Overview

overview

10

Static

static

10

99cccc9c25...76.exe

windows7-x64

10

99cccc9c25...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576.exe

  • Size

    952KB

  • MD5

    c377fc47f9a69dfcdabb7a2e29d40142

  • SHA1

    e65c699ac98ea63b890062321c31b71db64c041c

  • SHA256

    99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576

  • SHA512

    b4c213e65217fd720643d6aea277eb4d337de271ed637de2c31fd977408a2c7897bebae59d81bb178fc74b8cc7c879b330fdadbec98d86e85318af65bdf9898b

  • SSDEEP

    24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX3:Z8/KfRTKd

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 11 IoCs
    persistence
  • Process spawned unexpected child process 11 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 22 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576.exe
    "C:\Users\Admin\AppData\Local\Temp\99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576.exe
      "C:\Users\Admin\AppData\Local\Temp\99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3416
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tqxXeAsAVU.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:1900
          • C:\Windows\TAPI\RuntimeBroker.exe
            "C:\Windows\TAPI\RuntimeBroker.exe"
            4⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:1516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Documents and Settings\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\AppxSignature\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:8
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\nshhttp\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\nshipsec\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\lstelemetry\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\PowerPolicyProvider\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:720

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PerfLogs\dllhost.exe
      Filesize

      952KB

      MD5

      4fb34170141e29b9406972180e72eb39

      SHA1

      e932d89ed84641b9dab7536bb864d2e1547fa908

      SHA256

      1198d4c50f99a9cb54e447fb9416d957275c5b7d9aba8ee783b616009850d773

      SHA512

      6f2e23d3452399c1ec48dca0eff16b7ee2619ee638df42d9b3d6705158d44c2e6976e28df55949e0d4d5c835a505086623db079bddba82a54e5a44e9e573f53d

      Download Submit

    • C:\Program Files (x86)\Windows Mail\smss.exe
      Filesize

      952KB

      MD5

      dad4b3f126758cc849be4b52c3c7b672

      SHA1

      429d1445e6d8953badf5bf33ebca7c33cc2b7738

      SHA256

      a32b281fc409a7145625a5b8057e2802601263350c724b39c37c56987ba488ba

      SHA512

      7c606f2ac861dcfefba0d42cb3286b0e1d1f2d9e7fa7907ae54e82d9ad72a4fc3123392fab341791989ea2d00c77cd3457bb71f075e287eafc55ba8989a78d4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576.exe.log
      Filesize

      1KB

      MD5

      7f3c0ae41f0d9ae10a8985a2c327b8fb

      SHA1

      d58622bf6b5071beacf3b35bb505bde2000983e3

      SHA256

      519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

      SHA512

      8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576.exe
      Filesize

      952KB

      MD5

      c377fc47f9a69dfcdabb7a2e29d40142

      SHA1

      e65c699ac98ea63b890062321c31b71db64c041c

      SHA256

      99cccc9c25dd6d31cb9541b8fd31cfd5d3f72fc393d157f1592320c9217bc576

      SHA512

      b4c213e65217fd720643d6aea277eb4d337de271ed637de2c31fd977408a2c7897bebae59d81bb178fc74b8cc7c879b330fdadbec98d86e85318af65bdf9898b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RCXE05E.tmp
      Filesize

      952KB

      MD5

      f7f39e6a45de003a1b055a725a85a760

      SHA1

      ce24a3ef442052adbd7c14d8035d2c94ae8a1ed0

      SHA256

      82d5689f614df5069ce292d8495f2ff21c8274003e89d0784525a7aad918f654

      SHA512

      dea55a1c43926cb3433fb1a8c8cc486f0a372f2b79e102ba526e92edfc190856b3d4b1cffa1389962e4352f40f91e0360636ea74525bfe2bc7e481fd23a2c0c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tqxXeAsAVU.bat
      Filesize

      197B

      MD5

      b7bbc7b14b7deee55e2fcc9b2a721670

      SHA1

      66ce2edd2a994c1a0b44c4daf25ebb94b2c5a89f

      SHA256

      f28882b4fcb53fb13e3dd5095e96fcfdc7f610a7ef158b12a489616d6ea0da81

      SHA512

      c72a59868033148b5503c78077d01edefaf35ecc2d937db36278a339480e0c2b91506de6a91304a442d7631ae1a03fa0dc46bd175c1d1c764e2e89a190f8fec0

      Download Submit

    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\AppxSignature\SearchApp.exe
      Filesize

      952KB

      MD5

      cb932244bbbfbf62bb2f46de969b242c

      SHA1

      7303ab79d4f7afe079338ef2bc054cd5db6bd532

      SHA256

      8d9680fd9f979bba2d3150722b4c9cb81f098e43d69d85fcb5631e21cfffb2ab

      SHA512

      55b2e77670725bb8f6db6112c01ac1882292c983bfb86ced09ecd3d4c9737c1c1df1e118aabf7c32db0ddbd3a29ce69114a27276fa75d8f66f768b2ae2e675ef

      Download Submit

    • memory/1544-5-0x0000000002CD0000-0x0000000002CDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1544-8-0x0000000002D10000-0x0000000002D18000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1544-10-0x0000000002D50000-0x0000000002D5C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1544-11-0x0000000002E80000-0x0000000002E8C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1544-9-0x0000000002D40000-0x0000000002D4A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1544-7-0x0000000002D20000-0x0000000002D2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1544-6-0x0000000002D30000-0x0000000002D3C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1544-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1544-4-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1544-3-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1544-2-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1544-74-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1544-1-0x0000000000B70000-0x0000000000C64000-memory.dmp

      Filesize

      976KB

      Download