Overview

overview

10

Static

static

10

D9B4B4579B...1E.exe

windows7-x64

10

D9B4B4579B...1E.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    D9B4B4579B6C61FD94D69D7FCEB5F51E.exe

  • Size

    2.3MB

  • MD5

    d9b4b4579b6c61fd94d69d7fceb5f51e

  • SHA1

    7c14d43649b8f78065f6a53e38fb20e69f77c376

  • SHA256

    96c2e9a2370d0df91033333bb9f4dd0662af2c7cd15a2f23ba2b9bb8a699aad0

  • SHA512

    fa37fb61c39d089f3e0313c6b35e2644b26d8cb5af90691589b17d30509cde4af74c93c5dd585d6fafae3a1319a8e3ffa6aa4878bdd3bb7d8a33eecf598dae11

  • SSDEEP

    49152:UbA30/6uKKVR8qNFi+fY8GNTQbVxZdmbvCy6xk0lMA2u/lgqY:UbOuN8qbfY85KbvCjuQ2r

Score
10/10
dcratdiscoveryevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\D9B4B4579B6C61FD94D69D7FCEB5F51E.exe
    "C:\Users\Admin\AppData\Local\Temp\D9B4B4579B6C61FD94D69D7FCEB5F51E.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Agentref\owPgZv.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Agentref\x525Aw58wgGh.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Agentref\serverDriverMonitor.exe
          "C:\Agentref\serverDriverMonitor.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:676
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fOXhQzV8Qo.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4212
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4400
              • C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe
                "C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:4936
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\441ece6c-7cac-4ef7-b149-2650780c954f.vbs"
                  7⤵
                    PID:3428
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13402cff-d124-4a85-8a57-d2a6813c8ccd.vbs"
                    7⤵
                      PID:3208
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3128
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3020
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\ServiceModelOperation 3.0.0.0\0000\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelOperation 3.0.0.0\0000\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\ServiceModelOperation 3.0.0.0\0000\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\ado\it-IT\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2024
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\ado\it-IT\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\ado\it-IT\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1688
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:952
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\SearchApp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4632
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3248

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Agentref\owPgZv.vbe
          Filesize

          197B

          MD5

          0d5aefa3c43518d920c22edbedbc89a9

          SHA1

          c83cca811f929b69bf1b4f718373f8a37f5721cd

          SHA256

          c4204aba735a3ffed104da1e734b06e30ccf4c30cec6447a6c7c07e8c262b6f9

          SHA512

          431067fbca5b0d27d290d3627acfd5edc4461e540359d13a0b17a964c93141f0a98be739c5c4d7405d6b4293b8c161f856d1619eb1f75823f769cc0faa60425c

          Download Submit

        • C:\Agentref\serverDriverMonitor.exe
          Filesize

          2.0MB

          MD5

          fc975c6529d815edd1ad7fdcf717a85f

          SHA1

          84c7b446e4d3915a6968242ef8fa2bd2facf2314

          SHA256

          67b1bda1f5c4225232425b51ebd6ad53d12bea40d581823d3491bdb3c3f34cf1

          SHA512

          ecd2d6db9fe10b138951b558fb8f00ae30b9495fd14d7766e2f70045bef6908ba3492711e62adb3af750e373dc47121520302757fcbbb00a47fdf2545fbbb22a

          Download Submit

        • C:\Agentref\x525Aw58wgGh.bat
          Filesize

          37B

          MD5

          f89871c7b07a892e3b5b74f32b3ded9a

          SHA1

          7d425f9f3a2796307ca2a5acd5c743038f73c7d7

          SHA256

          c1844a2fcb48d78a6b3755e29f6bb41ecd194414bbe0f2a9f21a9d846171141e

          SHA512

          772c36d0a490a2aff151582d2d7f1f06f828baaf0a5d7b7651d758097db6a7aab9659944ec41a73ac9b7103866ad4077dd6dd813c1cd307109b9548aa879b750

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\13402cff-d124-4a85-8a57-d2a6813c8ccd.vbs
          Filesize

          508B

          MD5

          adb85c8748c4e4c822f14c8da2d25f82

          SHA1

          6d1e4823ed37d7bca1f6cc9e562e3d6b82ccb1ad

          SHA256

          064350fa9f3465fe312c4f4f79bad98f3912acb401756b33871c9cd7917ec80c

          SHA512

          2478a87976c49811ab568113301a9a50ba3dfdd2a9a3ac1d1b897fd3b79f97f81d6556db2491d3413f7f348bb3fc5ebd4811fbf95111363065e7a327790ddc52

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\441ece6c-7cac-4ef7-b149-2650780c954f.vbs
          Filesize

          732B

          MD5

          6a70219bf3470b43e6870ce07dba49f7

          SHA1

          57d6c37c2a1d544152bae659c28101a9952da775

          SHA256

          1dd3704520c39554a12d63d45124c5d49dd8951f87b0d7d2d48e35c265344415

          SHA512

          2d8ab9fbc62c38b726e19811ca1e8fdd52a182c1427a12fe52e38e495393bb388fb0dcfb77441947cb5c8d2639d7a23d02a69e26864b2bde86213a59fb9f4134

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\fOXhQzV8Qo.bat
          Filesize

          221B

          MD5

          281fde9d54f36cad99cfdba829f2a099

          SHA1

          acac49483057334154db13897684c8c99fdd1cb8

          SHA256

          db876b0ff756b246dd4d20e233ea5d7f487e48aad335fdea5e579d6317a13f28

          SHA512

          4bf36b224e45e3a73af6979033cb35465ff344332e15c721d15449577cb0bf72934b6dbd1e2dedbc1c1c75ed943a51946ff54fc539e986e19b16c088e55c53a8

          Download Submit

        • memory/676-15-0x00000000019F0000-0x0000000001A46000-memory.dmp

          Filesize

          344KB

          Download

        • memory/676-16-0x0000000001A40000-0x0000000001A4C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/676-18-0x0000000001A60000-0x0000000001A6C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/676-17-0x0000000001A50000-0x0000000001A5A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/676-14-0x00000000019E0000-0x00000000019EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/676-13-0x0000000000E70000-0x0000000001070000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/676-12-0x00007FFEF6073000-0x00007FFEF6075000-memory.dmp

          Filesize

          8KB

          Download