Overview

overview

10

Static

static

10

f08bab568e...d1.exe

windows7-x64

10

f08bab568e...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2025 03:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1.exe

  • Size

    2.2MB

  • MD5

    67f998093c11d8a104aef7a92a2d5b26

  • SHA1

    cea4392bfb620e2d5b303c7f39fe68a30080a771

  • SHA256

    f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1

  • SHA512

    e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92

  • SSDEEP

    49152:AsSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:ALlK6d3/Nh/bV/Oq3Dxp2RUG

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 20 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1.exe
    "C:\Users\Admin\AppData\Local\Temp\f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1928
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNL0dL8YnE.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1912
        • C:\Windows\es-ES\WmiPrvSE.exe
          "C:\Windows\es-ES\WmiPrvSE.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:624
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff24ee68-17d7-4902-8dd3-5422abdb9c11.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Windows\es-ES\WmiPrvSE.exe
              C:\Windows\es-ES\WmiPrvSE.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2804
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3386ffa4-5889-442f-8999-3d7e45c0b579.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2320
                • C:\Windows\es-ES\WmiPrvSE.exe
                  C:\Windows\es-ES\WmiPrvSE.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2964
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8175194c-83d9-4975-b7ba-c406c7c6b4f4.vbs"
                    8⤵
                      PID:1960
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e7d90a-b511-44e6-a4d3-8d15c936dcdb.vbs"
                      8⤵
                        PID:2148
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83e541ae-4677-424f-a5dd-614a02249a06.vbs"
                    6⤵
                      PID:1876
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7617842-653d-40e1-b844-882c64d03df3.vbs"
                  4⤵
                    PID:2524
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2396
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2892
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2852
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1908
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2580
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2608
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3064
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2884
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2076
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1964
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2844
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\audiodg.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1720
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\fr-FR\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2024
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1892
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1604
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1220
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1724

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\3386ffa4-5889-442f-8999-3d7e45c0b579.vbs
              Filesize

              705B

              MD5

              7cdce46924b4936319b6135da2ff02df

              SHA1

              96afd1e20863d9b182be10b736bd3d924f5b611a

              SHA256

              417c00eeabd31bc0af717e6b4533480461264bb76d0823994f4f979e28ae1051

              SHA512

              bf6eb6c290da0ac8e92031b413a11fcf33f09ae87910c28221e66f6105cecd3fa4d635fe0089100d24d63cfabdd26042386625d7a7d7360ef7151191a225c720

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\8175194c-83d9-4975-b7ba-c406c7c6b4f4.vbs
              Filesize

              705B

              MD5

              e78b958cc1a6f3c5c83c54ce3e0f797c

              SHA1

              ca52db585418f0813034e03c58a086bbbfcd5bf7

              SHA256

              efc36083cc1ed7e49eecb80ccece75525311282f2b009c8f5ff8f5d401920e40

              SHA512

              7b7f1b5033fe7cb60741f49e08ef75f36977e9f3f1562b4735fe8656cd740b3d9fcd3b484195ab928f1d84964bbc8edc820d290d7de9a37f61bbf2ed2e80eb71

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\e7617842-653d-40e1-b844-882c64d03df3.vbs
              Filesize

              481B

              MD5

              58d3684cf7bb9142bcade7b2d21aca30

              SHA1

              1b9c7ffb9aa7bd01ee9e455f6658475eb5c6b97f

              SHA256

              cfddebefaf1501b299d8cb0d4907f6a7144d6f275ef12750ef9122442e288aed

              SHA512

              4e802ab417b6bdc80f9c02676850811058ff146d7f80dae3f8e9baaff800005fe1834ffe3eabc8af187e22737fef1f68631cf02cdfe1a04597d9d74fffaf5485

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\ff24ee68-17d7-4902-8dd3-5422abdb9c11.vbs
              Filesize

              704B

              MD5

              6ec468829da35b952d3169c0ade3a8fa

              SHA1

              63ba4ed42f0e732eb0618eb67a9d74cbecd0897f

              SHA256

              340ede3cf3dd1ebbf0c4e166c72d894df52dff583c5707b27c2258b9ce1b4c3b

              SHA512

              588fe95f1c0eac5da4cd7c8f2421e74b8f60d801f44d5910f558a78835cce006452c1aec2a9742d304e5a872f9928a44dfce3a18ad4577bf7208c540ced0095c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\wNL0dL8YnE.bat
              Filesize

              194B

              MD5

              704de5522b9d4e65fad093e7d233ad9b

              SHA1

              972244a80bf974f4c85c311d754a9fa3f7ea09e2

              SHA256

              39bd028eb0d75ced67147a8535e96f91dec95bfb3c41f6f2d5bb38221b98d0db

              SHA512

              f579f78138baaa91506dc91283e0a3197c76c49a30790cace2175747a48f7d02d2a427111a804fbca94c6e353dd8cbe7fa8c305e9a1900be16a2688f70ec4c69

              Download Submit

            • C:\Windows\AppCompat\Programs\RCXDEEF.tmp
              Filesize

              2.2MB

              MD5

              70f35d04041d9c029d59586fc6aa3819

              SHA1

              a9f37462584d22bad8909ffc1c047cdfee84f049

              SHA256

              517ef97c6f4481e5d6eac2ebd79fbbfe34c9dbe59a0f775c0c2a3e3b942aaae6

              SHA512

              1739c6ce05e4fbee9d2829a95b3ca910b28a0f853d2a6e11e779fae7b419c46b7fd22641f28c2b91b826dd3905e478a23fa1e55c31665adea3f6a042d7078f53

              Download Submit

            • C:\Windows\fr-FR\audiodg.exe
              Filesize

              2.2MB

              MD5

              67f998093c11d8a104aef7a92a2d5b26

              SHA1

              cea4392bfb620e2d5b303c7f39fe68a30080a771

              SHA256

              f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1

              SHA512

              e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92

              Download Submit

            • memory/624-128-0x0000000000220000-0x000000000044E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/1928-10-0x0000000000570000-0x0000000000578000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1928-26-0x0000000000920000-0x000000000092C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1928-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1928-11-0x0000000000620000-0x0000000000630000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1928-12-0x0000000000600000-0x000000000060A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1928-13-0x0000000000610000-0x000000000061C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1928-14-0x0000000000630000-0x0000000000638000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1928-15-0x0000000000640000-0x000000000064C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1928-16-0x0000000000650000-0x0000000000658000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1928-18-0x0000000000660000-0x0000000000672000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1928-19-0x0000000000690000-0x000000000069C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1928-20-0x00000000006B0000-0x00000000006BC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1928-21-0x00000000006C0000-0x00000000006CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1928-22-0x00000000006D0000-0x00000000006DA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1928-23-0x00000000006E0000-0x00000000006EE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1928-25-0x0000000000910000-0x000000000091E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1928-24-0x0000000000900000-0x0000000000908000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1928-9-0x0000000000560000-0x000000000056C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1928-27-0x0000000000930000-0x0000000000938000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1928-29-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1928-28-0x0000000000940000-0x000000000094C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1928-8-0x0000000000540000-0x0000000000556000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1928-6-0x0000000000520000-0x0000000000528000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1928-124-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1928-7-0x0000000000530000-0x0000000000540000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1928-5-0x0000000000500000-0x000000000051C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-4-0x00000000004F0000-0x00000000004FE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1928-3-0x00000000004E0000-0x00000000004EE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1928-1-0x00000000002B0000-0x00000000004DE000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/1928-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2804-140-0x0000000002200000-0x0000000002212000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2804-139-0x0000000000B40000-0x0000000000D6E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/2964-152-0x0000000000330000-0x000000000055E000-memory.dmp

              Filesize

              2.2MB

              Download