Overview

overview

10

Static

static

10

B1A3E0CF07...0B.exe

windows7-x64

10

B1A3E0CF07...0B.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 23:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    B1A3E0CF075438056659B4FBAEE9F80B.exe

  • Size

    2.4MB

  • MD5

    b1a3e0cf075438056659b4fbaee9f80b

  • SHA1

    73c9bd7cd9e48b7ae22b397f538933f8c49b4674

  • SHA256

    c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

  • SHA512

    ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

  • SSDEEP

    24576:GeJKuHmdcCw7sUL/4cIG5IuUegPImmW7ayqCwviBwyLBIShZgGaiCkX4GLP1L61+:JJKFdaMcQLBxW8qiTN

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
    rat
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\B1A3E0CF075438056659B4FBAEE9F80B.exe
    "C:\Users\Admin\AppData\Local\Temp\B1A3E0CF075438056659B4FBAEE9F80B.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ta0t2z30\ta0t2z30.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES891D.tmp" "c:\Windows\System32\CSCD3F9CAD4F6CF45D49F56EB74A0DFDED.TMP"
        3⤵
          PID:2664
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wVPiBJF10N.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2232
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:316
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "B1A3E0CF075438056659B4FBAEE9F80BB" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\B1A3E0CF075438056659B4FBAEE9F80B.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "B1A3E0CF075438056659B4FBAEE9F80B" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\B1A3E0CF075438056659B4FBAEE9F80B.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1408
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "B1A3E0CF075438056659B4FBAEE9F80BB" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\B1A3E0CF075438056659B4FBAEE9F80B.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\tracing\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:700
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1668
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1252

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe
          Filesize

          2.4MB

          MD5

          b1a3e0cf075438056659b4fbaee9f80b

          SHA1

          73c9bd7cd9e48b7ae22b397f538933f8c49b4674

          SHA256

          c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

          SHA512

          ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES891D.tmp
          Filesize

          1KB

          MD5

          af97582fb121f60f9017d2403ff8c95e

          SHA1

          d27dadd0b2d5a856f499f0a7a5028e69145ae45d

          SHA256

          d76a554d895b1fbb728f3278e0f810eb817de794f60bfd06ce6711cfc144f018

          SHA512

          99b7e2387417539f4f094076567a4d62c78a7c2b2b4f284f37f9ca9a1682eb930159bab75b288fd7e284f49e30121dfc1370e67fe38552dac422bb58c2e66868

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wVPiBJF10N.bat
          Filesize

          206B

          MD5

          a39fefb2d67560634970af8cec972bac

          SHA1

          34894d42484b6479cc8fc6f6a014c5fd1ba748d2

          SHA256

          c73c724e867765ffd50c4d575a248558c2b69eca44e98e0de80f548aadde0b6f

          SHA512

          6f2f43851a27e9242307488fb64e1c2cef2fd2ad820b2cf07ee456ea54c7f3e0779d6cac026e4b1d05b7d3771f6fb2ccfe23b4e2775c5002c83b32c90b08accf

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\ta0t2z30\ta0t2z30.0.cs
          Filesize

          393B

          MD5

          28fe64cc05d534a6e5e11ae6e83b90ae

          SHA1

          2a22f4e67c1468702f4bc7525b52edb9c1234591

          SHA256

          d9b2b6c58aae8498cee7c472c80b669a2d17706771cc17bed3f91de73c56c083

          SHA512

          9c24eb37fe8129fe5aec15a0c40b17d162f5f39b1f13306fd43bec34cff95f80f1bf09930b852cc75e6f9e6f632f2ae9030285fd028798ac778da0025897bf19

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\ta0t2z30\ta0t2z30.cmdline
          Filesize

          235B

          MD5

          d53b3cc87969516fecd753253572058c

          SHA1

          b0d81fee604d22ac26413e6828df2e4f26521b4a

          SHA256

          0007930d5ecfc1ac65656f830cf3c0fed92443041d48e1afac48b971615673f4

          SHA512

          bed951bdf859ac2b2a778bed96170c1d0de0f93ef0f2eb6626290cd49c65be01a1fa28382000339e23e60f27c582f500a708772da4897ea4b44e9992363b5d7b

          Download Submit

        • \??\c:\Windows\System32\CSCD3F9CAD4F6CF45D49F56EB74A0DFDED.TMP
          Filesize

          1KB

          MD5

          b74f131aab310dc6e37b43e729c24199

          SHA1

          bade4cf35d7e80e79880396c1fdd518d9ab78bdf

          SHA256

          5fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858

          SHA512

          733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885

          Download Submit

        • memory/2380-14-0x00000000020F0000-0x0000000002100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-36-0x0000000002160000-0x000000000216E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2380-10-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-12-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-18-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-26-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-25-0x0000000002140000-0x000000000214E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2380-23-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-22-0x0000000002110000-0x0000000002120000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-20-0x0000000002100000-0x0000000002110000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-17-0x0000000002120000-0x0000000002138000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2380-15-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2380-28-0x0000000002310000-0x0000000002322000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2380-30-0x0000000002150000-0x0000000002160000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-32-0x0000000002330000-0x0000000002346000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2380-34-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2380-11-0x0000000000490000-0x00000000004AC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2380-38-0x0000000002170000-0x0000000002180000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-40-0x00000000023F0000-0x0000000002400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-42-0x000000001AE20000-0x000000001AE7A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2380-44-0x0000000002500000-0x000000000250E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2380-46-0x0000000002510000-0x0000000002520000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2380-48-0x000000001A9A0000-0x000000001A9AE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2380-50-0x000000001A9D0000-0x000000001A9E8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2380-52-0x000000001AF90000-0x000000001AFDE000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2380-9-0x0000000002080000-0x000000000209C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2380-7-0x0000000000480000-0x000000000048E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2380-5-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-4-0x00000000004B0000-0x00000000004D6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2380-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-80-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2380-1-0x0000000000880000-0x0000000000AEE000-memory.dmp

          Filesize

          2.4MB

          Download