Overview

overview

10

Static

static

10

0fc3107833...a8.exe

windows7-x64

10

0fc3107833...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe

  • Size

    984KB

  • MD5

    789ff6a462201360bea02c98b4fb3c2d

  • SHA1

    322228573e2be64daf1ee9118af397dfcbc91bce

  • SHA256

    0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8

  • SHA512

    72517203f735a71d241fb69d55a85315f678dec2f7c02d8b3733e318fe804424cf7079873a296a6e411e2b1364800cc89df45987a8609813f1a64a60b044616e

  • SSDEEP

    12288:gyEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgo:gyErYT+PvXIUln/1GJgo

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat 19 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
    "C:\Users\Admin\AppData\Local\Temp\0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:524
    • C:\Users\Admin\AppData\Local\Temp\0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe
      "C:\Users\Admin\AppData\Local\Temp\0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1076
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:592
      • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:1000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\winlogon.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\explorer.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    Filesize

    984KB

    MD5

    789ff6a462201360bea02c98b4fb3c2d

    SHA1

    322228573e2be64daf1ee9118af397dfcbc91bce

    SHA256

    0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8

    SHA512

    72517203f735a71d241fb69d55a85315f678dec2f7c02d8b3733e318fe804424cf7079873a296a6e411e2b1364800cc89df45987a8609813f1a64a60b044616e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    befdca40ece5c597e70353a881185298

    SHA1

    287be117c4f0855f9e806e0b4291c519fc9537a6

    SHA256

    0b5f2158fcf9319a87765f3cf4afe09c3d6437877bc9e9924492defff0d6ab75

    SHA512

    31580a6b623f9ab48b44a3998b84142ce5659aa70551dd69fd482cbe1368c4e6a43633f4e3a1b5251b92c2fa823635b746120c291f4a905114dcb8c4a68c7153

    Download Submit

  • memory/1000-133-0x0000000000A90000-0x0000000000B8C000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/1992-11-0x0000000002090000-0x0000000002098000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1992-14-0x0000000002140000-0x000000000214C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1992-5-0x0000000000550000-0x0000000000560000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-7-0x0000000000690000-0x000000000069A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1992-6-0x0000000000670000-0x0000000000686000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1992-8-0x00000000008B0000-0x00000000008BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1992-9-0x00000000008C0000-0x00000000008CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1992-10-0x00000000008D0000-0x00000000008DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1992-12-0x0000000002120000-0x000000000212E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1992-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-13-0x0000000002130000-0x000000000213C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1992-4-0x0000000000540000-0x0000000000548000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1992-15-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-3-0x0000000000530000-0x000000000053E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1992-1-0x0000000000060000-0x000000000015C000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/1992-104-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2096-62-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2096-63-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3052-144-0x0000000001C90000-0x0000000001C98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3052-139-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download