Overview

overview

10

Static

static

10

7adf09fdd8...e0.exe

windows7-x64

10

7adf09fdd8...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 21:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe

  • Size

    2.2MB

  • MD5

    9216216496e6c197b4e285475c9bebac

  • SHA1

    8594c011aae6acc0d656e99217df04a046608962

  • SHA256

    7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0

  • SHA512

    618884f78c133a55bbdc5c230f4459c587b79ccbe94e856e371fca7a9266b8a8f627ce63c63ca35f79e65788748c2837893f14efb8365b39e1ed3e520b512a17

  • SSDEEP

    49152:ubA3jith94T3QphlQ5Tye/90Ytxj5rP6PFAfpG:ubb7jhi5ee/mYt55JhG

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 10 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
    "C:\Users\Admin\AppData\Local\Temp\7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe"
    1⤵
    • DcRat
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\System32\eVQQIZLpFYxcw09smsiF15.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Windows\System32\5IlRwyXLFi3608ayPXHnvGiekNy.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\WindowsUpdate.exe
          "C:\Windows\System32\WindowsUpdate.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XUAQK5QDPN.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\System32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1208
              • C:\Windows\System32\CertEnrollUI\smss.exe
                "C:\Windows\System32\CertEnrollUI\smss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\cmpbk32\conhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\CertEnrollUI\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\cofiredm\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-service-core-l1-1-0\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-core-memory-l1-1-0\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XUAQK5QDPN.bat
      Filesize

      205B

      MD5

      0f91d2bedc9c244fe3e25bc2290ccfbb

      SHA1

      7a361aae9aa2172489179142f0b10f505f1cf5b3

      SHA256

      636de517eab415a39318bf6fb247b0c676c6c4942ee5b886ffb3d6dd20f2f4b4

      SHA512

      3d95ee5e57a07b2e802a91c9bce12ac795406f18ce83bec13dc28b1519b66f58657179049ede22bdb1f120affc82592df0cf32851564c01f433ef4bebbd76329

      Download Submit

    • C:\Windows\SysWOW64\5IlRwyXLFi3608ayPXHnvGiekNy.bat
      Filesize

      39B

      MD5

      960aba1530cf2920700e5389231b8a2c

      SHA1

      5606d622b604f299e91fb34e0b4e95c1cfcd8914

      SHA256

      eda5637d6f9db3bfb443f16c6f2886759a071a9b580f30d32c5b5806a93d820b

      SHA512

      8ea4fac1bf54aadd73a3c3e5c8ff187368dd5373ae6c9bc24a31eeec87c9a979007594a0da83f7a08ca55b3e787f9b614df315726c13c0b6c4a101e5ba4556f0

      Download Submit

    • C:\Windows\SysWOW64\WindowsUpdate.exe
      Filesize

      1.9MB

      MD5

      7db2fa8fcff97c80b1bffcb46afddba3

      SHA1

      6209e62e125d8ac986d34e7d14a91c9a37228ac6

      SHA256

      fa885be755063269ce486c1581494ca5dd97f9cfbfeab6a023586388b29e80e6

      SHA512

      9a94070dbf687c076a5f48221b81675c67a6036f7021a0d37fe100254aed7909dabc70c3ae36f95993c363ee815cedd9be7d6161784d6689fa6293f78938320d

      Download Submit

    • C:\Windows\SysWOW64\eVQQIZLpFYxcw09smsiF15.vbe
      Filesize

      221B

      MD5

      df873359d9d515276e32023a0b0b15f1

      SHA1

      0f1cb6b83622af36cd097e314680d318620e0136

      SHA256

      3537382bc74be14a9085c5d354021266e7e0c15ccd05e0c272a4639dfcdbacb4

      SHA512

      955611adb8ef73aea9dffb234b54d2e6216194ebde54b973a304b5d57f409b11d27fd7dc6632f15ae0508554e43daa7585b7f2d182343c617bfa1335c9e54e02

      Download Submit

    • memory/1940-37-0x00000000000F0000-0x00000000002E0000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1940-38-0x0000000000330000-0x0000000000338000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1940-39-0x0000000000340000-0x0000000000396000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1940-41-0x00000000004A0000-0x00000000004A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1940-40-0x0000000000390000-0x0000000000398000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2704-13-0x00000000010F0000-0x00000000012E0000-memory.dmp

      Filesize

      1.9MB

      Download