Overview

overview

10

Static

static

10

7a735fb7f6...ed.exe

windows7-x64

10

7a735fb7f6...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2024 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe

  • Size

    952KB

  • MD5

    74ffc0f02c115af7ca2a9e63280ee91a

  • SHA1

    cbc921ebe0671922b3495aead9c23c9d8305baba

  • SHA256

    7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed

  • SHA512

    e9a2453c1a3c897a94a0cb817c12dbda52c175a709704614cda8497ce95dd6f137d394d3e6c0136f73819b05c1248649b4a1fc147c90dbe0bdc25d12b1fa5179

  • SSDEEP

    24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXX:Z8/KfRTKt

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
    persistence
  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe
    "C:\Users\Admin\AppData\Local\Temp\7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3044
    • C:\Windows\System32\mfc110deu\lsass.exe
      "C:\Windows\System32\mfc110deu\lsass.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\wlanui\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\C_10081\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\msrating\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\mfc110deu\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\SearchFilterHost\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe
    Filesize

    952KB

    MD5

    74ffc0f02c115af7ca2a9e63280ee91a

    SHA1

    cbc921ebe0671922b3495aead9c23c9d8305baba

    SHA256

    7a735fb7f6e21b8f02009613d40272571de48bb6511509326e65f44aec6b19ed

    SHA512

    e9a2453c1a3c897a94a0cb817c12dbda52c175a709704614cda8497ce95dd6f137d394d3e6c0136f73819b05c1248649b4a1fc147c90dbe0bdc25d12b1fa5179

    Download Submit

  • C:\Windows\System32\SearchFilterHost\wininit.exe
    Filesize

    952KB

    MD5

    1143df3dac1cea96e3e0b7e7233ec101

    SHA1

    47b902d6db1e2d7846ffd44b590b7f83dd9813d9

    SHA256

    69b04db50496a778be7b023275a4bbf22799959874417a179d1e9ba08d4f028f

    SHA512

    3da2d141e4842a838cb5bdb6f2e737a7e64d89cf103ad31f0a0b9a4cd5db95fdb751fe0154eb0f8c4263cff50fc2a61f5187fe437580458d7cddbe786b5c37ce

    Download Submit

  • C:\Windows\System32\mfc110deu\lsass.exe
    Filesize

    952KB

    MD5

    fc8751c3e2dabf0d588a762b22df3581

    SHA1

    cfaaa41a0b54ded47a90a07f540ecfa484e25204

    SHA256

    2ebe23e7c50ad803426216aab32e3e759c1cd65329c223c29b54f630ca1ae3d9

    SHA512

    5c2fb0f3f0bc924dfe7da7f665d9596384c6349010cc70469fa916a0775f9df702dba8f347e9ee4200f1c850db81a67507684f3ee8198766b9689329921fb531

    Download Submit

  • memory/2260-159-0x0000000000A60000-0x0000000000B54000-memory.dmp

    Filesize

    976KB

    Download

  • memory/3044-6-0x00000000009A0000-0x00000000009AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3044-11-0x0000000000A30000-0x0000000000A3C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3044-10-0x0000000000A00000-0x0000000000A0C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3044-9-0x00000000009F0000-0x00000000009FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3044-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-8-0x00000000009C0000-0x00000000009C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3044-5-0x00000000009D0000-0x00000000009DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3044-4-0x0000000000990000-0x00000000009A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-3-0x0000000000980000-0x0000000000990000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-7-0x0000000000A20000-0x0000000000A2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3044-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3044-1-0x0000000001320000-0x0000000001414000-memory.dmp

    Filesize

    976KB

    Download

  • memory/3044-160-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

    Filesize

    9.9MB

    Download