Overview

overview

10

Static

static

10

73eaa27083...15.exe

windows7-x64

10

73eaa27083...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15.exe

  • Size

    952KB

  • MD5

    dc100730c11f4a70e5324f4a0a0358f2

  • SHA1

    561a80a6284540fe9f3c30a2495f51c9e1077ab0

  • SHA256

    73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15

  • SHA512

    d8f497520b432fa8ebd07d39a8b922b38f1dc9a954ad9646ec46c456e4476a1e856826497a23525a33690ce464796c65db9714a86e9d6af922aecc8ee85772e6

  • SSDEEP

    24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXn:Z8/KfRTKN

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 21 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
    persistence
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15.exe
    "C:\Users\Admin\AppData\Local\Temp\73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2084
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RGF3DZxQvm.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2020
        • C:\Users\Admin\AppData\Local\Temp\73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15.exe
          "C:\Users\Admin\AppData\Local\Temp\73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15.exe"
          3⤵
          • Modifies WinLogon for persistence
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2416
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Uo3TO9spmL.bat"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1092
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              5⤵
                PID:2924
              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                5⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\sppnp\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2240
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\sdchange\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1036

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      4
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15.exe
        Filesize

        952KB

        MD5

        dc100730c11f4a70e5324f4a0a0358f2

        SHA1

        561a80a6284540fe9f3c30a2495f51c9e1077ab0

        SHA256

        73eaa2708311d2ac31d2a440146fccf8c44d4cf3f2413620aaad7ff096a8fe15

        SHA512

        d8f497520b432fa8ebd07d39a8b922b38f1dc9a954ad9646ec46c456e4476a1e856826497a23525a33690ce464796c65db9714a86e9d6af922aecc8ee85772e6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RCX898B.tmp
        Filesize

        952KB

        MD5

        dc33393b307bd0e4092fba53020cf2b0

        SHA1

        9341b0a2c621e016142f7c78569b0321da0b85f8

        SHA256

        600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bd

        SHA512

        7b7c6a5c2d5b143ef850603fdde43e455fae8eb1913b644029779348d2247d90efd72c58e623712057051ab30107bfa8beb62dd9b3c89c0a6389b4547ad8a3af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RGF3DZxQvm.bat
        Filesize

        266B

        MD5

        8d0e3e239666d6d4fbbe831b023d0b24

        SHA1

        830fcf334a378bd1fca60d99b3175be5de515d8a

        SHA256

        895e6e9f45776479f6f940f6b8ad5009668e3d021a295d5735840ffd3319d62d

        SHA512

        7703227070d0280aa3349f7ee6af05396a275df2c9117206eefc5957eb944db65b37d6131fa9988559bdd0744d8a04ecc6c92173e8f9180b6c9adeee306a881d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Uo3TO9spmL.bat
        Filesize

        224B

        MD5

        aad3230a2e9f8162fd2e3303eda4441d

        SHA1

        2f80ed2b5880dd48dfcec45c2f37c7a5df4eb5eb

        SHA256

        87a309256015c76a3c43b8e10c6f6ba747bd72b8584f7bf8f4f56a914021470d

        SHA512

        b5a931afa26e58fd424a61df32965f7efb9d52847091ceb363b088eabb3f57265b4ec71b4df004845bf26b38a4d9c861f04f41fb0cb1b742f17127b77fe4beb7

        Download Submit

      • memory/952-110-0x0000000000350000-0x0000000000444000-memory.dmp

        Filesize

        976KB

        Download

      • memory/2084-4-0x0000000000670000-0x0000000000680000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2084-5-0x00000000006B0000-0x00000000006BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2084-7-0x0000000000680000-0x000000000068A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2084-9-0x00000000006E0000-0x00000000006EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2084-8-0x00000000006A0000-0x00000000006A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2084-11-0x0000000000730000-0x000000000073C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2084-10-0x0000000000710000-0x000000000071C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2084-6-0x0000000000660000-0x000000000066C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2084-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2084-76-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2084-3-0x00000000002D0000-0x00000000002E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2084-1-0x0000000000360000-0x0000000000454000-memory.dmp

        Filesize

        976KB

        Download

      • memory/2084-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2416-78-0x0000000000AC0000-0x0000000000BB4000-memory.dmp

        Filesize

        976KB

        Download