Overview

overview

10

Static

static

3

e864306092...7a.exe

windows7-x64

10

e864306092...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe

  • Size

    1.8MB

  • MD5

    382eaedc34bfc15b7e749fb8a0cff600

  • SHA1

    d8729997725a187120ee95e1d6068586a13ab678

  • SHA256

    e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

  • SHA512

    f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b

  • SSDEEP

    24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe
    "C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\csuvrf5u\csuvrf5u.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5E3.tmp" "c:\Windows\System32\CSCDB76FEA264834E55AC6DC5F5583F45B7.TMP"
        3⤵
          PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\dwm.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\OSPPSVC.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkhc8K8rYY.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1308
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:2300
            • C:\Users\All Users\Package Cache\OSPPSVC.exe
              "C:\Users\All Users\Package Cache\OSPPSVC.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\de-DE\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2176
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\OSPPSVC.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2004
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847ae" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847ae" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2408

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Internet Explorer\de-DE\dwm.exe
          Filesize

          1.8MB

          MD5

          382eaedc34bfc15b7e749fb8a0cff600

          SHA1

          d8729997725a187120ee95e1d6068586a13ab678

          SHA256

          e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a

          SHA512

          f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESF5E3.tmp
          Filesize

          1KB

          MD5

          c71567639f61002d2b68f41ea622b6e0

          SHA1

          7a2b45fb900066996d06aebbe4b3d7ada9c564c6

          SHA256

          9cab6a671efbb1d13d1e2ff5bfd442931c93c730847751eade434a84c46620b0

          SHA512

          267b5d5c4e4cf1ea1d3e7dce28ae2e1189bc413230620f503cd2afbf73875e49c95542bbcd34a2594017cd1a4296d28b35b148b5bb5a997de85802cebcdcf41c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jkhc8K8rYY.bat
          Filesize

          220B

          MD5

          a21952921f23f107d0522e27db32c8a0

          SHA1

          f97d1e762901305dc0ace7634cb91ef84d7d02de

          SHA256

          8f86b22ae55621bab48624966ec2b4aa45280f885245733afad23d15cb12f55f

          SHA512

          1df5351ff93608379002d7bb3a06cd70697f2148342acfeb3385e30e1ea0a617208b750683def0ed3dfa24e2bc55bfae169c6d6eb8d33845933519061165beca

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          5730743f0af8a62f882e93338bcb0b36

          SHA1

          325b5f18ad0d9174c311e6a561aafd5110c017b7

          SHA256

          f65294b68800e6df6153b99d75c34ec29455a9dc089f78c8d9b2bbb721e98f50

          SHA512

          fb393752af768a2ee08d41a548aea9528e59d6ed74cf9bb01890b979493766d7be00b3e763f3b693c0b30cbc3ae451401a2af890883c55d71c0db73fccce2111

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\csuvrf5u\csuvrf5u.0.cs
          Filesize

          380B

          MD5

          227523b46063e8b0237d17a3a08b4ea6

          SHA1

          72c6510bb4c12380650b34fc65f327c0136bddc0

          SHA256

          feb4a9804bd7febf8c42211a3fdbd944d6bfdd01f8fabda6060967b0e67da769

          SHA512

          b33b13911eb2bf12bfefc05e4f26ed232476fde8ea575f263fec129685a5c203fa0c039d1ca2b2133a2234dbaeff12db8fa427357ed45a896876de1a551e6f05

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\csuvrf5u\csuvrf5u.cmdline
          Filesize

          235B

          MD5

          3d93a721f40b265ddb362e9d17582325

          SHA1

          45673f917424809aac95f5f75a159e6e337c255c

          SHA256

          7b5156ada8912dbda0e7986fe6eb857ddae2147ae1adcda0cd5381937e32fcb9

          SHA512

          529a69b47f46f199f772116f7a9e6b37514c61705546fbf240cedc71d62f53ac73e806e188f59dbd12a9a6ac70cffc12ae9173106b7b81db1ed80da48ca32e3f

          Download Submit

        • \??\c:\Windows\System32\CSCDB76FEA264834E55AC6DC5F5583F45B7.TMP
          Filesize

          1KB

          MD5

          dcd286f3a69cfd0292a8edbc946f8553

          SHA1

          4d347ac1e8c1d75fc139878f5646d3a0b083ef17

          SHA256

          29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

          SHA512

          4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

          Download Submit

        • memory/664-59-0x000000001B700000-0x000000001B9E2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1276-80-0x0000000000350000-0x000000000052A000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2116-61-0x0000000001D20000-0x0000000001D28000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2328-9-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-8-0x0000000000630000-0x000000000064C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2328-14-0x00000000001A0000-0x00000000001AC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2328-17-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-15-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-12-0x0000000000650000-0x0000000000668000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2328-10-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-16-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-0-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2328-6-0x0000000000180000-0x000000000018E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2328-4-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-76-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-3-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-2-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2328-1-0x0000000000800000-0x00000000009DA000-memory.dmp

          Filesize

          1.9MB

          Download