Overview

overview

10

Static

static

3

a6429d9778...b7.exe

windows7-x64

10

a6429d9778...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6429d9778a93254c7387cf588619a2635ed97108558a122de885aad25a57eb7.exe

  • Size

    2.1MB

  • MD5

    6261ec3f13e1cc6ae25ee8942db137b0

  • SHA1

    20629ed3f752869dc4980827291bf3064333405f

  • SHA256

    a6429d9778a93254c7387cf588619a2635ed97108558a122de885aad25a57eb7

  • SHA512

    ed292a77db5e9926cbaa247e449a4019776b2452d2e8cdadfcea4c3d7551372793b2a1125b44cfd5106d2b03ff178041d413750ee81bfc42d7a3252a934b51f1

  • SSDEEP

    24576:2TbBv5rUyXVpz/IPMofzXxgF5X1u1seTK44vmrUcSgjBYsRX8TGxj4fY3D5K7Tqb:IBJp0PbsCk44v0y4BYgAGxrNKvdVT6

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6429d9778a93254c7387cf588619a2635ed97108558a122de885aad25a57eb7.exe
    "C:\Users\Admin\AppData\Local\Temp\a6429d9778a93254c7387cf588619a2635ed97108558a122de885aad25a57eb7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ESD\UST9UxLQoHNIIFaYLHo0xhIRlgCNcLzoLb106m2nL.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ESD\bQzfgHSGdt2kLcLlkun74cHPltHDXr5Sp886hMeTP.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\ESD\Winver.exe
          "C:\ESD/Winver.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\akjY9J06Hp.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4924
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2144
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2780
                • C:\Windows\uk-UA\smss.exe
                  "C:\Windows\uk-UA\smss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Rules\ja-JP\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2356
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1128
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\uk-UA\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\uk-UA\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\uk-UA\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 7 /tr "'C:\ESD\Winver.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 5 /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1044

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ESD\UST9UxLQoHNIIFaYLHo0xhIRlgCNcLzoLb106m2nL.vbe
        Filesize

        222B

        MD5

        8decf43a92645d8ba4b81696c5e7b1ae

        SHA1

        dcc9ca8b24e3adf7568eb0f6b7f5cd27f039faf6

        SHA256

        6ad34bd4e803fad802052423aeab64f4c60dd3ee55a3167425b9640ae24bfea1

        SHA512

        72e44773f484d2e69ebd41cc555d9a57c833b3930e1f3b0326c90882035e0dc5fb54e8d4ded22cf9f2d28fb502b37b133b7c1c9f9d89b8c21857b569c51ebc17

        Download Submit

      • C:\ESD\Winver.exe
        Filesize

        1.8MB

        MD5

        d9ce1032fee5365065a78bbff7267883

        SHA1

        4c7471b47d4151908dd204303421d7c64cf4c5c6

        SHA256

        65d26e7c0b856832e88efefe5c2a9e767fb2a7345715bbd0a6e10f9ac2afb520

        SHA512

        0455364fa91c07da6fecbfb3e3fdbbbcb909e3176b5b151e3653f8b8ebffc02e14fb3471245df479b83f90cd2e1142bcff82b80555cfb3df113696b2925d9435

        Download Submit

      • C:\ESD\bQzfgHSGdt2kLcLlkun74cHPltHDXr5Sp886hMeTP.bat
        Filesize

        57B

        MD5

        d1a4f1e326e7dfca62327ea69446dc7c

        SHA1

        253e264c90cbd15836d8c3a1eab3c26756d94047

        SHA256

        ea091556a5dbab314a6029817a9db64f9b8adc7afb476bbbb11aec0c227f0de2

        SHA512

        3d4624c169297b50329a4e13f3f559a7a1f02112f6482e45cfba747dad11c6e6642f1411cec5e92d7890f86fb38702f48c75fec4d24332d43484ad7b9dbf29c8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\akjY9J06Hp.bat
        Filesize

        201B

        MD5

        0fd2ea96b962e05937cd402061ab6cff

        SHA1

        d5c18a32b86ef0449c8945b8370e0b130fefa2e5

        SHA256

        d391d80e1abb9c1362255a3b80cc0d5b58a1087a5438256f66ac1a3e9f3e932f

        SHA512

        5a614f557e1f6ab9beaeb6a52308d18b9beda3531810e2c72011117923823d732919c9faf6c2dda702ae1b4d7b755a1ea3ebaadab743b1f4e90697f95c2f98af

        Download Submit

      • memory/1336-12-0x00007FFCECC23000-0x00007FFCECC25000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1336-13-0x00000000004D0000-0x00000000006A4000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1336-15-0x0000000000F80000-0x0000000000F8E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1336-17-0x000000001B320000-0x000000001B33C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1336-18-0x000000001B6D0000-0x000000001B720000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1336-20-0x000000001B340000-0x000000001B358000-memory.dmp

        Filesize

        96KB

        Download