Overview

overview

10

Static

static

10

1e1ee51c8a...7d.exe

windows7-x64

10

1e1ee51c8a...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 20:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe

  • Size

    952KB

  • MD5

    95939c0925ece0edd3465ef067ca58c8

  • SHA1

    7c0f4691d4f60beb794a161834702623b610c2a6

  • SHA256

    1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d

  • SHA512

    b46684d36fc7be55fc83d84866fa91c8af85c19dc3f23922f6acf241e173dbfb173bda53d18bfc447f751315c004ea5dd06079a10d1a6acb70a354e98e5e9625

  • SSDEEP

    24576:u+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:p8/KfRTK

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
    persistence
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 18 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe
    "C:\Users\Admin\AppData\Local\Temp\1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1852
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pruhi1Hz6v.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:904
        • C:\Users\Default\Downloads\dllhost.exe
          "C:\Users\Default\Downloads\dllhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\perfctrs\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\MusNotification.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\PerfLogs\MusNotification.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\hlink\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3620

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\SppExtComObj.exe
      Filesize

      952KB

      MD5

      95939c0925ece0edd3465ef067ca58c8

      SHA1

      7c0f4691d4f60beb794a161834702623b610c2a6

      SHA256

      1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d

      SHA512

      b46684d36fc7be55fc83d84866fa91c8af85c19dc3f23922f6acf241e173dbfb173bda53d18bfc447f751315c004ea5dd06079a10d1a6acb70a354e98e5e9625

      Download Submit

    • C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\SppExtComObj.exe
      Filesize

      952KB

      MD5

      cd19d548e9f8d3ad83d26cc41a27f322

      SHA1

      1d73f49547b194ab70588333f6021b3cf8046b0f

      SHA256

      fce9dccccd9ef2e5a66030f2ede6a323d837910a01a4b7afede8913d48bdc77e

      SHA512

      c927270b027d5f849ed569c6d0ae7bac9b5e43a842749e2fc76b4cfcd6418d233129c5b204b570756294314e9de29683874786d6379d6571d30e3f8011524b12

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Pruhi1Hz6v.bat
      Filesize

      202B

      MD5

      10cd8b7a5417bf7470263560b1f183fc

      SHA1

      370ff03f76576a24ac8fe6ea7338c794883cb8f9

      SHA256

      ebeba046c30013ba1cc92f1f8fb62948ac00334343bfddb1691a858efc9c9cc7

      SHA512

      10c8001908818f7dcfe0c014063590b16c2c85e7e144e01d587757c112d6d352221c913f825e0a553299c1a1c4c95912172384785a28d38ad4971e23d1c0511f

      Download Submit

    • C:\Users\Public\AccountPictures\services.exe
      Filesize

      952KB

      MD5

      6f10d025631ab2bf2ffa2cb9e90540c0

      SHA1

      b489280f47351276eb38e3364f9f09347ce6ca02

      SHA256

      d1b0a0baabd3d86ef3d607989754e7d2ef5bcbf252c3a41fa7cb5f96e7866c03

      SHA512

      8b422963eb3e63c9f046d5c5b99e0e26dc7a430000a55caacfb6f8967e210579fd20fc4e3a83e07d41f850f5a2cbcebbf738c44db2f66d20c14e54bf69a5862f

      Download Submit

    • C:\Windows\System32\hlink\lsass.exe
      Filesize

      952KB

      MD5

      b5bdd774bcefda6033711c3a1f8572fe

      SHA1

      fa00e07d4df3be263a42042e0a4e2063dc72a60a

      SHA256

      72a5289881a63aff3fe4c75febc53fc0e1ded375278707a5afebf7f116d0190c

      SHA512

      ed1a1996d088a21f76796cc3c2fe8f00e4f00330e7a931c86608920611d6f1b22de5484a7d46b41e0becb3069bfad48e4230f4f8d483d187f3519cac34a4880b

      Download Submit

    • C:\Windows\de-DE\fontdrvhost.exe
      Filesize

      952KB

      MD5

      e0de1ba634da47dcc6a42dcf67cefcac

      SHA1

      0c7679a6ec9fd37353d9374b43b34b4cc973c092

      SHA256

      0fba4b4f4e0e15e9d092e4052744ac75c8781ed144051bcacd072ce723c3d073

      SHA512

      4fa7b9d961fc39a838041612299aa6db19cb28d0dbec22328bb097dd179f2fc0e212f133f13e5e08cdef56dd896af361f1c44ca4c319fcefe497ee58d1b7427d

      Download Submit

    • memory/1852-4-0x0000000002F00000-0x0000000002F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1852-7-0x0000000002F30000-0x0000000002F3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1852-8-0x0000000002F70000-0x0000000002F78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1852-10-0x0000000002F90000-0x0000000002F9C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1852-9-0x0000000002F80000-0x0000000002F8A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1852-11-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1852-6-0x0000000002F40000-0x0000000002F4C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1852-5-0x0000000002F10000-0x0000000002F1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1852-0-0x00007FFDB5643000-0x00007FFDB5645000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1852-3-0x0000000002EF0000-0x0000000002F00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1852-2-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1852-141-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1852-1-0x0000000000DB0000-0x0000000000EA4000-memory.dmp

      Filesize

      976KB

      Download