Overview

overview

10

Static

static

10

02d4afb627...d9.exe

windows7-x64

10

02d4afb627...d9.exe

windows10-2004-x64

10

02d4afb627...d9.exe

android-9-x86

02d4afb627...d9.exe

android-10-x64

02d4afb627...d9.exe

android-11-x64

02d4afb627...d9.exe

macos-10.15-amd64

02d4afb627...d9.exe

ubuntu-18.04-amd64

02d4afb627...d9.exe

debian-9-armhf

02d4afb627...d9.exe

debian-9-mips

02d4afb627...d9.exe

debian-9-mipsel

Resubmissions

13-01-2025 05:27

250113-f5r2gazrfk 10

12-01-2025 20:06

250112-yvdp7sxlby 10

Analysis

  • max time kernel
    900s
  • max time network
    732s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 05:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02d4afb627db486201d4700854e390d9.exe

  • Size

    2.3MB

  • MD5

    02d4afb627db486201d4700854e390d9

  • SHA1

    f63533f82c2a434f9104ccc9beee3216796aeb14

  • SHA256

    46cf8f5e46c3dbdd32c5f300f6fd395a7f12c0ec611de9e518bf7312f187590c

  • SHA512

    0ccaa408f5e1e3481b413ab07dea2b77540e500097a7ab194f6052161517b2c29214d680e7731b9a39a300edf3b88a3b564f85c8008386099474e82c028109fc

  • SSDEEP

    49152:uAHOUI3tHsLi/P025up1V40tz/i4Eq/qo8ychEcMPbVxFAK6E00:uIQ3L/zULV/qWch7MPxxFh6E0

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\02d4afb627db486201d4700854e390d9.exe
    C:\Users\Admin\AppData\Local\Temp\02d4afb627db486201d4700854e390d9.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XjeaX12neu.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1528
        • C:\Program Files\Common Files\Services\SearchApp.exe
          "C:\Program Files\Common Files\Services\SearchApp.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1460
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2196
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:428
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3416
    • C:\Program Files\Microsoft Office 15\ClientX64\services.exe
      "C:\Program Files\Microsoft Office 15\ClientX64\services.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Users\Admin\Templates\System.exe
      C:\Users\Admin\Templates\System.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\Users\Default User\dllhost.exe
      "C:\Users\Default User\dllhost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:920
    • C:\Windows\BitLockerDiscoveryVolumeContents\Idle.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\Idle.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:856
    • C:\Program Files\Common Files\Services\SearchApp.exe
      "C:\Program Files\Common Files\Services\SearchApp.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3356
    • C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe
      C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3684
    • C:\Program Files\Microsoft Office 15\ClientX64\services.exe
      "C:\Program Files\Microsoft Office 15\ClientX64\services.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4960
    • C:\Users\Admin\Templates\System.exe
      C:\Users\Admin\Templates\System.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:608
    • C:\Users\Default User\dllhost.exe
      "C:\Users\Default User\dllhost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4468
    • C:\Users\All Users\Documents\lsass.exe
      "C:\Users\All Users\Documents\lsass.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4000
    • C:\Windows\BitLockerDiscoveryVolumeContents\Idle.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\Idle.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4164
    • C:\Program Files\Microsoft Office 15\ClientX64\services.exe
      "C:\Program Files\Microsoft Office 15\ClientX64\services.exe"
      1⤵
      • Executes dropped EXE
      PID:2040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office 15\ClientX64\services.exe
      Filesize

      1.1MB

      MD5

      6d453dc456db115540dd32d5b2eb9648

      SHA1

      0ec791fa853e6063b862bb8ee2f7de83301c479e

      SHA256

      31c67c27a642a5f2ac99b57ee9856cf8a545926a48df26ad969128e42efac351

      SHA512

      516f1c749124567e8c2b277ef462f9f8ac4a17b5ff422e62799f9f70c688cb60211d9f2d57b32440f2f9a7583efa79a3d6c3c19091e740ca4553449d50f7b2f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log
      Filesize

      1KB

      MD5

      4a667f150a4d1d02f53a9f24d89d53d1

      SHA1

      306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

      SHA256

      414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

      SHA512

      4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log
      Filesize

      1KB

      MD5

      baf55b95da4a601229647f25dad12878

      SHA1

      abc16954ebfd213733c4493fc1910164d825cac8

      SHA256

      ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

      SHA512

      24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XjeaX12neu.bat
      Filesize

      217B

      MD5

      4b9ab327adb43b9f5295fd7a5f0deea3

      SHA1

      84199900089d11f466497d38e56cbed686be9d7b

      SHA256

      5bace290d53b5d40244d900bafce3ae08c68d34d7f5225532b1da5cc5b20952c

      SHA512

      1133f986d803db218587a0333e3f9c211782c1033a287382faddf9cd2f867c392b727caecc0104d0816b464da62789fd96f241d1a84284cf0aef4679f30a07b6

      Download Submit

    • C:\Users\Default\dllhost.exe
      Filesize

      2.3MB

      MD5

      02d4afb627db486201d4700854e390d9

      SHA1

      f63533f82c2a434f9104ccc9beee3216796aeb14

      SHA256

      46cf8f5e46c3dbdd32c5f300f6fd395a7f12c0ec611de9e518bf7312f187590c

      SHA512

      0ccaa408f5e1e3481b413ab07dea2b77540e500097a7ab194f6052161517b2c29214d680e7731b9a39a300edf3b88a3b564f85c8008386099474e82c028109fc

      Download Submit

    • memory/856-49-0x0000000001350000-0x0000000001362000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1624-43-0x000000001D2A0000-0x000000001D2B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3284-34-0x000000001BF00000-0x000000001BF56000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3284-35-0x000000001BDE0000-0x000000001BDF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4164-68-0x00000000030A0000-0x00000000030F6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4960-62-0x000000001ADF0000-0x000000001AE02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5004-5-0x0000000002A90000-0x0000000002AA6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/5004-6-0x000000001B9B0000-0x000000001BA06000-memory.dmp

      Filesize

      344KB

      Download

    • memory/5004-29-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5004-7-0x00000000010E0000-0x00000000010F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5004-0-0x00007FF814CB3000-0x00007FF814CB5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5004-4-0x000000001BA00000-0x000000001BA50000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5004-3-0x0000000002A70000-0x0000000002A8C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/5004-2-0x00007FF814CB0000-0x00007FF815771000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5004-9-0x0000000001100000-0x000000000110E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5004-8-0x000000001C2B0000-0x000000001C7D8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/5004-1-0x00000000005C0000-0x000000000080E000-memory.dmp

      Filesize

      2.3MB

      Download