Overview

overview

10

Static

static

10

4d9022605a...b5.exe

windows7-x64

10

4d9022605a...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe

  • Size

    952KB

  • MD5

    82ededc8ebe36096a29aeb793260f6c6

  • SHA1

    9bc9ba0e92990015e1ee7d3175506cd850e40f08

  • SHA256

    4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5

  • SHA512

    a94b65efa5a07af586071dad395e7694e30acb5a4ef6ff19f55f8191a11bfacd3c1cfd17e04077949091ace10e573033c4399aaa23264435780e34f081700120

  • SSDEEP

    24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXl:x8/KfRTKv

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe
    "C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1700
    • C:\Windows\Globalization\explorer.exe
      "C:\Windows\Globalization\explorer.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:1356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDINMAL\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240708_153054_896\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\C_1142\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Globalization\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Application Data\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\secpol\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe
    Filesize

    952KB

    MD5

    61880ea5097d5a69c7aede6b8002d648

    SHA1

    1b0bebc288c112a81bec2df06840698bc951644f

    SHA256

    f65623b221d00b5e389f00f813f69c9c6b18ca8e1b1b77eac7f9e265f8fbbbee

    SHA512

    a4fdd7643db9a673bafd928e11d89775a57523813b29b4bec4bb90051cf6a3baba27355ab32e9f6e3759c3d6e2e37d2388e177db8104bf6bb00d1313803a8976

    Download Submit

  • C:\Windows\Globalization\explorer.exe
    Filesize

    952KB

    MD5

    82ededc8ebe36096a29aeb793260f6c6

    SHA1

    9bc9ba0e92990015e1ee7d3175506cd850e40f08

    SHA256

    4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5

    SHA512

    a94b65efa5a07af586071dad395e7694e30acb5a4ef6ff19f55f8191a11bfacd3c1cfd17e04077949091ace10e573033c4399aaa23264435780e34f081700120

    Download Submit

  • C:\Windows\Globalization\explorer.exe
    Filesize

    952KB

    MD5

    32366bb962453297ab6ce4922d537aea

    SHA1

    6675ca58472d326bc30cc2acc1243e2dbe0046ee

    SHA256

    12ca4a825954abac222314b77af6aec35c29a7defb08b72ec4712f3605e71ccb

    SHA512

    009d810e930ad098c6f578753d9a304e8b45da2214c37967e8bf6d52ad7a3e3680703d9d207d55f2f5d89a9f4ec84a91d34c69b87aa7e85abe0a86a726092104

    Download Submit

  • C:\Windows\System32\C_1142\services.exe
    Filesize

    952KB

    MD5

    34a3880b0aea4325d47c6cc1d62e820f

    SHA1

    83ea92f8aab15295955e9062709422f25a51d639

    SHA256

    07936fe48b802edd3dcba73c877c87765d09b6c876a2560401e5d6e67977b460

    SHA512

    d5fe4c05cb69d4c5b5658ebddcf481811128d5bdd5e85fca921483d1be9ddfe5364663733cc0f35a165bc777bf780f9382e5d5bf49ce6bf6428e8e54ca62a354

    Download Submit

  • C:\Windows\System32\KBDINMAL\taskhost.exe
    Filesize

    952KB

    MD5

    9111cc2533e601900762e573be040761

    SHA1

    eac8a0cdc00257beef6d666758a638dc1f58491e

    SHA256

    6997e2804dd727bab1f1a13eda04b71c94aec9ac7ca7cf85bb6b5b19555978c2

    SHA512

    8d4dab60d2814a08ce0b4b3a6fe203c508507399c76996d816698e440bb582bbf1c8ddf098affcd07bf7c3b3f90e4342a78bbb9bca9cb6e2b70be9097d713f02

    Download Submit

  • C:\Windows\System32\secpol\lsm.exe
    Filesize

    952KB

    MD5

    969fae5eb1d2a27e8049247e5b073c52

    SHA1

    252f6046227b8b0fe629845d4e3df5d792dc5c34

    SHA256

    b4470b65a101be4f9fcd5ae3c7fef097abd708b862375616b2c2a760798b9526

    SHA512

    ae40667c4d6c7586ab4d4df2a3de24d50de55d98917d350dcdaaad83a14ed6d96bbecb9683a224f3265262209600d29d7ffa367d325de75c5a85655fb9a3442a

    Download Submit

  • memory/1356-130-0x00000000001A0000-0x0000000000294000-memory.dmp

    Filesize

    976KB

    Download

  • memory/1700-6-0x0000000000280000-0x000000000028C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1700-8-0x00000000009C0000-0x00000000009C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1700-9-0x0000000000520000-0x000000000052A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1700-10-0x0000000000750000-0x000000000075C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1700-11-0x0000000002000000-0x000000000200C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1700-7-0x0000000000530000-0x000000000053A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1700-5-0x0000000000270000-0x000000000027A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1700-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1700-4-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1700-3-0x0000000000250000-0x0000000000260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1700-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1700-1-0x00000000009E0000-0x0000000000AD4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/1700-129-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

    Filesize

    9.9MB

    Download