857e8b0fc6a0c56c20d5d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RCXC11E.tmp
        Filesize

        1.7MB

        MD5

        6025a571157fca934b0a10a53c112bd0

        SHA1

        e6abd828d62fe816a316ba2c3ff4ae8b2033be33

        SHA256

        8e9ebe22d1b2b3c07bee3524ec09d4d657134d78ad27491397b6d73d83b1e3f8

        SHA512

        aa527ab4bda8490db528ccad1511fc8412988f65b2c9cd63de72430c803050beb9c0bf5438e0c58e0344daf65775f4cc7269a547b2aee303bd0cb57ee7169840

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat
        Filesize

        235B

        MD5

        2dc45aa75a7320466d2de3c700399b91

        SHA1

        049932323d9efdfe5bee6faa3b974f010552dce3

        SHA256

        6360a14d0b174d6159fe72d8ce2dcb955af5a1d358f4b11d9c0019d2f1eadb1a

        SHA512

        7352f58585dbbce9367ecef0a33a24df282ec21f2c6eb8680b79a1704157c1ca353ac8be8f2f470151aa80ab2354dcec71c5415a6090884d98d1f008a02eddbf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a5c5c00e-661f-4c15-9d60-6ef6aebd5e16.vbs
        Filesize

        522B

        MD5

        8aa9729de88688318c5ca348161bc000

        SHA1

        bb51b78d6d53367928f1d92a78f59c11bcccdc9c

        SHA256

        a9fc0a7af046d4e0bdbf0bc0f07345d752108e661a5ca5b88d3494f02bc9ecb2

        SHA512

        7a1bec5b18f7ec24529f29cb2688c90033256a7ba1132dfc8937ac06ed438785583cd07d13d77140b3aa4e12a5ba495ec568066eec785b81ef7733f3594bc74a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\fd6799a4-cd5f-4b56-8d7b-cf5defbeb9d8.vbs
        Filesize

        746B

        MD5

        147f4a3892753ac72063df12877bfa97

        SHA1

        83016ac59e82ab060a677fbe507bdf96812e4037

        SHA256

        2bf3677e24260dade8eb6a50822efde55544906ac34da0736b94386b2abee57c

        SHA512

        d5d28e08059fb6fe2b8a46efe199b43d3c4966f1a8591ccd6250e247884b7e41b7c0fea17be81c5b305e092fc2332a8896a909c46cd844c9aba4081e4fe7e3d8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        942377d5abeaf3604b422bd0bcc20a89

        SHA1

        7464d11d42fb231f8dd8690143ef7cbf34d55bc6

        SHA256

        cda5e59ad3d7b0d05f947c2caee518f1f7e6d7b67f85eaf6cf44968dc0fb84e8

        SHA512

        558c6927708f503ad3809b21dd885fabd9067cad4bec4ae90e8de924256f2f8ae1ab95294ed57e2018e24fd794d9363f2a841863272bfcb40cbe27d4da0b5a07

        Download Submit

      • memory/1160-85-0x000000001B520000-0x000000001B802000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1160-89-0x0000000002800000-0x0000000002808000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1224-157-0x0000000001170000-0x0000000001326000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1900-146-0x0000000000690000-0x00000000006A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1900-145-0x0000000000AA0000-0x0000000000C56000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2412-6-0x0000000000480000-0x0000000000496000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2412-9-0x0000000000630000-0x000000000063C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2412-16-0x00000000006A0000-0x00000000006AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2412-15-0x0000000000690000-0x0000000000698000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2412-14-0x0000000000680000-0x000000000068A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2412-17-0x00000000006B0000-0x00000000006BC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2412-18-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2412-12-0x0000000000660000-0x000000000066C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2412-10-0x0000000000640000-0x0000000000648000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2412-13-0x0000000000670000-0x000000000067C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2412-8-0x0000000000650000-0x0000000000660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2412-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2412-132-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2412-7-0x00000000004A0000-0x00000000004B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2412-5-0x0000000000470000-0x0000000000480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2412-4-0x0000000000430000-0x0000000000438000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2412-3-0x0000000000450000-0x000000000046C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2412-2-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2412-1-0x0000000001070000-0x0000000001226000-memory.dmp

        Filesize

        1.7MB

        Download