Overview

overview

10

Static

static

10

B1A3E0CF07...0B.exe

windows7-x64

10

B1A3E0CF07...0B.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    B1A3E0CF075438056659B4FBAEE9F80B.exe

  • Size

    2.4MB

  • MD5

    b1a3e0cf075438056659b4fbaee9f80b

  • SHA1

    73c9bd7cd9e48b7ae22b397f538933f8c49b4674

  • SHA256

    c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

  • SHA512

    ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

  • SSDEEP

    24576:GeJKuHmdcCw7sUL/4cIG5IuUegPImmW7ayqCwviBwyLBIShZgGaiCkX4GLP1L61+:JJKFdaMcQLBxW8qiTN

Score
10/10
dcratinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\B1A3E0CF075438056659B4FBAEE9F80B.exe
    "C:\Users\Admin\AppData\Local\Temp\B1A3E0CF075438056659B4FBAEE9F80B.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xg0edldq\xg0edldq.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E26.tmp" "c:\Windows\System32\CSC9754A83E7AEF4088ACA4275EE4538E82.TMP"
        3⤵
          PID:1200
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hymKjDN7uf.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2408
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:4280
            • C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe
              "C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:880
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sysmon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2252
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2344
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4328
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3096

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Recovery\WindowsRE\RuntimeBroker.exe
          Filesize

          2.4MB

          MD5

          b1a3e0cf075438056659b4fbaee9f80b

          SHA1

          73c9bd7cd9e48b7ae22b397f538933f8c49b4674

          SHA256

          c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

          SHA512

          ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES8E26.tmp
          Filesize

          1KB

          MD5

          010418e98075c0517f3bbc10cb2ce130

          SHA1

          c940a5211a4d88e3c4815214d9b750838d6492fa

          SHA256

          c445f4a7a47516e9739c0238b33fd043f78aa5eb98834b3b075786e18f1920a9

          SHA512

          5da796989bac184d0a9f7a32c641c7559d751e6c170f0bdbca3614762d9243284a2edc79f12818c4f812e921e7a7c4871fed85fea76b6d27239c74cee0a9323a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hymKjDN7uf.bat
          Filesize

          243B

          MD5

          3bef06085d31cc45ba459f3db84e6fc2

          SHA1

          297cafb62c77680e7daa782fb7a913d089bec95e

          SHA256

          a20a935f3c80a9742c2e83f1bf63d6645d4379d2a9436ce9744cac391ab38c7a

          SHA512

          a81b4d141709fc2a2c71cdb23412d5b2ea1496e9434554f99966a2877698bd26bfeaedc96d64e865033beb8834ee64af950ed18ac9a23f420a1de0fa97548374

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\xg0edldq\xg0edldq.0.cs
          Filesize

          399B

          MD5

          d149dc21ad12ed15fe3f8c3415ae9f2e

          SHA1

          6646ee017cc3d1fe4bec9b72e0bd09c691fcc6a7

          SHA256

          c29925fa9730840451be1c949ceac5bc6ab6e12d65a77dcbe92fa6183a6cf6e3

          SHA512

          b2f492c794f60ae1efddfaff08147ebbbf350bf3d8ef81bb647fab5c08cb2de864141af7e4e0636bc445d5c2d88338424ae1f99b0e279787c8b967edc201d925

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\xg0edldq\xg0edldq.cmdline
          Filesize

          235B

          MD5

          8b8a55dc1046cbb386f50d91a820efb5

          SHA1

          a58ee8ffd5e30eb43508993327d19b8d76158bb2

          SHA256

          98d482793daab659f8597e0dd1e3a5947647f596d3b2fe700c7f357b163943f5

          SHA512

          1e05e8b8f4fcbfe63f8d9581c438245077a4fab0faa3281ebf0783292e8070adfa6bab7235bc07f068c8f28801801f2d6f47c8a3adf98bdc0648b0c8d4de9fb3

          Download Submit

        • \??\c:\Windows\System32\CSC9754A83E7AEF4088ACA4275EE4538E82.TMP
          Filesize

          1KB

          MD5

          034b083b6729ade0b138a24cbdd66c6d

          SHA1

          299c5a9dd91498cfc4226a5fe6d52ea633c2d148

          SHA256

          8e3aa7a68c0bfea6cae11fe40e79aa1483bc2e43c4c3fd11fcebca1f7bcea0d2

          SHA512

          43f68ec3211f2d1eb3a095713b3988a5b45a6fb03136876431edd3b25b628f904079557cbb60d0107c0444551db274c8e6817d63a543e8a7e390206af64d1cc3

          Download Submit

        • memory/880-109-0x000000001C260000-0x000000001C32D000-memory.dmp

          Filesize

          820KB

          Download

        • memory/880-110-0x000000001B860000-0x000000001B868000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4856-37-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-41-0x000000001B820000-0x000000001B830000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4856-15-0x00000000014D0000-0x00000000014E8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4856-17-0x00000000014B0000-0x00000000014C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4856-18-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-20-0x00000000014C0000-0x00000000014D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4856-23-0x0000000002E50000-0x0000000002E5E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4856-21-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-25-0x000000001B7C0000-0x000000001B7D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4856-27-0x0000000002E60000-0x0000000002E70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4856-28-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-30-0x000000001B7E0000-0x000000001B7F6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4856-31-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-33-0x000000001B800000-0x000000001B812000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4856-0-0x00007FFC0F4F3000-0x00007FFC0F4F5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4856-39-0x0000000002E80000-0x0000000002E90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4856-42-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-13-0x0000000001450000-0x0000000001460000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4856-36-0x0000000002E70000-0x0000000002E7E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4856-34-0x000000001BFA0000-0x000000001C4C8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4856-44-0x000000001BAD0000-0x000000001BB2A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/4856-46-0x000000001B830000-0x000000001B83E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4856-48-0x000000001B840000-0x000000001B850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4856-50-0x000000001B850000-0x000000001B85E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4856-52-0x000000001BA90000-0x000000001BAA8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4856-54-0x000000001BB80000-0x000000001BBCE000-memory.dmp

          Filesize

          312KB

          Download

        • memory/4856-11-0x000000001B770000-0x000000001B7C0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4856-10-0x0000000001490000-0x00000000014AC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4856-9-0x00000000014B0000-0x00000000014CC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4856-6-0x0000000001440000-0x000000000144E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4856-7-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-82-0x000000001C940000-0x000000001CA0D000-memory.dmp

          Filesize

          820KB

          Download

        • memory/4856-4-0x0000000001460000-0x0000000001486000-memory.dmp

          Filesize

          152KB

          Download

        • memory/4856-84-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-2-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4856-1-0x0000000000910000-0x0000000000B7E000-memory.dmp

          Filesize

          2.4MB

          Download