Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2024 22:04

General

  • Target

    4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe

  • Size

    952KB

  • MD5

    82ededc8ebe36096a29aeb793260f6c6

  • SHA1

    9bc9ba0e92990015e1ee7d3175506cd850e40f08

  • SHA256

    4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5

  • SHA512

    a94b65efa5a07af586071dad395e7694e30acb5a4ef6ff19f55f8191a11bfacd3c1cfd17e04077949091ace10e573033c4399aaa23264435780e34f081700120

  • SSDEEP

    24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXl:x8/KfRTKv

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 18 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe
    "C:\Users\Admin\AppData\Local\Temp\4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4308
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cQXzoabhhW.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:2816
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Documents and Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Management.EnrollmentStatusTracking.ConfigProvider\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Cookies\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\iemigplugin\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\SoftwareDistribution\dllhost.exe

      Filesize

      952KB

      MD5

      82ededc8ebe36096a29aeb793260f6c6

      SHA1

      9bc9ba0e92990015e1ee7d3175506cd850e40f08

      SHA256

      4d9022605a286834508c28ec5c9a0ee0ba83cb0e573003919fe190598875fdb5

      SHA512

      a94b65efa5a07af586071dad395e7694e30acb5a4ef6ff19f55f8191a11bfacd3c1cfd17e04077949091ace10e573033c4399aaa23264435780e34f081700120

    • C:\ProgramData\SoftwareDistribution\spoolsv.exe

      Filesize

      952KB

      MD5

      53c530051a5b50a5c37530ca7abfe7fe

      SHA1

      78f1097ffb90d77b61e60a8f80d605c7ed855f3e

      SHA256

      9a001d0bc02c3e7ec58476408d52b97398d87c84d304e9964e0455a76a1a5b25

      SHA512

      cc81dbb0ddc0deb8c3cd27ef74b5c41791f482cb1822ad36b5741c8a61f4e1445b3681098fdf7d5cff3942d531a6a15a2789168d270ace628381070d5a1d9a26

    • C:\Users\Admin\AppData\Local\Temp\cQXzoabhhW.bat

      Filesize

      268B

      MD5

      d206931ce8e024e387426d803186ac4d

      SHA1

      bc3750a1a52e64e3a52be0934fd458a13f9fb52f

      SHA256

      72b9c76403e27808e1afd0a95a0085aee84b57a3beb1cb8abb1dd0ae3a6c82c4

      SHA512

      b8e2ab5bae96e6b4b0beec46b642e55e7afacbaaadd2bcf95f217b358fcfeb4c5e15aff3773ce6d6b7d6f503d1f69fb85b496411b0cb616d9eec39e635372c3f

    • C:\Users\backgroundTaskHost.exe

      Filesize

      952KB

      MD5

      c5ce39ad067dd9912cace1adb85dc9ed

      SHA1

      a17a31341341b67cec5b1b3844ed3ac17c5c2997

      SHA256

      6af55435dab183b03c3775893a016087ce7591402321b3ae17293e7f09859526

      SHA512

      703449af6e77164b1c87e7366309ddd4fc2858117b2147c0eb67208da24054a174c29221c1e1181d0d25b45b14ec2cfd56d29c590215ed80bcdcbbf01921c3d5

    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe

      Filesize

      952KB

      MD5

      18aad5f025b92ce584b9513bcf2d5f13

      SHA1

      652d59fc75019a3222a322aa4905cfa2aaee0813

      SHA256

      ec8e214ad56305f96d2e5ace0e5a2465225375bf19367d80dc94407fccb28905

      SHA512

      9d62e5ad754fabb7830daba2b906e8cf8a96f1b4cb4ec439b550d35bc627a8c93702304306ec08ad21d802e245edb15a2c7832d53869017c0d66fcec0fcdd005

    • memory/1076-148-0x0000000000A50000-0x0000000000B44000-memory.dmp

      Filesize

      976KB

    • memory/4308-4-0x0000000001790000-0x00000000017A0000-memory.dmp

      Filesize

      64KB

    • memory/4308-7-0x00000000017B0000-0x00000000017BA000-memory.dmp

      Filesize

      40KB

    • memory/4308-8-0x0000000002F80000-0x0000000002F88000-memory.dmp

      Filesize

      32KB

    • memory/4308-9-0x0000000002FA0000-0x0000000002FAA000-memory.dmp

      Filesize

      40KB

    • memory/4308-10-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

      Filesize

      48KB

    • memory/4308-11-0x0000000002FC0000-0x0000000002FCC000-memory.dmp

      Filesize

      48KB

    • memory/4308-5-0x0000000002F90000-0x0000000002F9A000-memory.dmp

      Filesize

      40KB

    • memory/4308-6-0x0000000001780000-0x000000000178C000-memory.dmp

      Filesize

      48KB

    • memory/4308-0-0x00007FFA102C3000-0x00007FFA102C5000-memory.dmp

      Filesize

      8KB

    • memory/4308-3-0x0000000001770000-0x0000000001780000-memory.dmp

      Filesize

      64KB

    • memory/4308-143-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

      Filesize

      10.8MB

    • memory/4308-2-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

      Filesize

      10.8MB

    • memory/4308-1-0x0000000000DD0000-0x0000000000EC4000-memory.dmp

      Filesize

      976KB