Overview

overview

10

Static

static

10

4d9022605a...b5.exe

windows7-x64

10

4d9022605a...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe

  • Size

    952KB

  • MD5

    82ededc8ebe36096a29aeb793260f6c6

  • SHA1

    9bc9ba0e92990015e1ee7d3175506cd850e40f08

  • SHA256

    4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5

  • SHA512

    a94b65efa5a07af586071dad395e7694e30acb5a4ef6ff19f55f8191a11bfacd3c1cfd17e04077949091ace10e573033c4399aaa23264435780e34f081700120

  • SSDEEP

    24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXl:x8/KfRTKv

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
    persistence
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in System32 directory 22 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe
    "C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe
      "C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2764
      • C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
        "C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wpdmtp\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\normidna\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\WUDFCoinstaller\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\mscat32\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\KBDINASA\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-crt-convert-l1-1-0\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe
    Filesize

    952KB

    MD5

    82ededc8ebe36096a29aeb793260f6c6

    SHA1

    9bc9ba0e92990015e1ee7d3175506cd850e40f08

    SHA256

    4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5

    SHA512

    a94b65efa5a07af586071dad395e7694e30acb5a4ef6ff19f55f8191a11bfacd3c1cfd17e04077949091ace10e573033c4399aaa23264435780e34f081700120

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RCX6568.tmp
    Filesize

    952KB

    MD5

    88da2110432e89c73ed202c4adbec720

    SHA1

    e9059a8ba711fe7475bc0de9efe75f758ce6e5e5

    SHA256

    c844c4574183306af2f9cd32e43eebeb0a33e5d804391eeda8d5f4fd7c34b717

    SHA512

    9e4b32ac7c8bde6cf301a7194a91611d7c9fab5ff4d9f4e6ffce88725383452ef7e3336bf4485550f41433068c651f439b0b931e4366f120d8edef0bb1c7a38a

    Download Submit

  • C:\Windows\System32\normidna\spoolsv.exe
    Filesize

    952KB

    MD5

    d0fc2239b51302519e7a6f6a891b43c6

    SHA1

    6cf997f48760569edb9db0998b2c4e9628135fe1

    SHA256

    b4849f47a655d1a3c41049d2a2ca6a71cafefdafd4257550cc14de9e10b4e808

    SHA512

    72156bbe6cc6ec3604b71c84c6921d187e546f5edd080a2daa1ceb326a39c1c031e69b56e57f581f90960c3a92c52be889b4838d4ec5000aa7339f66858c8426

    Download Submit

  • memory/2248-104-0x0000000000AC0000-0x0000000000BB4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/2868-4-0x00000000001F0000-0x0000000000200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2868-5-0x00000000001E0000-0x00000000001EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2868-6-0x0000000000200000-0x000000000020C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2868-7-0x0000000000440000-0x000000000044A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2868-8-0x00000000004A0000-0x00000000004A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2868-9-0x0000000000410000-0x000000000041A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2868-10-0x0000000000430000-0x000000000043C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2868-11-0x0000000000460000-0x000000000046C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2868-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2868-3-0x00000000001D0000-0x00000000001E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2868-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2868-73-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2868-1-0x0000000000A40000-0x0000000000B34000-memory.dmp

    Filesize

    976KB

    Download