Overview

overview

10

Static

static

10

25fac6b0d6...a7.exe

windows7-x64

10

25fac6b0d6...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 01:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe

  • Size

    3.2MB

  • MD5

    8c1a813f52ed5c9f746cc2baea9b421c

  • SHA1

    923f06dd79705fe0957b6efa9b47f8a726e80b08

  • SHA256

    25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7

  • SHA512

    b524b7766912011f5ff17bf8b7b4b96abed8a77b113a27eb4ef9ba2fa840946b5443e68204e1e2e45ed9a78c2c681ad12c5a1324bcafee63d297f8dfe8cddb57

  • SSDEEP

    49152:oD+WhPI+P05YhHbpHP1qcdhymFKN/1cCLKtrp8qotx/8jwwpO5:k+WhPIq0iHPEA1W/19LGrBoP9wpO5

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
    "C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\Idle.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\DigitalLocker\en-US\explorer.exe
      "C:\Windows\DigitalLocker\en-US\explorer.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3176
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\801acbde-3428-40be-82cf-b01c67b07248.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\DigitalLocker\en-US\explorer.exe
          C:\Windows\DigitalLocker\en-US\explorer.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2492
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48c70e5b-91e9-4b7e-9fee-74b5ba4415a5.vbs"
        3⤵
          PID:2764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4412

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Windows Sidebar\Gadgets\Registry.exe
      Filesize

      3.2MB

      MD5

      d6b05247339898ab73d1ae454f32e882

      SHA1

      a2d2d1b940cc9df0c01ca56a7ac415f5570d4fc7

      SHA256

      97861d6b89babc77332a309d39a50b9736d199d9299be97fc9cd5f4fac8abf2c

      SHA512

      c86d617017b71cacf812b6006c7aa3ef29ee53b5a55a38e9b4596be7e571e59d9d2a24a1d357e92b22842aa8390feca94117e217435e03cd496f69e1a153eaf3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log
      Filesize

      1KB

      MD5

      4a667f150a4d1d02f53a9f24d89d53d1

      SHA1

      306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

      SHA256

      414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

      SHA512

      4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      76c53f98e963e1f0b5c5b44205853d00

      SHA1

      20e8a24ed1f0f7829835e9ca7d90bcffa010638d

      SHA256

      496a302089774f9d3b24b2a1f408e100349fabdba063525683e900402779509b

      SHA512

      951740ab7adda707b9a25cc45e827a9b4059c5532a26110424771dd29b0a78c07254edd0c41a180f33e3aba37323cebc70b6bc8528f5010569c2fea083ef73d1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      cadef9abd087803c630df65264a6c81c

      SHA1

      babbf3636c347c8727c35f3eef2ee643dbcc4bd2

      SHA256

      cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

      SHA512

      7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\48c70e5b-91e9-4b7e-9fee-74b5ba4415a5.vbs
      Filesize

      495B

      MD5

      15a7fcb7f0d5fa1a379f6b55aaede307

      SHA1

      84c048fdc6a16c86571f4746854d5316dada8e9f

      SHA256

      c10b519da8f59cdecf361464f246c89a4c467215b46ac03aa84db0ae58a6b4eb

      SHA512

      802692efa8498f5f69971a9b36499874e7530454e4b19a695daf3b7046343069757a7b0cc3205533c6d5e911d037b025792aa6f9c7cc63ca42b430997a8596ec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\801acbde-3428-40be-82cf-b01c67b07248.vbs
      Filesize

      719B

      MD5

      06bac8a17a8b6d9b264ea204de539a07

      SHA1

      5fe57e3d9a95d86610cb9003f0e5ca74e47598db

      SHA256

      bd2b5b1e3e7773190fa9a5a8ea514beed08d9ab929609eba7c5d291a2a085181

      SHA512

      a0e95a69995350106b46f398f93f676f765a043ba170accfc235caa3aa2152ea7b79b799c53000fbdf105be4c705c5e1f8c1af46888b1d2e21159c202b6ba00d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RCX9607.tmp
      Filesize

      3.2MB

      MD5

      a665e22aa25b2f62c5524fc10feb2820

      SHA1

      0f8f6aa96b425633eb11f84aece99ef2f9d67b9e

      SHA256

      d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0b

      SHA512

      cbc565fb6b584d5b9720c6bfbebeaf71d4884ea41033fd26cba78a6b3544b39e83e0a5b011c901bbd56f9d509735a0830d18036ef677c43abf6b94eec03cc381

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2cyildi.jyo.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\DigitalLocker\en-US\explorer.exe
      Filesize

      3.2MB

      MD5

      8c1a813f52ed5c9f746cc2baea9b421c

      SHA1

      923f06dd79705fe0957b6efa9b47f8a726e80b08

      SHA256

      25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7

      SHA512

      b524b7766912011f5ff17bf8b7b4b96abed8a77b113a27eb4ef9ba2fa840946b5443e68204e1e2e45ed9a78c2c681ad12c5a1324bcafee63d297f8dfe8cddb57

      Download Submit

    • memory/1488-25-0x000000001C1A0000-0x000000001C1A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-28-0x000000001C310000-0x000000001C31E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1488-13-0x000000001BFA0000-0x000000001BFF6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1488-14-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-15-0x000000001C000000-0x000000001C00C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-18-0x000000001C020000-0x000000001C032000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1488-16-0x000000001C010000-0x000000001C018000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-19-0x000000001C580000-0x000000001CAA8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1488-20-0x000000001C050000-0x000000001C05C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-21-0x000000001C060000-0x000000001C06C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-23-0x000000001C080000-0x000000001C08C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-22-0x000000001C070000-0x000000001C078000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-24-0x000000001C090000-0x000000001C09C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-0-0x00007FF8A8573000-0x00007FF8A8575000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1488-32-0x000000001C350000-0x000000001C35C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-31-0x000000001C340000-0x000000001C348000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-26-0x000000001C1B0000-0x000000001C1BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-30-0x000000001C330000-0x000000001C33E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1488-29-0x000000001C320000-0x000000001C328000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-12-0x000000001BF90000-0x000000001BF9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1488-27-0x000000001C1C0000-0x000000001C1CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1488-34-0x000000001C360000-0x000000001C368000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-33-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1488-37-0x000000001C380000-0x000000001C38C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-36-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1488-35-0x000000001C370000-0x000000001C37A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1488-11-0x000000001BF80000-0x000000001BF90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-10-0x000000001B910000-0x000000001B918000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-8-0x000000001B8E0000-0x000000001B8F6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1488-1-0x0000000000950000-0x0000000000C84000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/1488-9-0x000000001B900000-0x000000001B908000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-182-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1488-6-0x0000000002F80000-0x0000000002F88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1488-7-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-5-0x000000001BF30000-0x000000001BF80000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1488-4-0x000000001B8B0000-0x000000001B8CC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1488-3-0x0000000002E00000-0x0000000002E0E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1488-2-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1932-141-0x000001A1B2810000-0x000001A1B2832000-memory.dmp

      Filesize

      136KB

      Download