Overview

overview

10

Static

static

10

6a424fb046...73.exe

windows7-x64

10

6a424fb046...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 23:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

  • Size

    2.6MB

  • MD5

    0163b78fa3d6908eb367abed8f3e9e94

  • SHA1

    240609d82a62a8017ad3d81ac4271cd7606b5573

  • SHA256

    6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773

  • SHA512

    f0258f74d10b9d1f3cfab6c36afe7e411b9c3cea7641529b5fc3e62706787c9685b6dfccf3fdde708102b43f517a734572da77407f9f4f1d94754fdec1554748

  • SSDEEP

    49152:Z35SQwOGHHy3Gv6KelFCGDZPU542T5eYfn4jmnHwDKni5JsJ:ZpSQEHIKqFCGDZs54+5eYfnCMQ+i5Ja

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
    "C:\Users\Admin\AppData\Local\Temp\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1872
    • C:\Windows\L2Schemas\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
      "C:\Windows\L2Schemas\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\debug\WIA\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773" /sc ONLOGON /tr "'C:\Windows\L2Schemas\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\system\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\plugins\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\it-IT\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Reference Assemblies\winlogon.exe
    Filesize

    2.6MB

    MD5

    c774e205a598de085abc97863657f7e9

    SHA1

    8dd8360b2c041004aad94170bfc292fea74c48ee

    SHA256

    cd96d81312602fffa501a8d2a8993acbf3b8af9898fe8f7713fb4841127e1bb2

    SHA512

    d0e71e5638024f8a61485f82876c92267e94ca236e44700a14b02b18f83e35eda275d6520ea0d1209618bb8e0bda99b6a78a3c6f1cc0ae9b107828466943508a

    Download Submit

  • C:\Program Files (x86)\Uninstall Information\explorer.exe
    Filesize

    2.6MB

    MD5

    0163b78fa3d6908eb367abed8f3e9e94

    SHA1

    240609d82a62a8017ad3d81ac4271cd7606b5573

    SHA256

    6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773

    SHA512

    f0258f74d10b9d1f3cfab6c36afe7e411b9c3cea7641529b5fc3e62706787c9685b6dfccf3fdde708102b43f517a734572da77407f9f4f1d94754fdec1554748

    Download Submit

  • C:\Program Files\VideoLAN\VLC\plugins\RCXCD33.tmp
    Filesize

    2.6MB

    MD5

    7917e5d3815aad26fe12e60c95f4f922

    SHA1

    94358af86a03a9d2ed94d239810e9efd42fe3614

    SHA256

    f969ff948ac424f0add5ecd094a5dda0a7cf82e431d02f1c1491ccd8df81dc57

    SHA512

    cef2858374355e9a962cc2fed622c0e67d2c45041bd087f5a4cb9d6ee52a925136f0865014136de9e5e62e11983f2eac401895dd615e7c372c0316019cede3e7

    Download Submit

  • memory/1872-12-0x00000000023D0000-0x00000000023E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1872-13-0x00000000023E0000-0x00000000023E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1872-5-0x00000000003E0000-0x00000000003E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1872-6-0x00000000006C0000-0x00000000006D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1872-8-0x00000000021B0000-0x00000000021B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1872-7-0x0000000002190000-0x00000000021A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1872-9-0x00000000022C0000-0x00000000022CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1872-10-0x000000001AE00000-0x000000001AE56000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1872-11-0x00000000021C0000-0x00000000021C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1872-0-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1872-14-0x000000001ABE0000-0x000000001ABE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1872-4-0x00000000006A0000-0x00000000006BC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1872-15-0x000000001ABF0000-0x000000001ABFC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1872-16-0x000000001AC00000-0x000000001AC0E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1872-17-0x000000001AC10000-0x000000001AC1C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1872-18-0x000000001AE50000-0x000000001AE5A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1872-3-0x00000000003C0000-0x00000000003CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1872-2-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1872-1-0x00000000003F0000-0x0000000000698000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1872-188-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1872-196-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2328-195-0x00000000010D0000-0x0000000001378000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2328-197-0x0000000000AD0000-0x0000000000B26000-memory.dmp

    Filesize

    344KB

    Download