Overview

overview

10

Static

static

10

5cd4495d7e...7e.exe

windows7-x64

10

5cd4495d7e...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e.exe

  • Size

    783KB

  • MD5

    308e34620e4b48c3ae64e4045a817229

  • SHA1

    d1312c2b2e9941f03f710af23e640cbfec175467

  • SHA256

    5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e

  • SHA512

    bfc03956208d26b6833c4d8a750041ac021f313f2e009ce009a381b6134e72f0003b2cbf8982d748587a21e249a45c3d21fb1daadd48521969830a37e5241d6d

  • SSDEEP

    12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK2:G+OQbpbgsFdAyQvzSqaq8qt

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 12 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e.exe
    "C:\Users\Admin\AppData\Local\Temp\5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5VUZneG0JE.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1516
        • C:\Windows\System32\scrptadm\dwm.exe
          "C:\Windows\System32\scrptadm\dwm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\scrptadm\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\dhcpcsvc\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\oleaut32\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1744

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5VUZneG0JE.bat
      Filesize

      200B

      MD5

      f03b8b37dbd10f6b7cfcdf1653a7effe

      SHA1

      a780b93918021051f753c8abdf2ef8009c063c7f

      SHA256

      4e0fb61aee4f3f4e8244bffe8b7e0658095ead94f9d064a4d59e6d07c6697545

      SHA512

      28f80fed95b244258c18531887f07678187d4288f9ccc53444d00afea48a4f005f31920afd419e141d61847087735db90377dc04d467eabe67f958bcaed1ca38

      Download Submit

    • C:\Users\Public\Favorites\spoolsv.exe
      Filesize

      783KB

      MD5

      e7f1e0b3c967dcf351580a0b687e1ac6

      SHA1

      3043b4f7166f7980f2a040fca6b17b9e661e604c

      SHA256

      f09dc145917c05a67eb01d7e801b265f083c6b12ad4048ef70acc073a23b930d

      SHA512

      d5d81848454b8de36edb984cd4a15a931a31a544e013da6140d311b7c2bbf62b640ea4378bcb064296bcae6cf43182648f83831e15c8fccabdc5e39c6c357052

      Download Submit

    • C:\Windows\System32\dhcpcsvc\taskhost.exe
      Filesize

      783KB

      MD5

      308e34620e4b48c3ae64e4045a817229

      SHA1

      d1312c2b2e9941f03f710af23e640cbfec175467

      SHA256

      5cd4495d7ec85110670306ec9a23f14afa8ca4db6249585ce7b543c52250327e

      SHA512

      bfc03956208d26b6833c4d8a750041ac021f313f2e009ce009a381b6134e72f0003b2cbf8982d748587a21e249a45c3d21fb1daadd48521969830a37e5241d6d

      Download Submit

    • memory/1700-97-0x0000000000870000-0x000000000093A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/2368-13-0x00000000001E0000-0x00000000001E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-15-0x0000000000430000-0x0000000000438000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-4-0x0000000000160000-0x0000000000168000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-7-0x0000000000190000-0x000000000019C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2368-8-0x00000000001C0000-0x00000000001CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2368-9-0x00000000001D0000-0x00000000001DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2368-11-0x00000000001F0000-0x00000000001F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-10-0x0000000000200000-0x0000000000208000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-12-0x00000000001B0000-0x00000000001B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-14-0x0000000000210000-0x0000000000218000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-0-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2368-17-0x0000000000440000-0x0000000000448000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-16-0x0000000000420000-0x0000000000428000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-5-0x00000000001A0000-0x00000000001B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2368-18-0x0000000000450000-0x0000000000458000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-20-0x0000000000470000-0x0000000000478000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-19-0x0000000000460000-0x0000000000468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-21-0x0000000000480000-0x000000000048C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2368-22-0x0000000000490000-0x0000000000498000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-25-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2368-6-0x0000000000170000-0x0000000000178000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-3-0x0000000000150000-0x0000000000158000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-2-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2368-94-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2368-1-0x0000000000820000-0x00000000008EA000-memory.dmp

      Filesize

      808KB

      Download