Overview

overview

10

Static

static

3

382EAEDC34...00.exe

windows7-x64

10

382EAEDC34...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 21:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    382EAEDC34BFC15B7E749FB8A0CFF600.exe

  • Size

    1.8MB

  • MD5

    382eaedc34bfc15b7e749fb8a0cff600

  • SHA1

    d8729997725a187120ee95e1d6068586a13ab678

  • SHA256

    e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

  • SHA512

    f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b

  • SSDEEP

    24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\382EAEDC34BFC15B7E749FB8A0CFF600.exe
    "C:\Users\Admin\AppData\Local\Temp\382EAEDC34BFC15B7E749FB8A0CFF600.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4uez23h\g4uez23h.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CBE.tmp" "c:\Windows\System32\CSC5AE8843693C049FFB0485929853E9F6.TMP"
        3⤵
          PID:2200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\382EAEDC34BFC15B7E749FB8A0CFF600.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\382EAEDC34BFC15B7E749FB8A0CFF600.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\382EAEDC34BFC15B7E749FB8A0CFF600.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K6WpQQzDh2.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1548
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:1556
            • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe
              "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF6003" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF600" /sc ONLOGON /tr "'C:\Windows\addins\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF6003" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:824
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF6003" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF600" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF6003" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1688
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF6003" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1824
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF600" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1304
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "382EAEDC34BFC15B7E749FB8A0CFF6003" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\382EAEDC34BFC15B7E749FB8A0CFF600.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2760

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\K6WpQQzDh2.bat
          Filesize

          253B

          MD5

          fc6692bd9357f21a4c289eef87cd6207

          SHA1

          0e8062f2e57c6523c55f7112055f59bcbd8cc257

          SHA256

          29fd83c8ea10dff029e824d6733fe8ab6a098b31e276b66691b6b045b36c2b11

          SHA512

          326b8d42bbffe1a3968ca8b62eb722770f56408cadc211dd5d51ee9eedb013ad3b2a0a3e33b11f89cf9346ed7e852e87ee878da298c8f4361b7869e4a65fa3dd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES7CBE.tmp
          Filesize

          1KB

          MD5

          e7617f8d970362e5320d55cbf7728383

          SHA1

          3670f4f0913889f2092b26c55342ebc30fa65e04

          SHA256

          ae74cda34d77bedb56c59b7e26e394591fe76bf97b2cd90d2df7cb8c1974c17c

          SHA512

          7d6626c805a1a18aac145f7b0ec41b0e53b207cb9e6f8ec222a0eac44211cb1228f8c235dace180512e84c021f73b682772ace53fc1dd061dc2859613af90b5f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1ae551fe5bfc4be187d61a17e90cf7fe

          SHA1

          cb9776618d2de9bd2a00754d9129590b7caf3a00

          SHA256

          6796b8791f44fad232a9fe5cdf0404ba5f20599ac148605ab07e61540259f46b

          SHA512

          8257c4cc97845927dffd0cf8297d915118cbafd5c44819cec36e25fc8162ddd103c47ec17fd2fffcfe6ced59eea28865ce2d1fe6c0d6ac792d791e9a0b977d0d

          Download Submit

        • C:\Windows\addins\382EAEDC34BFC15B7E749FB8A0CFF600.exe
          Filesize

          1.8MB

          MD5

          382eaedc34bfc15b7e749fb8a0cff600

          SHA1

          d8729997725a187120ee95e1d6068586a13ab678

          SHA256

          e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

          SHA512

          f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\g4uez23h\g4uez23h.0.cs
          Filesize

          386B

          MD5

          1012f0314b94070778947d2fa59b326d

          SHA1

          2a8766b2d9ef24b947bbfbe1ee760a8e353d6d9a

          SHA256

          2c96cbf01686a1c47cb510ebf0a06ccbc6da0b8c2309d7d6effd0c95d9818779

          SHA512

          1b65194020032cf8d381176ea1d4b20709e156b79b581b180e49a1616cb8a99ecaddf5c3a9ed3acd9c67cec187265d0eb19c0fcd7e008f7e94debcbd6187a7a7

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\g4uez23h\g4uez23h.cmdline
          Filesize

          235B

          MD5

          20b13ad3bc312990f4c0aa05d3869c42

          SHA1

          ca0c2cd8533d7d817c1105c7de466b068a1da83d

          SHA256

          d06243094c2ed963cc86065c1a27dc6d0f157db49ea441f0f4f457f931718273

          SHA512

          da52a5785376b4d93f6629ed87113f6f5b4fcefa20b4ddff373f0b1267ae2ed83b168ac648276349e03628e7d4007d05adcf0f0aec2f26e84562149da04e6de5

          Download Submit

        • \??\c:\Windows\System32\CSC5AE8843693C049FFB0485929853E9F6.TMP
          Filesize

          1KB

          MD5

          70046c6c63d509bb29450ef32b59dda3

          SHA1

          26802b73997ee22a7cd3d07ae77016969603cf00

          SHA256

          dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

          SHA512

          d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

          Download Submit

        • memory/1244-80-0x0000000000900000-0x0000000000ADA000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1700-6-0x0000000000420000-0x000000000042E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1700-7-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1700-17-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1700-16-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1700-15-0x0000000000430000-0x000000000043C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1700-13-0x0000000000B70000-0x0000000000B88000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1700-10-0x0000000000B50000-0x0000000000B6C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1700-8-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1700-0-0x000007FEF51D3000-0x000007FEF51D4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1700-11-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1700-4-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1700-3-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1700-62-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1700-1-0x0000000000FE0000-0x00000000011BA000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1700-2-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1720-60-0x000000001B770000-0x000000001BA52000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1720-61-0x00000000027E0000-0x00000000027E8000-memory.dmp

          Filesize

          32KB

          Download