Overview

overview

10

Static

static

10

A26ED7DC21...02.exe

windows7-x64

10

A26ED7DC21...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    A26ED7DC21BC77F20C0251FA25738D02.exe

  • Size

    2.5MB

  • MD5

    a26ed7dc21bc77f20c0251fa25738d02

  • SHA1

    8fc82929941d67a20c76976e796feab701795c2f

  • SHA256

    18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

  • SHA512

    5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

  • SSDEEP

    24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\A26ED7DC21BC77F20C0251FA25738D02.exe
    "C:\Users\Admin\AppData\Local\Temp\A26ED7DC21BC77F20C0251FA25738D02.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:5028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4672
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0dRCDF2pfD.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3164
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2944
        • C:\Users\Admin\powershell.exe
          "C:\Users\Admin\powershell.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3484
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1740
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:540
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3888
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3120
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2452
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3688
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3268
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:372
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2932
          • C:\Users\Admin\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2344

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      8aa6fd9542b093d8796a8b5afd319fe2

      SHA1

      1aab967a5f9e5969ac6b714cf6d11279f5be7c63

      SHA256

      eefc16a449e111b8fdedbe1d670c088c56060cfe478e38dc6bdb33125806df81

      SHA512

      ddafd98cf8d012aa36b5b40250ea0ab9333449dceb4f01f7136161f28b70a21a9df014e100c878f4af8c044c68dda2e7bbd156e0b6873bed79d8b7220be551a8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\0dRCDF2pfD.bat
      Filesize

      157B

      MD5

      a73ea3c1a778d0b5c4a5a2de2f04e02c

      SHA1

      9c24c8c57177ad834fe57b0d062aeb6973c7cdae

      SHA256

      8e78ea200056927569aff1fbf6677c12427f9cadc7dc7bd5b355fe51fd9ea079

      SHA512

      bd0327c8975f58353a776ba42ff5ad256227bced58544016791920a05c0ee81dd9a4e8af96c91111b29752f5b7f298d9b2efacd90df185196a8c37bf5a6d80c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1an515b.vdl.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Default\powershell.exe
      Filesize

      2.5MB

      MD5

      a26ed7dc21bc77f20c0251fa25738d02

      SHA1

      8fc82929941d67a20c76976e796feab701795c2f

      SHA256

      18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

      SHA512

      5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

      Download Submit

    • memory/2160-230-0x000000001BE80000-0x000000001BEEB000-memory.dmp

      Filesize

      428KB

      Download

    • memory/2344-35-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-43-0x000000001BA00000-0x000000001BA0E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2344-13-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-15-0x000000001B8E0000-0x000000001B8F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2344-18-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-20-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-22-0x000000001B900000-0x000000001B90E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2344-17-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-23-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-25-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2344-26-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-28-0x000000001B9B0000-0x000000001B9BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2344-32-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2344-33-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-30-0x000000001B9E0000-0x000000001B9F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2344-0-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2344-37-0x000000001BA20000-0x000000001BA36000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2344-39-0x000000001BA40000-0x000000001BA52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2344-40-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-11-0x000000001B910000-0x000000001B960000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2344-45-0x000000001BA10000-0x000000001BA20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-41-0x000000001BF90000-0x000000001C4B8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2344-47-0x000000001BA60000-0x000000001BA70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-48-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-50-0x000000001BAD0000-0x000000001BB2A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/2344-52-0x000000001BA70000-0x000000001BA7E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2344-54-0x000000001BA80000-0x000000001BA90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-56-0x000000001BA90000-0x000000001BA9E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2344-58-0x000000001BB30000-0x000000001BB48000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2344-62-0x000000001BBA0000-0x000000001BBEE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2344-60-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2344-10-0x000000001B790000-0x000000001B7AC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2344-9-0x000000001B740000-0x000000001B75C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2344-1-0x00000000009E0000-0x0000000000C72000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/2344-120-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-7-0x000000001B6D0000-0x000000001B6DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2344-5-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-4-0x000000001B6F0000-0x000000001B716000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2344-2-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5028-95-0x0000021F3BDF0000-0x0000021F3BE12000-memory.dmp

      Filesize

      136KB

      Download