Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-12-2024 23:14

General

  • Target

    cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

  • Size

    682KB

  • MD5

    e5e4996e98303646d51296cd1a292e8d

  • SHA1

    d023ebe75fb01aa822f3788765be68108b3197df

  • SHA256

    cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07

  • SHA512

    57f5299aeefa22032c9e7df3d1c39d1a33504c1ec1ea5c80bf7fbf8b78042b9bfcae81155fcbfed24e7b9a603b960b2285872765b4c2dbed1bda6aa8e3db4ca3

  • SSDEEP

    12288:hqnO3mwJNoGFAgHCRvp1i/fjqJRYFInDrX/xTU3JgXDV6blx1wgtra7B+:h+O3mwJnCRvEMxnDVSwgYc

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 25 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
    "C:\Users\Admin\AppData\Local\Temp\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4616
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19vsyrATh2.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:2584
        • C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe
          "C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:4876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\dnscacheugc\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Desktop\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\mdmpostprocessevaluator\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\C_20280\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\WindowsIoTCsp\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\wlidnsp\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:380

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Google\Temp\fontdrvhost.exe

      Filesize

      682KB

      MD5

      15f1d04e26aebb0e72fc35fa537f9f2c

      SHA1

      da729542eaf51492fccb6f429bc4ac7973b8a479

      SHA256

      d329da13906a88711ea1eb69df253bba4314729c5d9d80737c57f6ee82251dc5

      SHA512

      85f1e4b850f8709a0dfc27900b5cd049a294ea922240098c8cdeac6436c426e6cfb115bd34a475506a1770e386d58b0e02d1066f59e6d5265de119d8200ebda3

    • C:\ProgramData\Microsoft OneDrive\setup\fontdrvhost.exe

      Filesize

      682KB

      MD5

      d2cc9996ea7c592421955075590e3c90

      SHA1

      ada5a6d86cf1e2465c4ea578733a7ccd68881f1a

      SHA256

      eba55f2c36d3cea42da3a04b815fcd59469bd8ec58acf4b5a660c8c972161eee

      SHA512

      600a1f55756460832c5ebac60c88d55a2f256e41f797ac6f7e265f30ca1c03b7dc98b9567ef5c9bf9fd275af6f1a4af2b43fe084430f5875ab97faed6921fe9a

    • C:\Recovery\WindowsRE\csrss.exe

      Filesize

      682KB

      MD5

      a3279f8cf5fd0105f5cff90d4cde35d4

      SHA1

      58cec02c401002154b44fb9b6c434382b48373fb

      SHA256

      73c897c0c0d05c0ecb96af946e4e8f21aa05302b8004e9eb2259e07d4a81162c

      SHA512

      f327f7d613c13f9d7cec28f8c598d6e6b8fa4fcac157ac4f2152c0875aec33f0b6fe111f5b1b43aa6981cd8ed00768fd545f464f6bb190b374bc96e8b860c53c

    • C:\Users\Admin\AppData\Local\Temp\19vsyrATh2.bat

      Filesize

      223B

      MD5

      b31d222b0b13f8d8172e3409940e8b21

      SHA1

      20d1c514b86c04f3feee9d8326fcefb2d8caaeb0

      SHA256

      dcfb3d17416f8ff1fd1887f357ff3e6fb442213dcf7b444dcb63e13c34b6badd

      SHA512

      3a97d2f72554d5e82c2189904fc113868f3282ff08860988177d0de072bc30646a66c319e01c2b96645bd0d3a879eba62b9838fec51448c99b7da7ecd1a7bf71

    • C:\Windows\System32\C_20280\spoolsv.exe

      Filesize

      682KB

      MD5

      4c1db0b64cd6c5ddd13fed2eeead30ac

      SHA1

      503e93d809fac828031d220cdc257e3d8c3e0d1b

      SHA256

      20a50c018a7851c8d563823df5f4f9bb24585c8ba625126a1c89e81c402f9809

      SHA512

      7ee31c57141130dc10c6dd593fbe62df95697addf7a10f87f65737c460999a99720b4c3162a19ecd35725d0e04756a5e00d6c4b7ec1f827919acc4bd151b5b30

    • C:\Windows\System32\WindowsIoTCsp\taskhostw.exe

      Filesize

      682KB

      MD5

      92d2b2b35752c3354562f113712a7865

      SHA1

      ce34da57f75d163e2cc05e9655676cc2bb93fefe

      SHA256

      c26c0ea12c846543a07b3f91431ef1d89cedcfedfff0a5c1babb02ab07c3315e

      SHA512

      285af6890733b1cb35a25f6f6ce827767f85c08b10e884cd5c73e5fec2cbe20bf0050ee17ea964e2fa8a5148aba14b7d7e1a4df55a98a59edb876f6cd8baf0a3

    • C:\Windows\System32\dnscacheugc\RuntimeBroker.exe

      Filesize

      682KB

      MD5

      8435c244f54c3497bbb30117696daabc

      SHA1

      4885bb8d9c6c09cc6ec83dcb17bde9452ce2e430

      SHA256

      37e841b2920c0618f3347846c4ddfcb7b423e906f7b553003468550ae8e6021e

      SHA512

      2c67872e2e8d2ae0e1e7ed558177c870b135a20cae52801409105866b0582c365e21afd7a1d457d96634e76053b550f5226fe39670c2bda6e2617fe5cd6e6fb5

    • C:\Windows\System32\mdmpostprocessevaluator\fontdrvhost.exe

      Filesize

      682KB

      MD5

      e5e4996e98303646d51296cd1a292e8d

      SHA1

      d023ebe75fb01aa822f3788765be68108b3197df

      SHA256

      cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07

      SHA512

      57f5299aeefa22032c9e7df3d1c39d1a33504c1ec1ea5c80bf7fbf8b78042b9bfcae81155fcbfed24e7b9a603b960b2285872765b4c2dbed1bda6aa8e3db4ca3

    • C:\Windows\System32\mdmpostprocessevaluator\fontdrvhost.exe

      Filesize

      682KB

      MD5

      207dfe856884aedec1995deb99c079fc

      SHA1

      b8168898b89d2bbec0af91206d5808cc27e17b0a

      SHA256

      09fbeef7aa7c22a1e51e6d16023a5dde5b4115c6eae4e4b4dac81eaf612f2b29

      SHA512

      f3627ad9e603f2dcc82111d9ced87e6fa338c5971116056b28422e1b96b54418d6ff34b78348689abea7af10be746fd71276d18939620b1b8eb37382d0c925e2

    • memory/4616-6-0x0000000002180000-0x000000000218A000-memory.dmp

      Filesize

      40KB

    • memory/4616-0-0x00007FFB80F43000-0x00007FFB80F45000-memory.dmp

      Filesize

      8KB

    • memory/4616-8-0x0000000002190000-0x000000000219C000-memory.dmp

      Filesize

      48KB

    • memory/4616-5-0x0000000002160000-0x000000000216C000-memory.dmp

      Filesize

      48KB

    • memory/4616-7-0x0000000002170000-0x0000000002178000-memory.dmp

      Filesize

      32KB

    • memory/4616-4-0x0000000002140000-0x000000000214C000-memory.dmp

      Filesize

      48KB

    • memory/4616-2-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

      Filesize

      10.8MB

    • memory/4616-3-0x0000000002130000-0x0000000002140000-memory.dmp

      Filesize

      64KB

    • memory/4616-152-0x00007FFB80F43000-0x00007FFB80F45000-memory.dmp

      Filesize

      8KB

    • memory/4616-154-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

      Filesize

      10.8MB

    • memory/4616-1-0x0000000000020000-0x00000000000D2000-memory.dmp

      Filesize

      712KB