Overview

overview

10

Static

static

10

5bdee06dab...f9.exe

windows7-x64

10

5bdee06dab...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5bdee06daba59fe190c2d50c3f553c1ed64ddb9202b548b89c1714bef49be5f9.exe

  • Size

    952KB

  • MD5

    26c699f748a3e68a629350477bf1d5bc

  • SHA1

    720cf7b11430e765a673ec4210fe953cd58e1dd4

  • SHA256

    5bdee06daba59fe190c2d50c3f553c1ed64ddb9202b548b89c1714bef49be5f9

  • SHA512

    5eecc11b0bb4a699b409bf148921e1401b850f06df1e51bc9bc447956fffc0f16316f573c9e01890da61133414a5faea37bf9d85c3697569be5dbb1d723bb187

  • SSDEEP

    24576:++O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:58/KfRTK

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bdee06daba59fe190c2d50c3f553c1ed64ddb9202b548b89c1714bef49be5f9.exe
    "C:\Users\Admin\AppData\Local\Temp\5bdee06daba59fe190c2d50c3f553c1ed64ddb9202b548b89c1714bef49be5f9.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDawAzvz42.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1668
        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe
          "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\RpcRtRemote\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2216

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RCXBD09.tmp
      Filesize

      952KB

      MD5

      26c699f748a3e68a629350477bf1d5bc

      SHA1

      720cf7b11430e765a673ec4210fe953cd58e1dd4

      SHA256

      5bdee06daba59fe190c2d50c3f553c1ed64ddb9202b548b89c1714bef49be5f9

      SHA512

      5eecc11b0bb4a699b409bf148921e1401b850f06df1e51bc9bc447956fffc0f16316f573c9e01890da61133414a5faea37bf9d85c3697569be5dbb1d723bb187

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XDawAzvz42.bat
      Filesize

      239B

      MD5

      d68629313bbbeff8c68b6260d52d0422

      SHA1

      9c623b43ada285a899d840d4d0f015fe920028cf

      SHA256

      e94c1a0f0d3261b24972b48fb4b70a52b866848b863f7a006862ea602bd7ce01

      SHA512

      d219a214bc53327d2e90b58f1f95de96248560ea9e154cd6c34e64fcc558cfe80e7301aff359552ddb21261b9a57abb67795df26c2607b2c6f48d7ea193d6791

      Download Submit

    • C:\Windows\System32\RpcRtRemote\winlogon.exe
      Filesize

      952KB

      MD5

      1d61a4644ec87d19e96e018a02267796

      SHA1

      bbb65d9ef6a8aca0e204d0fb0534005800521b30

      SHA256

      d1c0e63686e58a2a1a40794abeafc6db3640089312765320324943a5f190ad0b

      SHA512

      c6889af593b7248828eb7ce7bcc479621336d0d73954ca917e776923760ca768725b2d64f970227a6ee7b25dce1202f2cdd23120c1a2cb839ed60836cd3f18c7

      Download Submit

    • memory/1880-80-0x0000000000E40000-0x0000000000F34000-memory.dmp

      Filesize

      976KB

      Download

    • memory/2368-4-0x0000000000260000-0x0000000000270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2368-5-0x0000000000290000-0x000000000029A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2368-6-0x0000000000250000-0x000000000025C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2368-7-0x0000000000420000-0x000000000042A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2368-10-0x00000000004F0000-0x00000000004FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2368-9-0x00000000004E0000-0x00000000004EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2368-8-0x0000000000570000-0x0000000000578000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2368-11-0x0000000000270000-0x000000000027C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2368-0-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2368-3-0x0000000000240000-0x0000000000250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2368-76-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2368-2-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2368-1-0x0000000000B00000-0x0000000000BF4000-memory.dmp

      Filesize

      976KB

      Download