Overview

overview

10

Static

static

10

4ddb779755...fN.exe

windows7-x64

10

4ddb779755...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ddb7797555a3ef167e8f92a38af954448bb303a319335146a97038292a663afN.exe

  • Size

    1.7MB

  • MD5

    2da02537301e59b652c96c905ec3e250

  • SHA1

    4c870b03f24d82b4e84ce6fd9a13ed53aac35373

  • SHA256

    4ddb7797555a3ef167e8f92a38af954448bb303a319335146a97038292a663af

  • SHA512

    57e0c44dc636c775c01ac2416689277bd597d1a225e4dc00c6c34b1069aa275cb9f2f35771894f0d76d749a581013f028a948bde6829c91afe6f1957083b8199

  • SSDEEP

    24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ddb7797555a3ef167e8f92a38af954448bb303a319335146a97038292a663afN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ddb7797555a3ef167e8f92a38af954448bb303a319335146a97038292a663afN.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Users\Default\System.exe
      "C:\Users\Default\System.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b81ca72-354c-434e-a46a-f92b048003d8.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Users\Default\System.exe
          C:\Users\Default\System.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e02b2ba4-94e2-487c-b9ac-a844f0518c43.vbs"
        3⤵
          PID:2760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5b81ca72-354c-434e-a46a-f92b048003d8.vbs
      Filesize

      703B

      MD5

      3d04c41761fa36b8c34addcfb0c01eaf

      SHA1

      4cb6565944c1bf19c0eefdf5722d7ca743f80185

      SHA256

      3422b778501e853dfff20dd468b6b92d252740469066f66fc7bf3da325294ff4

      SHA512

      269aa91c33ab4892b44422741b9ecb799997bde6476d9b90ff1666465b46e743019ad7a0910754f893505eed3bfd5f6a63b3ae1b956b3f56f12801060abaacdb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RCXC830.tmp
      Filesize

      1.7MB

      MD5

      2da02537301e59b652c96c905ec3e250

      SHA1

      4c870b03f24d82b4e84ce6fd9a13ed53aac35373

      SHA256

      4ddb7797555a3ef167e8f92a38af954448bb303a319335146a97038292a663af

      SHA512

      57e0c44dc636c775c01ac2416689277bd597d1a225e4dc00c6c34b1069aa275cb9f2f35771894f0d76d749a581013f028a948bde6829c91afe6f1957083b8199

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\e02b2ba4-94e2-487c-b9ac-a844f0518c43.vbs
      Filesize

      479B

      MD5

      251be02355d6fff7e6e41223c0e7771b

      SHA1

      a4feedb90d010853caa971de5a09a5bac1350f37

      SHA256

      1657df79004c6660ef6055673812ba9965630eef1a5d70694a6c09db7ab07761

      SHA512

      1e88765057f6ee9989a5227e999d541bd52051b5a10347c94df459b091bf3fdebe596a7d9b69f2f84075dd4684e2d33ff427916a9b953111e39c4dd1dd69a0e4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      690ca3ff12bea0bfe461b84d7f40b088

      SHA1

      fc916b83aad28b33a2778275adaf25360df1e341

      SHA256

      e2b320e1ddbc1a505b2703bc30bf36fbc2b86109527fdc3fc31b3ce654bad964

      SHA512

      29f256c69d3646b36e6d94284860cb705a14436084dfd36af9c434d4e34fd8b37b3d6759f760355018ed67b881790595af6ccd21dab2570f70b353cd8f3ba7c8

      Download Submit

    • memory/1660-133-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1660-97-0x0000000001100000-0x00000000012B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1756-87-0x0000000001D20000-0x0000000001D28000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2156-7-0x0000000000960000-0x0000000000972000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2156-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2156-9-0x0000000002030000-0x000000000203C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2156-10-0x00000000020D0000-0x00000000020D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2156-12-0x0000000002160000-0x000000000216C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2156-13-0x0000000002170000-0x000000000217C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2156-16-0x00000000021A0000-0x00000000021AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2156-15-0x0000000002190000-0x0000000002198000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2156-14-0x0000000002180000-0x000000000218A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2156-17-0x00000000021B0000-0x00000000021BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2156-20-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2156-8-0x00000000020C0000-0x00000000020D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2156-6-0x0000000000940000-0x0000000000956000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2156-1-0x0000000000970000-0x0000000000B26000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2156-5-0x0000000000480000-0x0000000000490000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2156-4-0x0000000000470000-0x0000000000478000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2156-3-0x0000000000450000-0x000000000046C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2156-134-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2156-2-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2776-86-0x000000001B760000-0x000000001BA42000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2928-145-0x00000000000B0000-0x0000000000266000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2928-146-0x00000000003D0000-0x00000000003E2000-memory.dmp

      Filesize

      72KB

      Download