Overview

overview

10

Static

static

10

812ac1ea0b...be.exe

windows7-x64

10

812ac1ea0b...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2025 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    812ac1ea0b1d66a93d0beca70cc28cbe.exe

  • Size

    2.2MB

  • MD5

    812ac1ea0b1d66a93d0beca70cc28cbe

  • SHA1

    c5cff3dc9a2503521de74a7d4cda2f678f5bb575

  • SHA256

    74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3

  • SHA512

    01acc3b99130f0d263917e4e362caf25841b21e3a9a82ce40004db96239ebcc8762a57ebad020ed704213596a100d060475cd9fd61c5bd4df9a35ff14d4cc6f6

  • SSDEEP

    49152:K31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:KltZUE6NDyTo9lv2F+VvK6

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\812ac1ea0b1d66a93d0beca70cc28cbe.exe
    "C:\Users\Admin\AppData\Local\Temp\812ac1ea0b1d66a93d0beca70cc28cbe.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4588
    • C:\Windows\uk-UA\fontdrvhost.exe
      "C:\Windows\uk-UA\fontdrvhost.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2016
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e99227f-c961-4d69-a869-825873a40ca8.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3796
        • C:\Windows\uk-UA\fontdrvhost.exe
          C:\Windows\uk-UA\fontdrvhost.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2628
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35ef0f11-5b4b-491e-a57c-2bbfd4889167.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4768
            • C:\Windows\uk-UA\fontdrvhost.exe
              C:\Windows\uk-UA\fontdrvhost.exe
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2216
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d80f3d5-ea95-4d12-8730-ce4990ad95f7.vbs"
                7⤵
                  PID:3992
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac8980b2-5b7c-40de-8b30-c406d8baf605.vbs"
                  7⤵
                    PID:3020
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0b64b6f-6dc0-4cdc-a9d8-967ca6190d43.vbs"
                5⤵
                  PID:4268
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\baf250cf-c7fc-4e9e-a937-405e13e402e3.vbs"
              3⤵
                PID:1400
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2364
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4048
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2876
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4424
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\System\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\PLA\System\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\System\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4144

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Recovery\WindowsRE\TextInputHost.exe
            Filesize

            2.2MB

            MD5

            7a7647742765547a92b6ae5ce5c0e21a

            SHA1

            777c478b9cf8f9a7e1e3b90647bb9a774bd337b7

            SHA256

            c0016928b39c45655a7448e32222f5093be0dc18d94bfb3db63b5454e6ed9370

            SHA512

            ac9d162183a37799e4ca32f0f54ffe59debf4a927481e337b07d0bb9c6cefd716bdb7df88fa239608a26693f10be975a737ce1cd0cdd2b0bae7167a9606443e1

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
            Filesize

            1KB

            MD5

            49b64127208271d8f797256057d0b006

            SHA1

            b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

            SHA256

            2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

            SHA512

            f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\35ef0f11-5b4b-491e-a57c-2bbfd4889167.vbs
            Filesize

            708B

            MD5

            db913d3434cf04ca0aa7cfa49aeb21b0

            SHA1

            fb2d4c69334be14b8e80a15a88e591db79608613

            SHA256

            6de03c295ce63b2d6407f1a9f17cb31559514c37459b7bdf47656782f7d13eb7

            SHA512

            f72794cde44fa1e30a8a9c09b5bd5cee8eed841010c3b73c48a24095935a23aacf2aa89b706ccef93e821fa7c2a6a3de0aabdbba53fc45757b43634ff79eb298

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\5e99227f-c961-4d69-a869-825873a40ca8.vbs
            Filesize

            708B

            MD5

            fe0b25219bef68e136622a31523c8d64

            SHA1

            1edb4ce3d171f6b4cb75949ca9329b29e33edbad

            SHA256

            3fc86be61a010be0df7e72970c60574d2b91c7e3285242d709699343cc65a51c

            SHA512

            a56d1553da834b8b9fe5608ed915ad393e56e0f3bae4cc4082850a0e82305f0069cdeab0119d670582c582ec07bfdd5309acbc6412c7e38928b4d412e3e48489

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7d80f3d5-ea95-4d12-8730-ce4990ad95f7.vbs
            Filesize

            708B

            MD5

            b5250ebaec5697547ddfad5f480183c9

            SHA1

            4a67055a803234085eb6513ba6b4a48b4b5b2b64

            SHA256

            5880fc4f9eda931fdfdd399f8fc133171658180da836f45de4b9f48e2afc8011

            SHA512

            f2c49d8b751d872926f12e2ca43a8017d7143af62122db079f8e963201294bd352e628e00d40509928c3010441eebadc1ff7e0b709ff17daff160b6a5d1e341e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RCX9AAB.tmp
            Filesize

            2.2MB

            MD5

            812ac1ea0b1d66a93d0beca70cc28cbe

            SHA1

            c5cff3dc9a2503521de74a7d4cda2f678f5bb575

            SHA256

            74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3

            SHA512

            01acc3b99130f0d263917e4e362caf25841b21e3a9a82ce40004db96239ebcc8762a57ebad020ed704213596a100d060475cd9fd61c5bd4df9a35ff14d4cc6f6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\baf250cf-c7fc-4e9e-a937-405e13e402e3.vbs
            Filesize

            484B

            MD5

            1cea5e552830473c825a226383ddcf13

            SHA1

            c4eb2d9cf765f1d6607b8cc3f505cfd61050bb8a

            SHA256

            a707901917408845ccb4d1d88bb359be1338325160318137d00eea5d2c753643

            SHA512

            4107996f3eb9a1a10fda912db34d11e51c83559c020b0ca6549131720d6521864e205147fd25e42006d9f6f3f34c144184f68287cca782d378ac0c30fd5dde81

            Download Submit

          • C:\Windows\PLA\System\StartMenuExperienceHost.exe
            Filesize

            2.2MB

            MD5

            cb66cc876fc3ab2718d66c93e8d5ccf6

            SHA1

            388e374d3c2398f69b422e7b0328a36804455197

            SHA256

            1dccd7cf88ebda5e103e54e34d4e4682c936d14de15506bc789c21c1116f99c7

            SHA512

            d387576f088b42890919df9aba7ad5b2d266d1f6e1c26a5f6df8c6c8eb751088a80c483d51c68a15a1f51f299adfc3a4256d3c73e0053a7dbdb0c0f163534ad6

            Download Submit

          • memory/4588-21-0x000000001C260000-0x000000001C26C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4588-31-0x000000001C530000-0x000000001C53C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4588-11-0x000000001C170000-0x000000001C178000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4588-6-0x000000001C1A0000-0x000000001C1F0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4588-12-0x000000001C180000-0x000000001C190000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4588-13-0x000000001C190000-0x000000001C19A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4588-14-0x000000001C1F0000-0x000000001C1FC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4588-15-0x000000001C200000-0x000000001C208000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4588-16-0x000000001C210000-0x000000001C21C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4588-17-0x000000001C220000-0x000000001C228000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4588-19-0x000000001C230000-0x000000001C242000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4588-20-0x000000001C790000-0x000000001CCB8000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/4588-0-0x00007FFEB3DF3000-0x00007FFEB3DF5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4588-22-0x000000001C270000-0x000000001C27C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4588-23-0x000000001C280000-0x000000001C28C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4588-28-0x000000001C4D0000-0x000000001C4DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4588-30-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4588-7-0x000000001BB00000-0x000000001BB08000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4588-29-0x000000001C520000-0x000000001C528000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4588-34-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4588-27-0x000000001C4C0000-0x000000001C4CE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4588-26-0x000000001C3B0000-0x000000001C3B8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4588-25-0x000000001C3A0000-0x000000001C3AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4588-24-0x000000001C390000-0x000000001C39A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4588-10-0x000000001BB30000-0x000000001BB3C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4588-9-0x000000001C150000-0x000000001C166000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4588-8-0x000000001BB10000-0x000000001BB20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4588-137-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4588-5-0x000000001BAE0000-0x000000001BAFC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4588-4-0x000000001BAD0000-0x000000001BADE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4588-3-0x00000000030A0000-0x00000000030AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4588-2-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4588-1-0x0000000000CA0000-0x0000000000ECE000-memory.dmp

            Filesize

            2.2MB

            Download