Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2024 05:26

General

  • Target

    600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bdN.exe

  • Size

    952KB

  • MD5

    dc33393b307bd0e4092fba53020cf2b0

  • SHA1

    9341b0a2c621e016142f7c78569b0321da0b85f8

  • SHA256

    600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bd

  • SHA512

    7b7c6a5c2d5b143ef850603fdde43e455fae8eb1913b644029779348d2247d90efd72c58e623712057051ab30107bfa8beb62dd9b3c89c0a6389b4547ad8a3af

  • SSDEEP

    24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:Z8/KfRTK

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in System32 directory 16 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bdN.exe
    "C:\Users\Admin\AppData\Local\Temp\600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bdN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:972
    • C:\Users\Admin\AppData\Local\Temp\600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bdN.exe
      "C:\Users\Admin\AppData\Local\Temp\600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bdN.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1144
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9v5XqA8Xpk.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3416
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:2444
          • C:\Windows\System32\DXP\sihost.exe
            "C:\Windows\System32\DXP\sihost.exe"
            4⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:4936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\tcpip\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\MapGeocoder\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\DXP\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\WMSysPr9\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Documents and Settings\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\splwow64\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\NetworkProxyCsp\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bdN" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bdN.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1868

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bdN.exe.log

      Filesize

      1KB

      MD5

      7f3c0ae41f0d9ae10a8985a2c327b8fb

      SHA1

      d58622bf6b5071beacf3b35bb505bde2000983e3

      SHA256

      519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

      SHA512

      8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

    • C:\Users\Admin\AppData\Local\Temp\9v5XqA8Xpk.bat

      Filesize

      198B

      MD5

      4ad67848a1307f355f72335ee2e31574

      SHA1

      a1c84dd602010d0182602999f24c55eb0795565c

      SHA256

      af65600a56935906c509d21623d8b183a76f5cdcbc4f99773102de8fe6ebf55b

      SHA512

      a852ee9058fec4a0a5b57d4a9918e6916c8689d013707255d04966c50d9a072c6bfaaa4317196fa5d592a801225f6f32b84c32ea024463778ec2931127ba0dcf

    • C:\Users\Admin\AppData\Local\Temp\RCXA4EC.tmp

      Filesize

      952KB

      MD5

      dc33393b307bd0e4092fba53020cf2b0

      SHA1

      9341b0a2c621e016142f7c78569b0321da0b85f8

      SHA256

      600d9427269badcbd7bb8635d82c3722b6475d0479787498811ee247cc2d53bd

      SHA512

      7b7c6a5c2d5b143ef850603fdde43e455fae8eb1913b644029779348d2247d90efd72c58e623712057051ab30107bfa8beb62dd9b3c89c0a6389b4547ad8a3af

    • C:\Windows\Performance\WinSAT\DataStore\winlogon.exe

      Filesize

      952KB

      MD5

      5a3dfd0d33504361faef40c26939705d

      SHA1

      9307dadb38aeb5b4048e542d9804cf1df51054dd

      SHA256

      f83d4f4394eb46c9dc1ff2c3bf773d9e4dc3b884984fd5de6613e64ede8e2413

      SHA512

      ad59f8d5ad1e0b69347a370312dd3f1f097b89bbf8f2c926b79d20a2037bb2d7f7ff9ed7099826f14ced4ab7611d2adf703547dfee765ddeefb8153d3f7d1ff2

    • C:\Windows\System32\MapGeocoder\RuntimeBroker.exe

      Filesize

      952KB

      MD5

      f0933521dea9f91bf0a1fbf40938587b

      SHA1

      933ba75f12d1e3ebc02f046356da271d3eaf2748

      SHA256

      a3b9dc392a5de635b550d68dba5da8d468ca799ed150e803f17f6fb826ab42bb

      SHA512

      1e085f0b8147c9bbf879ace603e739fea764775198a093643610acea42e5115c5887fb352666d5ee0add9a988c84306ad98f4481309db77f850ae29d915d76f4

    • C:\Windows\System32\wbem\tcpip\unsecapp.exe

      Filesize

      952KB

      MD5

      12320cb983f7292f827a086fdd19453a

      SHA1

      1e7d532e4567b672de574e24952aee5ddb0301ab

      SHA256

      9ff9410a88948e2b2065671f3f133fc58be1f6697337395a78aa578164fa3ae0

      SHA512

      e58768fcf986cbbcc4f5f94d68824434d2764e9a694596c1071e65103e53a081f077e3ce8f07d9c6750d7b97f285d08cd92674efacc0d38e73cad94a911f85ea

    • memory/972-4-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

      Filesize

      64KB

    • memory/972-7-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

      Filesize

      40KB

    • memory/972-8-0x0000000001030000-0x0000000001038000-memory.dmp

      Filesize

      32KB

    • memory/972-10-0x0000000001050000-0x000000000105C000-memory.dmp

      Filesize

      48KB

    • memory/972-11-0x0000000001060000-0x000000000106C000-memory.dmp

      Filesize

      48KB

    • memory/972-9-0x0000000001040000-0x000000000104A000-memory.dmp

      Filesize

      40KB

    • memory/972-6-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

      Filesize

      48KB

    • memory/972-5-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

      Filesize

      40KB

    • memory/972-0-0x00007FFB29E63000-0x00007FFB29E65000-memory.dmp

      Filesize

      8KB

    • memory/972-3-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

      Filesize

      64KB

    • memory/972-2-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

      Filesize

      10.8MB

    • memory/972-60-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

      Filesize

      10.8MB

    • memory/972-1-0x0000000000710000-0x0000000000804000-memory.dmp

      Filesize

      976KB