Overview

overview

10

Static

static

10

terminal.exe

windows7-x64

10

terminal.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2024 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    terminal.exe

  • Size

    2.9MB

  • MD5

    200451026a7f2be02adb274026dc827a

  • SHA1

    655f5cff899d319975dfd43b1902e6318a0944f6

  • SHA256

    88953240e260b3ca53b4563afa657ee6d414b887a972e8862b12ca46e0a5853d

  • SHA512

    1054e3b258fab5f496cea9e156b0b17b9e5b1f4f5b049a4308df1b200d89534c88ec1ff11e6612a2b0961842984fe31d7d38b8077c14fd9bb388a03e7d0c3ac8

  • SSDEEP

    49152:1bA3PlN3nP+YscRfII1f8CReMT1Um7GWw/N0TOu09gqpBuuDqtmAP:1buN3nrsc5fdRfTr7GWw/ayl9RIuDqtZ

Score
10/10
dcratdiscoveryevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\terminal.exe
    "C:\Users\Admin\AppData\Local\Temp\terminal.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containercomponentfontruntime\qhSOQkLJ6CCd.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\containercomponentfontruntime\XmZE9.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\containercomponentfontruntime\portdrivernet.exe
          "C:\containercomponentfontruntime\portdrivernet.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2712
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6AeBC68ZhB.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2120
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2360
              • C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe
                "C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:2432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernetp" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\portdrivernet.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernet" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\portdrivernet.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernetp" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\portdrivernet.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1152
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\containercomponentfontruntime\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\containercomponentfontruntime\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\containercomponentfontruntime\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernetp" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\portdrivernet.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernet" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\portdrivernet.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "portdrivernetp" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\portdrivernet.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2328

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6AeBC68ZhB.bat
      Filesize

      222B

      MD5

      bf6212301360bc712eab52e6c1cf78bc

      SHA1

      ac44623b505f82f889103a73b7c6a5824b30432b

      SHA256

      5c741a120519f31d540efe9b6f6d2472a9e2ad2d07299c4c1780be0f7e264ae6

      SHA512

      c9abe7b2336ec3c21b2a9fd9d3f66c08c2d66891719006304fe14ea7fc43056fca9f7e7517dc9c52c7a9ea9454688afac8a28a140762c37d996adcfa7acc3c4f

      Download Submit

    • C:\containercomponentfontruntime\XmZE9.bat
      Filesize

      52B

      MD5

      7f19dde92420e1112fb9ef25b0c56e38

      SHA1

      9da19ead2fccc172a39171f026eed2623229d2b7

      SHA256

      697ad5724417463eb1e37c6e173bc24ca4416b3c064036b06b5c05bc6c33742a

      SHA512

      6a184f7e5fb90e302fbdc92eff043b84cab803e741abea94a7a06e1c3f502babd60b95e75b705ae8cd27430dc0bf3873d4ff9b719ea28648f50e080ebef79268

      Download Submit

    • C:\containercomponentfontruntime\qhSOQkLJ6CCd.vbe
      Filesize

      211B

      MD5

      8ac77355599fe3bfb19415a591c62148

      SHA1

      ca5b38c7525b454144d6dfb681a7d5b7c8afd807

      SHA256

      993cc8867a308e64cb94b89206c6632cc1e160a5de372e29686b86a7eb9b318b

      SHA512

      38c7bce3490a171bda26f482e1ef50cdd5cbe8f59f9ce5bafbc452fb8f3b878b9e72a3358489765e8b30ca19e8dba9cb9ffed92f24267a7ba0aab5311416b2b6

      Download Submit

    • \containercomponentfontruntime\portdrivernet.exe
      Filesize

      2.7MB

      MD5

      718e0805d80d7e040a20b5aeda4f877d

      SHA1

      c83f6d2c1ec158e20af2bf54f4d7aeb465cbe58e

      SHA256

      cb1189a7b059346d31cca7596357609eb52e9e518ef59a7659a0e061602f7c0b

      SHA512

      d3854ad4a29732f802a5087c320ca8b85cf46a818f5d283ab612254e9b495e4019c58cc1c8fe7d9f369e070a025d367d6226cf92343b1cafdc8f4aab9fb38cc9

      Download Submit

    • memory/2432-52-0x0000000000530000-0x0000000000542000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2432-51-0x00000000004E0000-0x0000000000536000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2432-50-0x0000000000B40000-0x0000000000DF4000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/2712-22-0x0000000000780000-0x0000000000788000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2712-26-0x00000000009C0000-0x00000000009CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2712-19-0x00000000006D0000-0x00000000006D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2712-20-0x0000000000790000-0x000000000079A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2712-21-0x00000000007A0000-0x00000000007F6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2712-17-0x00000000006C0000-0x00000000006D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2712-23-0x0000000000970000-0x0000000000982000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2712-24-0x00000000009A0000-0x00000000009A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2712-25-0x00000000009B0000-0x00000000009B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2712-18-0x0000000000760000-0x0000000000776000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2712-27-0x00000000009D0000-0x00000000009DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2712-28-0x00000000009E0000-0x00000000009EC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2712-29-0x00000000009F0000-0x00000000009FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2712-30-0x0000000000A00000-0x0000000000A0C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2712-16-0x0000000000410000-0x0000000000418000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2712-15-0x00000000006A0000-0x00000000006BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2712-14-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2712-13-0x0000000000140000-0x00000000003F4000-memory.dmp

      Filesize

      2.7MB

      Download