Overview

overview

10

Static

static

10

3E30BD01F2...E8.exe

windows7-x64

10

3E30BD01F2...E8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2024 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3E30BD01F2053EE82162F5ECA0FAEFE8.exe

  • Size

    1.3MB

  • MD5

    3e30bd01f2053ee82162f5eca0faefe8

  • SHA1

    e5859be6a67c8d33a34707df9c13c8ddce6cc690

  • SHA256

    85768ff86e86155faadff2443ea1c9656fc479ffa5f0ae90c9b738bf31ff1080

  • SHA512

    ede7e3f18f0add3744b64955744067654a147e2f4dc33d7d4b9e82d02c7698ea3654ea4623a424729f1e6528314049e102aa2f74b223b16638276e758c5bb9e5

  • SSDEEP

    24576:A3HWfVXWNnnOtB3c20/vtKMpw7fuWppvKoxdO3zFuI:g2fWnnwa2qhcN/5xM

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3E30BD01F2053EE82162F5ECA0FAEFE8.exe
    "C:\Users\Admin\AppData\Local\Temp\3E30BD01F2053EE82162F5ECA0FAEFE8.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3672
    • C:\Program Files (x86)\Google\Update\1.3.36.371\Idle.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.371\Idle.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4692
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a03ef14-b039-4020-a79d-e7246a035a83.vbs"
        3⤵
          PID:316
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2145f382-24d0-4ba1-bdbf-915a93786a03.vbs"
          3⤵
            PID:4744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\es-ES\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\es-ES\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\Basebrd\es-ES\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2936

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\Idle.exe
        Filesize

        1.3MB

        MD5

        3e30bd01f2053ee82162f5eca0faefe8

        SHA1

        e5859be6a67c8d33a34707df9c13c8ddce6cc690

        SHA256

        85768ff86e86155faadff2443ea1c9656fc479ffa5f0ae90c9b738bf31ff1080

        SHA512

        ede7e3f18f0add3744b64955744067654a147e2f4dc33d7d4b9e82d02c7698ea3654ea4623a424729f1e6528314049e102aa2f74b223b16638276e758c5bb9e5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2145f382-24d0-4ba1-bdbf-915a93786a03.vbs
        Filesize

        508B

        MD5

        189090147c6a610153235018f0a80d9a

        SHA1

        e72d2f05e63ba07aec240fe6fbc32d425919462a

        SHA256

        a4e0f9f9ca66e26464effc3843707fa2f2bc347152f55b800d52186e0df17301

        SHA512

        1a1aff3a598fa97ac4f02f75c9263548dcb98c3b4db44abb4cb6ce31bf493e6ffafa9246d81ab761f2fafe7da7cf2fdf496883200def8a054092fd1ef1067da9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\8a03ef14-b039-4020-a79d-e7246a035a83.vbs
        Filesize

        732B

        MD5

        47b3b37cc893e0f40592aed9f4cd572f

        SHA1

        94a61a37d44fe95b7d86a867acba68cc38a8dbe6

        SHA256

        60d7270876cb66860839f015079aec442550ac752f519ae65a2fac6c28d44f33

        SHA512

        127476d91c3150ce870530813b85c431a93c0f2e2cb27898ab3861d9e79afbd9274a5f0746126c6cbb5ddca355c965c62175bdcc090a6f6042f728f26bd91c4f

        Download Submit

      • memory/3672-10-0x0000000002C50000-0x0000000002C5A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3672-12-0x0000000002C70000-0x0000000002C7E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3672-5-0x0000000002B80000-0x0000000002B88000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3672-6-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3672-7-0x0000000002C20000-0x0000000002C2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3672-8-0x0000000002C30000-0x0000000002C3C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3672-9-0x0000000002C40000-0x0000000002C4C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3672-0-0x00007FFBC48C3000-0x00007FFBC48C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3672-11-0x0000000002C60000-0x0000000002C6E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3672-4-0x0000000001270000-0x000000000127E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3672-13-0x0000000002C80000-0x0000000002C88000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3672-3-0x0000000001260000-0x000000000126E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3672-31-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3672-2-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3672-1-0x0000000000950000-0x0000000000A9A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4692-41-0x000000001D6C0000-0x000000001D882000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4692-42-0x000000001DFC0000-0x000000001E4E8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4692-43-0x000000001D5F0000-0x000000001D698000-memory.dmp

        Filesize

        672KB

        Download