Analysis

  • max time kernel
    96s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23-12-2024 00:59

General

  • Target

    92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310.exe

  • Size

    952KB

  • MD5

    acab32b0f304cd037ac7255786b4bb02

  • SHA1

    345fee6d21b2a5f66d159c1ead3b859089a0dc6f

  • SHA256

    92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310

  • SHA512

    8fbdfed630d54e2590ea2f279d6beb2eda7cb20861fc587e61995f40ce272336c9bdf1a609da215679b0322c6b046399bb98a318e7647c1429721122ed4c0daa

  • SSDEEP

    24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:Z8/KfRTK

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 15 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310.exe
    "C:\Users\Admin\AppData\Local\Temp\92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4692
    • C:\Windows\System32\appidcertstorecheck\sihost.exe
      "C:\Windows\System32\appidcertstorecheck\sihost.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\WSClient\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\appidcertstorecheck\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\VBICodec\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\winlogon.exe

    Filesize

    952KB

    MD5

    5ceb5e2d7127fc25895d7224c5e457c5

    SHA1

    2b80d426ad82524d9c469062cad7080198f2539b

    SHA256

    0d8b42400c18c6bb68f5652d7f66202b25e9aa5b16860610568d1ff18e88fd71

    SHA512

    d710ba195b7f394cdeb67128343963fbadf104a31fd13729fcc253e1cb07a18e2a751c7e698bfe8206b9c8e8feaa4a056e5dc1aeb380855a236546b8557e96e3

  • C:\Windows\System32\VBICodec\dllhost.exe

    Filesize

    952KB

    MD5

    acab32b0f304cd037ac7255786b4bb02

    SHA1

    345fee6d21b2a5f66d159c1ead3b859089a0dc6f

    SHA256

    92d7397217e43be9580e67e5d5568a5252966eea16dd213cae536b8b291c0310

    SHA512

    8fbdfed630d54e2590ea2f279d6beb2eda7cb20861fc587e61995f40ce272336c9bdf1a609da215679b0322c6b046399bb98a318e7647c1429721122ed4c0daa

  • C:\Windows\System32\appidcertstorecheck\sihost.exe

    Filesize

    952KB

    MD5

    6edf5136f74deb09e3851fb9a5fb6858

    SHA1

    ed82051e6366099d979a4edacd5e6e02526db303

    SHA256

    7a5c092b3353af39f620c029b41aad3cf6001f0cb6b4ef9cd8c58dbc96951df9

    SHA512

    d106afd1fa296f14605a845d61ea948cb7f497d8e7ba21b03ce198ecb8573b32f98eb8299023c68bd80536ed5094088c11a37226e97cbd73ec43d5920f514ce7

  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\TextInputHost.exe

    Filesize

    952KB

    MD5

    0ce7024976aeb059000c4236fece384f

    SHA1

    aab64a2a250289205d7b731912b1a585c09815b9

    SHA256

    5f64ce5027e8a17ab18a74b19658f8364482571208009f091eb7d08d14b2cec0

    SHA512

    c40eefd64c2bef33d461b0f0bba0f9bb40aa5f6e2a615fa056388645d8078581d64f4c5b08005271d6198e73f7c80dd248f5e171b34f0d179037771929f6799b

  • memory/3960-138-0x0000000000270000-0x0000000000364000-memory.dmp

    Filesize

    976KB

  • memory/4692-4-0x0000000002A10000-0x0000000002A20000-memory.dmp

    Filesize

    64KB

  • memory/4692-6-0x0000000001250000-0x000000000125C000-memory.dmp

    Filesize

    48KB

  • memory/4692-7-0x0000000002A40000-0x0000000002A4A000-memory.dmp

    Filesize

    40KB

  • memory/4692-8-0x0000000002A30000-0x0000000002A38000-memory.dmp

    Filesize

    32KB

  • memory/4692-10-0x0000000002A60000-0x0000000002A6C000-memory.dmp

    Filesize

    48KB

  • memory/4692-11-0x0000000002A90000-0x0000000002A9C000-memory.dmp

    Filesize

    48KB

  • memory/4692-9-0x0000000002A50000-0x0000000002A5A000-memory.dmp

    Filesize

    40KB

  • memory/4692-5-0x0000000001230000-0x000000000123A000-memory.dmp

    Filesize

    40KB

  • memory/4692-0-0x00007FFD55DD3000-0x00007FFD55DD5000-memory.dmp

    Filesize

    8KB

  • memory/4692-3-0x0000000001220000-0x0000000001230000-memory.dmp

    Filesize

    64KB

  • memory/4692-2-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

    Filesize

    10.8MB

  • memory/4692-137-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

    Filesize

    10.8MB

  • memory/4692-1-0x0000000000880000-0x0000000000974000-memory.dmp

    Filesize

    976KB