Overview

overview

10

Static

static

10

4a7e93517c...f0.exe

windows7-x64

10

4a7e93517c...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe

  • Size

    1.8MB

  • MD5

    2f7a0b0d633254c477f9d8650d485d11

  • SHA1

    1ce7e5c3989077d2965d9aac2a256f9930e5b98f

  • SHA256

    4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0

  • SHA512

    b6141e51687d39942fb04f593c7bb2c0a7ec9e0bc53200f22e4d4c94fdb5ce55aed3169ca35d014fb746089bd2087f585ad3f057931642650ff0063195054299

  • SSDEEP

    49152:VbA3GzW8NA/VUPoFVwrIIV+DJGfZ19qigh:Vbs8NA/VUPoXIV+Dwbwfh

Score
10/10
dcratdiscoveryevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
    "C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\CombrowserSavesInto\gFc2W3El0.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\CombrowserSavesInto\Crtmonitor.exe
          "C:\CombrowserSavesInto\Crtmonitor.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2872
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2160
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:544
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBobYecdYq.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2188
              • C:\Users\Public\explorer.exe
                "C:\Users\Public\explorer.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:1152
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e4f8b12-003b-42c8-8258-909c56620692.vbs"
                  7⤵
                    PID:316
                    • C:\Users\Public\explorer.exe
                      C:\Users\Public\explorer.exe
                      8⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • System policy modification
                      PID:672
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\612b4263-1bd6-4605-a102-e6d919109bbc.vbs"
                    7⤵
                      PID:2032
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                4⤵
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:2972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1856
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2488
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2896
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2308

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe
          Filesize

          205B

          MD5

          f9aa9ba9ca708623a6d8eafcab82b460

          SHA1

          c75bfeade1de9cd48b255a60679a2afd045fd737

          SHA256

          0b51137a1e50b6fde4624ccff526ceb7a3fb911c811c45dcdd2fd30004993471

          SHA512

          31ef0b612045b9261ab91921336931c318e4ff853197c58d29e9741c86eeb4db859a97d413d92ac6d6d18fbeabd4ee4a1c8d4512f25468818421c4ce63a4c7a8

          Download Submit

        • C:\CombrowserSavesInto\gFc2W3El0.bat
          Filesize

          151B

          MD5

          341c56654b4b916155226d31ae60c33b

          SHA1

          15625cf5fdc9c74cd7ab2df39433ec7a3e1587e8

          SHA256

          a5712bbb877663ebb6f017ecb478fe7c79337afa84dbda0b7b1c75120cf7b38d

          SHA512

          32509ecdeed2748d7e66d26b1d8927f6ab1ee98bd7e3c2b585c1ac697f9aaccb6efd44c0f8d30c70c8baebb1b4e07a51a5ce6e437ad155975b33a7dfe7dbf994

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\612b4263-1bd6-4605-a102-e6d919109bbc.vbs
          Filesize

          480B

          MD5

          18df8e62f88b7547852ed84b2222a10e

          SHA1

          72f07d753c21f172ed88de18645fd2a778650cd5

          SHA256

          365d97de5ad485028a13b0b654e1300d9e19c7fe71fea5e1f493700e1ddf46c3

          SHA512

          0a65a6ab0dce21b66da16354ca429499ba7c43a3dd8a58fad24d443c8ba16181987a0a4c3802610bbac2309a28609e252de42683f1b31c61c2e1db417a5081c2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6e4f8b12-003b-42c8-8258-909c56620692.vbs
          Filesize

          704B

          MD5

          b12e9d722bba4153ff952adc4514df55

          SHA1

          1291066f8a71f2a51317a877b41c359cd298100f

          SHA256

          20d63f4b55caef5f107c00bebedefd42a2876a124acc080ad4e8cd39f99bdc73

          SHA512

          3f507458f616d982114d1c7627ebd86a75a557f0d2ea07bb60a87caeffe5f82a1acd61b2ba0843dddd37114aef0d768b12974b00a31d105351530d8b51da1159

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\fBobYecdYq.bat
          Filesize

          193B

          MD5

          74e589d4faa556a23ac67c6317d188bf

          SHA1

          ddab71e9680ded73d30b751967b93c9d4ffb46b6

          SHA256

          c6c2a4469caec44c2d0cadeb9a7f664395b62e984840449a9447da232d9428f7

          SHA512

          c0b0c8f4485220eb7fe17fb2d4cd2fb531d640fb1f1f9e3eb518a4dbec2b2dd0fb47db441c9566c27ef309b41e04acfafdf3dedbbe38dd2f8bed28c1cf241c89

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          0b655016da40c97ea9fa074bccb279ea

          SHA1

          35d22f5ebc62293245d81050e95733ce7513f96d

          SHA256

          71c6ad2e11dcb114c2e07a5f5a57e7c371abdce75e955f4750dc9545da6b0acc

          SHA512

          e479fcf5ba601946ba6470e36b04614b9e53136e11ceb755e19c3703f120466d2f7681e8a282276a115a21186489d168710969329fe8481e5b2eb1b1fece8703

          Download Submit

        • \CombrowserSavesInto\Crtmonitor.exe
          Filesize

          1.5MB

          MD5

          4667f5be1002ce912e5590cca8da93b6

          SHA1

          2e408e483dd447b69d2e938218989265fbfdc2af

          SHA256

          fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e

          SHA512

          cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f

          Download Submit

        • memory/1152-106-0x0000000000F80000-0x000000000110E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2572-21-0x0000000002190000-0x000000000219A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2572-26-0x000000001AAC0000-0x000000001AACC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2572-20-0x0000000002230000-0x000000000223C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2572-22-0x00000000021A0000-0x00000000021AE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2572-18-0x0000000002170000-0x000000000217C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2572-23-0x0000000002240000-0x0000000002248000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2572-24-0x000000001AAA0000-0x000000001AAAC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2572-19-0x0000000002180000-0x0000000002188000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2572-25-0x000000001AAB0000-0x000000001AAB8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2572-17-0x0000000001FD0000-0x0000000001FDC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2572-13-0x0000000000910000-0x0000000000A9E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2572-14-0x0000000000550000-0x000000000056C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2572-16-0x0000000001FC0000-0x0000000001FCA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2572-15-0x0000000001FA0000-0x0000000001FB6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2632-47-0x000000001B770000-0x000000001BA52000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2632-48-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

          Filesize

          32KB

          Download