Overview

overview

10

Static

static

3

2308c316e3...a9.exe

windows7-x64

10

2308c316e3...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe

  • Size

    1.9MB

  • MD5

    8fdbd9a0a9390964373271dd09b991ba

  • SHA1

    78a4d4c43b894a8227b25be8f61f7aa6b8315ab7

  • SHA256

    2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9

  • SHA512

    76a6e750adc8c888bea717bdbb74dad5fe10c1688e1e87a9cb9dfb7caf4e4c5cdd9b9f34ef5aa7577f92bf1349797b04a5edac64c772489cd316d5e71ea9291c

  • SSDEEP

    49152:IBJeP7Q9KggbDv7jsn3JzB6lR6jA+knZY5U:yQPihgvs3JzB6lR6jA+k5

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe
    "C:\Users\Admin\AppData\Local\Temp\2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\FontCommonsvc\HyAeUGe8evX8YGRPELkMfoiMVhm6j.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\FontCommonsvc\SvhwgsASCbJysKpoNvm.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\FontCommonsvc\Reviewperf.exe
          "C:\FontCommonsvc/Reviewperf.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aaa2ckww\aaa2ckww.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2844
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AA7.tmp" "c:\Windows\System32\CSCDA70E408B0214BDDB514215CA1E0B5BE.TMP"
              6⤵
                PID:1976
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04rQ2VfD5B.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:688
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3044
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2504
                • C:\FontCommonsvc\Reviewperf.exe
                  "C:\FontCommonsvc\Reviewperf.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2244
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Installer\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2884
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ReviewperfR" /sc MINUTE /mo 9 /tr "'C:\FontCommonsvc\Reviewperf.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Reviewperf" /sc ONLOGON /tr "'C:\FontCommonsvc\Reviewperf.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2240
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ReviewperfR" /sc MINUTE /mo 8 /tr "'C:\FontCommonsvc\Reviewperf.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2352

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\FontCommonsvc\HyAeUGe8evX8YGRPELkMfoiMVhm6j.vbe
        Filesize

        211B

        MD5

        a9a1f7a6b92fba89e3834e2c873adfc4

        SHA1

        772ef9dc691f442e7466668d82db391cdb82b21f

        SHA256

        ffdb923e18a1fb4bc92a8b470a53687b1bf2d639fca4c44ee164a61b24f62665

        SHA512

        c43befd0cd7c3e73fd4539c117819c8634c0c0dc7e89f8fc8ba657d70455aadc1cc06cdfe3a8c4277441a7d48bc260750f3ad16aaca313c09983f6b13177e365

        Download Submit

      • C:\FontCommonsvc\Reviewperf.exe
        Filesize

        1.6MB

        MD5

        571b27201bee78cb5f6adf331098cd85

        SHA1

        8dfb42a7283a61c48fdd0b8ef47e3da2a7f083c6

        SHA256

        401acf64eff7490635859451768f1fb1f2b4198825b210207e0d7b5b619fb052

        SHA512

        a3a7d3bd713b90bbda9350c71c3a08ad7e41acd943f361864a85fcd7b13165b9ccf9635a2d7fc839b2ecbd5751371edc9279f04573028f9c9b988c2cc473ccb5

        Download Submit

      • C:\FontCommonsvc\SvhwgsASCbJysKpoNvm.bat
        Filesize

        92B

        MD5

        7322619f7c34f49e39fd2100b8daaa0f

        SHA1

        de93f7e7ab723964e43a45eea808f8524351cd95

        SHA256

        9f060c6e3fd3bf28f66875ae0c59697d6eafd5b59ed86915f2da227b9177652d

        SHA512

        69b47c3d08aad08308719a215014340e4e60cde09459f8ecb5cce0e6aca7a69d23f4d438609869d317173c6db274180ebc21ccdf8f8280bd8d11a22d3991d92e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\04rQ2VfD5B.bat
        Filesize

        159B

        MD5

        c048e5142411e939388150f78ce8c092

        SHA1

        08c8ebb3b1aeb4420c02c1126e332fb19ce58388

        SHA256

        6aa1f80c51a8479f049c7ee46b85b68f885e64dd2c2246c0f0dd976c4caa0160

        SHA512

        5206f115406e125c6f897b1da71d9367b120152135a7cbfa1df3c587067cc43f1118257b8930114d59eab4acffcfe9d3b47268acdb022c9f15211cb240a8dbff

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES4AA7.tmp
        Filesize

        1KB

        MD5

        8862757b525819e9a5971db45e575190

        SHA1

        4906246f5a196c363718cf8e88aa9556c6fbad1d

        SHA256

        1474289f197131c32ca1d4517338ec7f324b581ae05f7a8f8e80d105aacd7ac0

        SHA512

        49ba2e64b0e1ac548f045963c9bd22dcfd9a2fe23da8eccd4662ce758fe2630a97571c1b68485fcf050d3c65adb9fead37fd01b092ca3206e2a993ada5c364fb

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\aaa2ckww\aaa2ckww.0.cs
        Filesize

        412B

        MD5

        cba854e227f43270ba4dd1798f4cf092

        SHA1

        4600aa99abb8648d0a28d9c52e54282b7342516e

        SHA256

        e463d95fc954d01157e5165056504070d72393df94203fe55fcb12fbb1ae7894

        SHA512

        9dde2cef4baa9d2eb2167675645845a9b59fd290520b64d6a293299cda9fd674fcf68a6604f7d8c45244f1bfdac805d7edbb122ec29fb8df419326c7df8989c9

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\aaa2ckww\aaa2ckww.cmdline
        Filesize

        235B

        MD5

        56d7841b6157e85e555de1a32c9f1976

        SHA1

        9a109b7fad45f7388004680853817f8801915378

        SHA256

        9c5bcbe1783cb64fe707fd624ecdbaf44cc2717ae7e84abc5709770d931398b9

        SHA512

        66ed31eb01e4b44dd1e0005483c9981fb2d793bc8402c303ee786776bfff0080461cf09e9da21af695d2e085d1b4d94704f65564c97216377baa0b71228df42d

        Download Submit

      • \??\c:\Windows\System32\CSCDA70E408B0214BDDB514215CA1E0B5BE.TMP
        Filesize

        1KB

        MD5

        dcd286f3a69cfd0292a8edbc946f8553

        SHA1

        4d347ac1e8c1d75fc139878f5646d3a0b083ef17

        SHA256

        29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

        SHA512

        4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

        Download Submit

      • memory/1272-45-0x0000000000EA0000-0x0000000001042000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2688-13-0x00000000009E0000-0x0000000000B82000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2688-15-0x00000000009C0000-0x00000000009CE000-memory.dmp

        Filesize

        56KB

        Download