Overview

overview

10

Static

static

10

8b0b1728b6...1c.exe

windows7-x64

10

8b0b1728b6...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b0b1728b6bcac3675b0e14ec262c061252bb9be0ac121d4342ac790ac96d51c.exe

  • Size

    682KB

  • MD5

    054590792d65d5db6a5270d6ad965b93

  • SHA1

    bd04bb88a8ee09284e3e0eba53677f6b999d1b46

  • SHA256

    8b0b1728b6bcac3675b0e14ec262c061252bb9be0ac121d4342ac790ac96d51c

  • SHA512

    818e9a0ee0fa54874b811cd6fd5f61fc014508c84ec8f09f4d53b52a1f12a15a1b1cc516c35189352bc328c2cde659f969dfc6741b1319ba91689a2a19dce07e

  • SSDEEP

    12288:RqnO3mwJNoGFAgHCRvp1i/fjqJRYFInDrX/xTU3JgXDV6blx1wgtra7B:R+O3mwJnCRvEMxnDVSwgY

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 15 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b0b1728b6bcac3675b0e14ec262c061252bb9be0ac121d4342ac790ac96d51c.exe
    "C:\Users\Admin\AppData\Local\Temp\8b0b1728b6bcac3675b0e14ec262c061252bb9be0ac121d4342ac790ac96d51c.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2696
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3lYyUGgIBs.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2272
        • C:\Users\Public\Music\Sample Music\dwm.exe
          "C:\Users\Public\Music\Sample Music\dwm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\normnfc\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\eudcedit\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\quser\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1992

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Uninstall Information\taskhost.exe
      Filesize

      682KB

      MD5

      054590792d65d5db6a5270d6ad965b93

      SHA1

      bd04bb88a8ee09284e3e0eba53677f6b999d1b46

      SHA256

      8b0b1728b6bcac3675b0e14ec262c061252bb9be0ac121d4342ac790ac96d51c

      SHA512

      818e9a0ee0fa54874b811cd6fd5f61fc014508c84ec8f09f4d53b52a1f12a15a1b1cc516c35189352bc328c2cde659f969dfc6741b1319ba91689a2a19dce07e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3lYyUGgIBs.bat
      Filesize

      206B

      MD5

      0fbcfb80fab5945c6dd0f2bb05d1125a

      SHA1

      d4fc826cf19fb85da5ded0abf1a595183d5f1960

      SHA256

      4bb726fcbc53e2758ce0a88b637f192256cc3defa3fb68bd087c3edefa207322

      SHA512

      3e3433c8c1288614bf739b0c4e334fcb5b756ad6337d06f0c86ff6f29b363bbc141a5c0ce00249c9035c7cc2e35c8d02c539ab2c07773cf2be0ee8914117fb37

      Download Submit

    • memory/2408-117-0x0000000000DE0000-0x0000000000E92000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2696-3-0x0000000000150000-0x0000000000160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2696-4-0x0000000000160000-0x000000000016C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2696-5-0x0000000000170000-0x000000000017C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2696-6-0x00000000003E0000-0x00000000003EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2696-8-0x0000000000570000-0x000000000057C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2696-7-0x00000000003D0000-0x00000000003D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2696-0-0x000007FEF66F3000-0x000007FEF66F4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2696-2-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2696-114-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2696-1-0x0000000000E30000-0x0000000000EE2000-memory.dmp

      Filesize

      712KB

      Download