Overview

overview

10

Static

static

10

79fa285ef5...9N.exe

windows7-x64

10

79fa285ef5...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    79fa285ef5f374a753e3134ea1c6861eabc45eb5ef593ba31ff817f3097ebe39N.exe

  • Size

    783KB

  • MD5

    75bf70525a5c41bbb7d1d85c16e49350

  • SHA1

    02f52ebc09ca1252da8c0f4eca1012a45f1ca3de

  • SHA256

    79fa285ef5f374a753e3134ea1c6861eabc45eb5ef593ba31ff817f3097ebe39

  • SHA512

    41a53d3d7942fffbe80c2d5f666257ad34f5d5595780364c3ff033793d6c08428d5b90755d1366e16ecc1d2a3e0c88a10dc582e11c922317080555dce890bffa

  • SSDEEP

    12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:G+OQbpbgsFdAyQvzSqaq8q

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 16 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\79fa285ef5f374a753e3134ea1c6861eabc45eb5ef593ba31ff817f3097ebe39N.exe
    "C:\Users\Admin\AppData\Local\Temp\79fa285ef5f374a753e3134ea1c6861eabc45eb5ef593ba31ff817f3097ebe39N.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2268
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AOLsz5CLtX.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2816
        • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe
          "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\sdhcinst\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\WcnEapAuthProxy\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "79fa285ef5f374a753e3134ea1c6861eabc45eb5ef593ba31ff817f3097ebe39N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051910928)\79fa285ef5f374a753e3134ea1c6861eabc45eb5ef593ba31ff817f3097ebe39N.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\icm32\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\bootres\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2216

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\Office14\1033\lsass.exe
      Filesize

      783KB

      MD5

      75bf70525a5c41bbb7d1d85c16e49350

      SHA1

      02f52ebc09ca1252da8c0f4eca1012a45f1ca3de

      SHA256

      79fa285ef5f374a753e3134ea1c6861eabc45eb5ef593ba31ff817f3097ebe39

      SHA512

      41a53d3d7942fffbe80c2d5f666257ad34f5d5595780364c3ff033793d6c08428d5b90755d1366e16ecc1d2a3e0c88a10dc582e11c922317080555dce890bffa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AOLsz5CLtX.bat
      Filesize

      221B

      MD5

      2a1ae4f768dbb52c899b552c91c09926

      SHA1

      d1384cb7eba43521441dcb7d85f500d6ed13ab9a

      SHA256

      41a0242c37a7b532089b302859f1425c57b9b124029cd93b0c90fa7b8509ab5c

      SHA512

      b48350a4c152c3d38526a33087a16f760549582dc14cab4b87e3f9b3efa40833e47f2e9fef16f50c62221f408fcd5d8b23ffc180ce9c19332cf7a187a9ac0aeb

      Download Submit

    • memory/2268-14-0x000000001A590000-0x000000001A598000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-4-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-17-0x000000001A600000-0x000000001A608000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-16-0x000000001A5F0000-0x000000001A5F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-6-0x0000000002010000-0x0000000002018000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-8-0x000000001A560000-0x000000001A56A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2268-7-0x00000000020C0000-0x00000000020CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2268-10-0x0000000002030000-0x0000000002038000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-9-0x0000000002020000-0x000000000202A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2268-13-0x00000000020D0000-0x00000000020D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-12-0x000000001A570000-0x000000001A578000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-11-0x000000001A5B0000-0x000000001A5B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-3-0x0000000000720000-0x0000000000728000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-5-0x0000000002000000-0x0000000002010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2268-15-0x000000001A5E0000-0x000000001A5E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-18-0x000000001A580000-0x000000001A588000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-19-0x000000001A5A0000-0x000000001A5A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-20-0x000000001A5C0000-0x000000001A5C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-21-0x000000001A5D0000-0x000000001A5DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2268-22-0x000000001A610000-0x000000001A618000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2268-24-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2268-2-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2268-1-0x0000000000380000-0x000000000044A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/2268-93-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2304-96-0x00000000010E0000-0x00000000011AA000-memory.dmp

      Filesize

      808KB

      Download