Overview

overview

10

Static

static

10

B1A3E0CF07...0B.exe

windows7-x64

10

B1A3E0CF07...0B.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 23:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    B1A3E0CF075438056659B4FBAEE9F80B.exe

  • Size

    2.4MB

  • MD5

    b1a3e0cf075438056659b4fbaee9f80b

  • SHA1

    73c9bd7cd9e48b7ae22b397f538933f8c49b4674

  • SHA256

    c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

  • SHA512

    ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

  • SSDEEP

    24576:GeJKuHmdcCw7sUL/4cIG5IuUegPImmW7ayqCwviBwyLBIShZgGaiCkX4GLP1L61+:JJKFdaMcQLBxW8qiTN

Score
10/10
dcratdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\B1A3E0CF075438056659B4FBAEE9F80B.exe
    "C:\Users\Admin\AppData\Local\Temp\B1A3E0CF075438056659B4FBAEE9F80B.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jpmdejyn\jpmdejyn.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB21A.tmp" "c:\Windows\System32\CSC924E95882E1C45D0BCA25D03140BB91.TMP"
        3⤵
          PID:2872
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gB932iUQnR.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1516
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:592
          • C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe
            "C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\SppExtComObj.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\sihost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4104

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\MSBuild\sihost.exe
        Filesize

        2.4MB

        MD5

        b1a3e0cf075438056659b4fbaee9f80b

        SHA1

        73c9bd7cd9e48b7ae22b397f538933f8c49b4674

        SHA256

        c95e4d5e7d22991fdc472c95d1d042a44ded78ae9c654d7cebb30dad823d813b

        SHA512

        ba37ffb6a906736cfe490a7934b9b1481c9cfcd59044d5333bb0193cbf39ae8c0d22599a0d38bd0b124d0fbb17701f41ac46b361f1bcf9f810c33d673633461f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESB21A.tmp
        Filesize

        1KB

        MD5

        e144fc91bc6115cdf18262c35c66c313

        SHA1

        cef8082cab1fe8c5d9f46b0df68152df85a726bf

        SHA256

        33e902813595adf2d63b6fc48dac3eb1bf798d252750c7a793c104c36accfc69

        SHA512

        0075ba0a0b7b34d50e459cece7e3a835384cdc27474f11bd7ef1703d5a7def0217e286f174cade5747af8b8eeb887cbbcf1a30e366f397cc91092e4d51cfe69b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gB932iUQnR.bat
        Filesize

        190B

        MD5

        fdd422e50f60a4ea011f3a09e9312904

        SHA1

        2558cec257e9b68180fc337e228450134f4d58dd

        SHA256

        fdca80527bfa849845a52c5929a6b650aded6eac843180fbdc8e35a2e4107815

        SHA512

        3fe4af2d211e57c836c224da6be929bcfc139869829b04c437f63856b3b6e69255f8bfccf0a88d2f4a8b8db14672cc9f6dcb5b751b18b2d195294f9dbabd2046

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\jpmdejyn\jpmdejyn.0.cs
        Filesize

        365B

        MD5

        bb09eec6af1de93c7be5f8da90553263

        SHA1

        07bb7c9f6701268cbdf5ea56a3d50ab6f2059501

        SHA256

        dd61784b4547f2e32d0b81d1a3b4275d30f6b7c54a5dca2c19d5b410bcbdd5be

        SHA512

        58949670af998ea8640a34be7cf09cc1bb263ceb220e8873552c3633ef96080506cefe184394acb506848964db4d52f8916abd36c7bb612741c2a8cdeb55ef02

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\jpmdejyn\jpmdejyn.cmdline
        Filesize

        235B

        MD5

        a66606d809e9a0341fe82d22a4baadaf

        SHA1

        d26a6a11db55f32bba9942fe5bfdde9067a7865d

        SHA256

        1f6f7652a16c957d907c06eece176c03416d170b4e645f4ff0057f4b8055c936

        SHA512

        e38d805926e345ec6235efd4a68916fec7d7dd275bfe8b4f4db63a817a9a13f482d5842efa571d457f2cd95e20777e3e0d320d869b901a6e7b5fadd6a21bc68f

        Download Submit

      • \??\c:\Windows\System32\CSC924E95882E1C45D0BCA25D03140BB91.TMP
        Filesize

        1KB

        MD5

        7bbfaf1199741b237d2493615c95c6d7

        SHA1

        86d466217c4dc1e0808f83ceda8f4b4df948b5dc

        SHA256

        e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476

        SHA512

        2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c

        Download Submit

      • memory/544-109-0x000000001B910000-0x000000001B9B9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3396-33-0x000000001BCD0000-0x000000001BCE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-40-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3396-12-0x000000001BC40000-0x000000001BC90000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3396-14-0x00000000014C0000-0x00000000014D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3396-16-0x0000000003090000-0x00000000030A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3396-18-0x00000000016B0000-0x00000000016C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3396-19-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-21-0x00000000016C0000-0x00000000016D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3396-23-0x00000000016D0000-0x00000000016DE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3396-24-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-26-0x000000001BAB0000-0x000000001BAC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3396-29-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-31-0x000000001BCB0000-0x000000001BCC6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3396-0-0x00007FFC5D9F3000-0x00007FFC5D9F5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3396-34-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-28-0x00000000030B0000-0x00000000030C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3396-35-0x000000001C220000-0x000000001C748000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3396-11-0x0000000001680000-0x000000000169C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3396-38-0x00000000030C0000-0x00000000030CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3396-36-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-42-0x000000001BC30000-0x000000001BC40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3396-44-0x000000001BD50000-0x000000001BDAA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/3396-46-0x000000001BC90000-0x000000001BC9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3396-48-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3396-50-0x000000001BCF0000-0x000000001BCFE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3396-52-0x000000001BD20000-0x000000001BD38000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3396-54-0x000000001BE00000-0x000000001BE4E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3396-10-0x0000000001630000-0x000000000164C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3396-8-0x00000000014B0000-0x00000000014BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3396-6-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-5-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-4-0x00000000014D0000-0x00000000014F6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3396-82-0x000000001C150000-0x000000001C1F9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3396-84-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-2-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3396-1-0x0000000000BA0000-0x0000000000E0E000-memory.dmp

        Filesize

        2.4MB

        Download