Overview

overview

10

Static

static

10

92d7397217...10.exe

windows7-x64

10

92d7397217...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 00:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310.exe

  • Size

    952KB

  • MD5

    acab32b0f304cd037ac7255786b4bb02

  • SHA1

    345fee6d21b2a5f66d159c1ead3b859089a0dc6f

  • SHA256

    92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310

  • SHA512

    8fbdfed630d54e2590ea2f279d6beb2eda7cb20861fc587e61995f40ce272336c9bdf1a609da215679b0322c6b046399bb98a318e7647c1429721122ed4c0daa

  • SSDEEP

    24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:Z8/KfRTK

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310.exe
    "C:\Users\Admin\AppData\Local\Temp\92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2380
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7j1bNpHsSg.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:444
        • C:\Windows\System32\DXPTaskRingtone\sppsvc.exe
          "C:\Windows\System32\DXPTaskRingtone\sppsvc.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\mmres\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_20105\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\DXPTaskRingtone\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2648

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7j1bNpHsSg.bat
      Filesize

      210B

      MD5

      4e7affd475b47df38ed8fa04bbe6a70f

      SHA1

      29ffb4d12e14e3e9ff7f7bc06a7f914c4951b2cc

      SHA256

      24fd05487ee27a62f3ba5e7a90a641f171a84f00ed294b28b06c7b9b816c0b86

      SHA512

      a96df4560b2c340065bcc07ffe6caf9c7dba475ae6f2578cfc34912c72821084759dd6ae7ba03d24980e3f8929834bebd4bb906ff286d26a57079b051672443d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RCX1269.tmp
      Filesize

      952KB

      MD5

      acab32b0f304cd037ac7255786b4bb02

      SHA1

      345fee6d21b2a5f66d159c1ead3b859089a0dc6f

      SHA256

      92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310

      SHA512

      8fbdfed630d54e2590ea2f279d6beb2eda7cb20861fc587e61995f40ce272336c9bdf1a609da215679b0322c6b046399bb98a318e7647c1429721122ed4c0daa

      Download Submit

    • C:\Users\Public\Desktop\dwm.exe
      Filesize

      952KB

      MD5

      0ab9800b771764b232fa64350d528efd

      SHA1

      92020b08eaddbcded8d52db911c3581a35fdadcc

      SHA256

      87327588fe6ea420ef5f8ff20b0e2641d94b90e5cae6c02fde448919219f5814

      SHA512

      cd0ac5ddb6dfc9f43c8600bdb2111414ea90709057540756e682438ec473aa29f4eaa1ca90504f4c6fb23e154f99f729ddabe9df613ae54ca3e01961fdd17aac

      Download Submit

    • memory/1700-79-0x0000000000A90000-0x0000000000B84000-memory.dmp

      Filesize

      976KB

      Download

    • memory/2380-4-0x0000000000170000-0x0000000000180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2380-5-0x00000000001A0000-0x00000000001AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2380-6-0x0000000000160000-0x000000000016C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2380-7-0x0000000000180000-0x000000000018A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2380-8-0x0000000000650000-0x0000000000658000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2380-10-0x00000000001B0000-0x00000000001BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2380-9-0x0000000000190000-0x000000000019A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2380-11-0x00000000003D0000-0x00000000003DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2380-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2380-3-0x0000000000150000-0x0000000000160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2380-75-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2380-2-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2380-1-0x0000000000FF0000-0x00000000010E4000-memory.dmp

      Filesize

      976KB

      Download