Overview

overview

10

Static

static

10

4d9be74be0...b3.exe

windows7-x64

10

4d9be74be0...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 20:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d9be74be06728c10b25ef019f7ff0b3.exe

  • Size

    2.7MB

  • MD5

    4d9be74be06728c10b25ef019f7ff0b3

  • SHA1

    10c41cfa6c5dbec839759e9fd6971e57311ea76a

  • SHA256

    f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

  • SHA512

    5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f

  • SSDEEP

    49152:VRx6mfxiUnp3jfmEXD9KxZU9IaK3clnUezzuuLjaO7e:b40VJ5XQxZUyrctHNyse

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d9be74be06728c10b25ef019f7ff0b3.exe
    "C:\Users\Admin\AppData\Local\Temp\4d9be74be06728c10b25ef019f7ff0b3.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4412
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQ25hERLBD.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4532
        • C:\Users\Public\Documents\My Pictures\winlogon.exe
          "C:\Users\Public\Documents\My Pictures\winlogon.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:4000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:312

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Windows Portable Devices\dwm.exe
      Filesize

      2.7MB

      MD5

      4d9be74be06728c10b25ef019f7ff0b3

      SHA1

      10c41cfa6c5dbec839759e9fd6971e57311ea76a

      SHA256

      f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

      SHA512

      5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\yQ25hERLBD.bat
      Filesize

      215B

      MD5

      20ce905a7149fc7bc67faaa37de837e8

      SHA1

      41de1d454068df42cdcc024440f31f9fac30ccc4

      SHA256

      2c7ce2b51973c21f1ff0767fb02f6287cda1e635724ed0dc5302f7bc42a061dd

      SHA512

      d954afd8a10d80176383ae012a56c3a5af7a0ae862543db59fb3e5726e257891390d0469623199faa7e24476aa0a668daacca1b65b4f4603ebd255b681e53916

      Download Submit

    • memory/4412-12-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4412-1-0x0000000000A60000-0x0000000000D14000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4412-0-0x00007FFB89CE3000-0x00007FFB89CE5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4412-6-0x0000000002E40000-0x0000000002E48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4412-9-0x000000001B990000-0x000000001B998000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4412-10-0x000000001B9A0000-0x000000001B9AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4412-8-0x000000001B970000-0x000000001B986000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4412-7-0x0000000002F80000-0x0000000002F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4412-11-0x000000001C050000-0x000000001C0A6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4412-15-0x000000001C0A0000-0x000000001C0A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4412-4-0x0000000002F60000-0x0000000002F7C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4412-3-0x0000000002E20000-0x0000000002E2E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4412-5-0x000000001C000000-0x000000001C050000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4412-16-0x000000001C0B0000-0x000000001C0B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4412-17-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4412-14-0x000000001C5D0000-0x000000001CAF8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4412-18-0x000000001C0D0000-0x000000001C0DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4412-19-0x000000001C0E0000-0x000000001C0EC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4412-20-0x000000001C0F0000-0x000000001C0FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4412-21-0x000000001C100000-0x000000001C10C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4412-2-0x00007FFB89CE0000-0x00007FFB8A7A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4412-99-0x00007FFB89CE0000-0x00007FFB8A7A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4412-13-0x000000001B9C0000-0x000000001B9D2000-memory.dmp

      Filesize

      72KB

      Download