Overview

overview

10

Static

static

3

de22374f78...de.exe

windows7-x64

10

de22374f78...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe

  • Size

    1.7MB

  • MD5

    ff3f337ba133257bf7ef80c83af6a374

  • SHA1

    6c1746e5455bba5c362db11bf5aef0adaaea6337

  • SHA256

    de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

  • SHA512

    f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053

  • SSDEEP

    24576:LKoAZDIza+c3NunPWpnVuO2PJftX9fRQY16zIWJC5JUqR8lLr0I4gyid81sRO/F:LKdluO2P3N5QkWtlLr0ICNyO

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
    "C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qmdxo6okUb.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4788
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:2240
          • C:\Users\Default\AppData\Roaming\Microsoft\smss.exe
            "C:\Users\Default\AppData\Roaming\Microsoft\smss.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4256
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Ease of Access Themes\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\OneNote Notebooks\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cded" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cded" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3012

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe
        Filesize

        1.7MB

        MD5

        ff3f337ba133257bf7ef80c83af6a374

        SHA1

        6c1746e5455bba5c362db11bf5aef0adaaea6337

        SHA256

        de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

        SHA512

        f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Qmdxo6okUb.bat
        Filesize

        227B

        MD5

        d33bef9cab3beea67453a89cee07eb00

        SHA1

        8e601d31400b9a87c7f11ea1ed44137ff245f2bd

        SHA256

        a32c4e1c2f6acc427e32f2f34f20d2202fea18cbe9833e1a7a7c4e369521b630

        SHA512

        d706aae870d3799865fcc22969d1d05bb909a107e67a49f4d168e4e23372b1aaacc82f2131ec01a076cc08e7149705ba7439e46dd6c088ba0bfa6af9e8d1c810

        Download Submit

      • memory/4240-6-0x00000000030C0000-0x00000000030CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4240-3-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4240-4-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4240-7-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4240-0-0x00007FFDF1C13000-0x00007FFDF1C15000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4240-8-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4240-10-0x00000000030F0000-0x0000000003108000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4240-12-0x00000000030D0000-0x00000000030DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4240-16-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4240-25-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4240-2-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4240-32-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4240-1-0x0000000000DF0000-0x0000000000FB0000-memory.dmp

        Filesize

        1.8MB

        Download