Overview

overview

10

Static

static

10

A26ED7DC21...02.exe

windows7-x64

10

A26ED7DC21...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    A26ED7DC21BC77F20C0251FA25738D02.exe

  • Size

    2.5MB

  • MD5

    a26ed7dc21bc77f20c0251fa25738d02

  • SHA1

    8fc82929941d67a20c76976e796feab701795c2f

  • SHA256

    18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

  • SHA512

    5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

  • SSDEEP

    24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\A26ED7DC21BC77F20C0251FA25738D02.exe
    "C:\Users\Admin\AppData\Local\Temp\A26ED7DC21BC77F20C0251FA25738D02.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\89s4J3Slo6.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1600
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:776
          • C:\Users\Public\Downloads\conhost.exe
            "C:\Users\Public\Downloads\conhost.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:844
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1584
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2436
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2404
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1708
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2088
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2508
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2340
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:344
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2872
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2240

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\powershell.exe
        Filesize

        2.5MB

        MD5

        a26ed7dc21bc77f20c0251fa25738d02

        SHA1

        8fc82929941d67a20c76976e796feab701795c2f

        SHA256

        18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

        SHA512

        5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\89s4J3Slo6.bat
        Filesize

        213B

        MD5

        8e51899c6efb6268840e4e371e6e548a

        SHA1

        566fec5886a76e440df421740bf1a09785b195f6

        SHA256

        638793e5559bcb63ab5db88fbb25b52ecc29a2363853a1fdcc95b2aa7dff19e4

        SHA512

        62e0c5f23790492739a9a098b7868509ae100c61c7dfaa6338921372b226a879baffc97c1bd7418ef31cd1fb3b35c03abca4ccb2c20f55ac3a2255683630eeb4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EA9E5YDNKHT7E7WOD00X.temp
        Filesize

        7KB

        MD5

        95b75d308eb1eae2aac08662fa33971a

        SHA1

        8e7e2c76fd820cf765ea59876345e74d77845994

        SHA256

        c66a1fa8905a47bd4797574af758811f6a2cc5babe6ccaa16acc383eea47e174

        SHA512

        45f855d3cd2c91ab589057d90547a3e05bb27d5ec785f725a515a3888bb66886f6d3f8d083cf12764dd9dfa9ff5fc165d6fa4246645963c8b2e6d486c5bd50e5

        Download Submit

      • memory/844-140-0x00000000003C0000-0x0000000000652000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/2100-34-0x0000000000B00000-0x0000000000B0C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2100-16-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2100-10-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2100-38-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2100-12-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2100-42-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2100-14-0x00000000004E0000-0x00000000004F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2100-40-0x0000000000D00000-0x0000000000D12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2100-18-0x00000000004F0000-0x0000000000500000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2100-19-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2100-22-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2100-21-0x0000000000500000-0x0000000000510000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2100-30-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2100-29-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2100-27-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2100-25-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2100-24-0x0000000000510000-0x000000000051E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2100-32-0x0000000000B20000-0x0000000000B32000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2100-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2100-36-0x0000000000B10000-0x0000000000B20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2100-9-0x00000000004E0000-0x00000000004FC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2100-7-0x0000000000480000-0x000000000048E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2100-11-0x0000000000490000-0x00000000004AC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2100-44-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2100-46-0x0000000000D20000-0x0000000000D30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2100-48-0x00000000012C0000-0x000000000131A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2100-50-0x0000000000D30000-0x0000000000D3E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2100-52-0x0000000000D40000-0x0000000000D50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2100-54-0x0000000001260000-0x000000000126E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2100-56-0x0000000001290000-0x00000000012A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2100-58-0x0000000001270000-0x000000000127C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2100-60-0x000000001AA20000-0x000000001AA6E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2100-5-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2100-4-0x00000000004B0000-0x00000000004D6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2100-1-0x0000000001330000-0x00000000015C2000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/2100-2-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2100-126-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2124-109-0x0000000002330000-0x0000000002338000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2436-172-0x000000001B580000-0x000000001B862000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2436-177-0x0000000002960000-0x0000000002968000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2732-106-0x000000001B540000-0x000000001B822000-memory.dmp

        Filesize

        2.9MB

        Download