Overview

overview

10

Static

static

10

A26ED7DC21...02.exe

windows7-x64

10

A26ED7DC21...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    A26ED7DC21BC77F20C0251FA25738D02.exe

  • Size

    2.5MB

  • MD5

    a26ed7dc21bc77f20c0251fa25738d02

  • SHA1

    8fc82929941d67a20c76976e796feab701795c2f

  • SHA256

    18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

  • SHA512

    5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

  • SSDEEP

    24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 13 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\A26ED7DC21BC77F20C0251FA25738D02.exe
    "C:\Users\Admin\AppData\Local\Temp\A26ED7DC21BC77F20C0251FA25738D02.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVjdOBXCdz.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2116
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2136
        • C:\MSOCache\All Users\powershell.exe
          "C:\MSOCache\All Users\powershell.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1264
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2832
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2876
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2828
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2764
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2820
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2612
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2280
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1480
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2892
          • C:\MSOCache\All Users\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2768

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
      Filesize

      2.5MB

      MD5

      a26ed7dc21bc77f20c0251fa25738d02

      SHA1

      8fc82929941d67a20c76976e796feab701795c2f

      SHA256

      18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

      SHA512

      5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\oVjdOBXCdz.bat
      Filesize

      164B

      MD5

      bfd86c1c8511ece68740ff50c139c128

      SHA1

      a24170623358393fe6c765a70517069b21aea32c

      SHA256

      7640f7517cdb239fb08c12087f87ba48e97731682c8deff90d51d0d65c954cbd

      SHA512

      ec02e3cbe9a8d093319d966bdebaa9a042fb004455137c421e77f4488815d234bfd1b8f0315cceafa0a460cdb1405e3ea36b910ec2aa8b2b91c212f9452613ba

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      a122388fe7ddd3114ad6dd3115ee1ab9

      SHA1

      db38fd3e2fc27a582be50bc00ccc9cd4cde05825

      SHA256

      2615529fa5e0ec9641db9915553231c0e79c20e1a59f817ab4a8f7111dad4147

      SHA512

      7530619c1c14d1a6240b23f54089d6d0bbcdc73e8ef56a9b62b5e57c96cc5c466c03d7ad4462b967c172b9ffcf67f6638162c27d34a26f2d7f66e415594b7909

      Download Submit

    • memory/1264-137-0x0000000000C30000-0x0000000000EC2000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/1656-34-0x0000000000A50000-0x0000000000A66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1656-4-0x00000000006C0000-0x00000000006E6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1656-9-0x0000000000780000-0x000000000079C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1656-10-0x00000000006A0000-0x00000000006BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1656-12-0x00000000007F0000-0x0000000000800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-14-0x00000000009A0000-0x00000000009B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1656-16-0x0000000000980000-0x0000000000990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-17-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1656-19-0x0000000000990000-0x00000000009A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-21-0x00000000009C0000-0x00000000009CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1656-22-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1656-24-0x00000000009D0000-0x00000000009DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1656-26-0x00000000009E0000-0x00000000009EC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1656-41-0x0000000000A40000-0x0000000000A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-30-0x00000000009F0000-0x00000000009FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1656-32-0x0000000000A00000-0x0000000000A10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-0-0x000007FEF63C3000-0x000007FEF63C4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-36-0x00000000022A0000-0x00000000022B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1656-2-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1656-7-0x0000000000690000-0x000000000069E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1656-28-0x0000000000A10000-0x0000000000A22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1656-43-0x00000000022C0000-0x00000000022D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-44-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1656-46-0x0000000002330000-0x000000000238A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1656-48-0x00000000022D0000-0x00000000022DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1656-49-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1656-51-0x00000000022E0000-0x00000000022F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-53-0x00000000022F0000-0x00000000022FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1656-55-0x0000000002520000-0x0000000002538000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1656-57-0x0000000002300000-0x000000000230C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1656-59-0x000000001AE60000-0x000000001AEAE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/1656-60-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1656-5-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1656-39-0x0000000000A30000-0x0000000000A3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1656-1-0x00000000000A0000-0x0000000000332000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/1656-37-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1656-133-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1916-123-0x0000000001D20000-0x0000000001D28000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1916-103-0x000000001B7B0000-0x000000001BA92000-memory.dmp

      Filesize

      2.9MB

      Download