Overview

overview

10

Static

static

10

6b6db8b011...fc.exe

windows7-x64

10

6b6db8b011...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b6db8b011dd68c40548c8ee860610a61fd6832914f25ffe631d0af51675a5fc.exe

  • Size

    2.1MB

  • MD5

    3a32de4764e961e8726b94606a07b57a

  • SHA1

    8489600185b3ce974e4003f9ee37abde5a0f5da2

  • SHA256

    6b6db8b011dd68c40548c8ee860610a61fd6832914f25ffe631d0af51675a5fc

  • SHA512

    e97a903b23d8d18553f7f7bbb474644f1ef89c5122822d404bcb4e740cbc9763d504b4241367a5beaa49ec6f6181734ae59c8bfba2119ba6e632866816434f08

  • SSDEEP

    24576:zZxyxNwUMrdtki6lbi5YH63JUKUwcp4TOQdXzzBNhL+Ll8HOiD7Kl4kup3B2ngov:SHwLrdtkbaCwcp4RXL7D764zB2qHG

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b6db8b011dd68c40548c8ee860610a61fd6832914f25ffe631d0af51675a5fc.exe
    "C:\Users\Admin\AppData\Local\Temp\6b6db8b011dd68c40548c8ee860610a61fd6832914f25ffe631d0af51675a5fc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XU5y39xM3o.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1824
        • C:\Windows\System32\mfc120esn\smss.exe
          "C:\Windows\System32\mfc120esn\smss.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2264
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\iassam\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\mfc120esn\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\rpcss\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\ja-JP\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2680

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XU5y39xM3o.bat
      Filesize

      202B

      MD5

      5cbcda05aa84c0b7a8f1538dc9c5ccd4

      SHA1

      51a19cbe8a6f5587e283b2340426e5d8eaac52d1

      SHA256

      94c98898389e83d6608c33c3e3d662ab1fc373d201567b178181f22ac5a970c1

      SHA512

      a9fae6030cba457d21270a1d88c337896cf0c6374b16e41f9fd9b6e3dfa73fa8bdb6d67374946dd682d353402ed3ff9882cec1f319953a44f5baa3e2b9306dfd

      Download Submit

    • C:\Windows\System32\rpcss\lsm.exe
      Filesize

      2.1MB

      MD5

      3a32de4764e961e8726b94606a07b57a

      SHA1

      8489600185b3ce974e4003f9ee37abde5a0f5da2

      SHA256

      6b6db8b011dd68c40548c8ee860610a61fd6832914f25ffe631d0af51675a5fc

      SHA512

      e97a903b23d8d18553f7f7bbb474644f1ef89c5122822d404bcb4e740cbc9763d504b4241367a5beaa49ec6f6181734ae59c8bfba2119ba6e632866816434f08

      Download Submit

    • memory/876-32-0x0000000000410000-0x0000000000418000-memory.dmp

      Filesize

      32KB

      Download

    • memory/876-30-0x0000000000190000-0x000000000019E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/876-36-0x0000000000B00000-0x0000000000B0C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/876-34-0x0000000000630000-0x0000000000638000-memory.dmp

      Filesize

      32KB

      Download

    • memory/876-27-0x0000000001110000-0x0000000001332000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/876-28-0x0000000000140000-0x000000000014C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/876-29-0x0000000000150000-0x0000000000158000-memory.dmp

      Filesize

      32KB

      Download

    • memory/876-35-0x0000000000650000-0x0000000000658000-memory.dmp

      Filesize

      32KB

      Download

    • memory/876-31-0x00000000001B0000-0x0000000000206000-memory.dmp

      Filesize

      344KB

      Download

    • memory/876-33-0x00000000004A0000-0x00000000004A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3060-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3060-2-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3060-1-0x0000000000870000-0x0000000000A92000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3060-23-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

      Filesize

      9.9MB

      Download