Overview

overview

10

Static

static

10

224c366651...d0.exe

windows10-2004-x64

10

Resubmissions

13-01-2025 15:25

250113-st1kpawrdv 10

10-01-2025 12:54

250110-p5j6asxjdk 10

28-12-2024 02:09

241228-clcwnatnby 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    224c3666515e1602d6a4c8f6802d8ad2c597951e50cf4938e5ddc849702f1bd0.exe

  • Size

    1.1MB

  • MD5

    c1ea7d9d2b92b29bb016dc0c82ce0136

  • SHA1

    0490c1a2a2ab084cb03bbb494454380eb0a4063f

  • SHA256

    224c3666515e1602d6a4c8f6802d8ad2c597951e50cf4938e5ddc849702f1bd0

  • SHA512

    51e7c868dd506de81112d18004f2dff73b0ef7a1b7614e94977c9e389919451a3c4bdda2668358999d490ca650a340305674d7c89212a33e8d111a8064a7a116

  • SSDEEP

    24576:U2G/nvxW3Ww0tLh6X9jiDf3b8goWoMSCUH0N:UbA30cQoSP

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\224c3666515e1602d6a4c8f6802d8ad2c597951e50cf4938e5ddc849702f1bd0.exe
    "C:\Users\Admin\AppData\Local\Temp\224c3666515e1602d6a4c8f6802d8ad2c597951e50cf4938e5ddc849702f1bd0.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\crtnet\U4fZxuOVYXKrCZIgxMyzABwsANpU.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\crtnet\Bnw1HgIbKGac.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\crtnet\hyperserversvc.exe
          "C:\crtnet\hyperserversvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Ol3V7wsjo.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4836
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3260
              • C:\Windows\L2Schemas\OfficeClickToRun.exe
                "C:\Windows\L2Schemas\OfficeClickToRun.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3964
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4928
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\crtnet\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\crtnet\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\crtnet\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2396
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:2244
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
          2⤵
          • Modifies data under HKEY_USERS
          PID:4652

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\3Ol3V7wsjo.bat
        Filesize

        206B

        MD5

        37d5285ffd25411dbfce1c0383c649d8

        SHA1

        a62d7cd4916eb9fbe0d9bafb64368dcbd1286b22

        SHA256

        990eb4831c0c8a032242eb7f1a8c2398b63f6e0befa17ed91aa2c8f56d37ce73

        SHA512

        af06dd2793b8314336235edd189e8062d5aa87e4765dba4cbbc12ec5d66e55cb5b03e626470c7c1cafb99e05c0833eacc816730207c5da6ef6e5865f39c6bc78

        Download Submit

      • C:\crtnet\Bnw1HgIbKGac.bat
        Filesize

        30B

        MD5

        ad864158aece2c49b735cb6ddb40c692

        SHA1

        42cff4692d777de8a6e5dc42a48b95a00a4f74d0

        SHA256

        d788ee93f4876edfdcc51052ee21680b067fee9071f2efa752608fe39af39c84

        SHA512

        df2ce6df2fc21d23d91f869729c1bb5fbde0079d015d1b44a2679861a30a18b373bcdffe6f399964577a2b8f566d5373958c82e0917aa838b2e3f5705dc8e034

        Download Submit

      • C:\crtnet\U4fZxuOVYXKrCZIgxMyzABwsANpU.vbe
        Filesize

        195B

        MD5

        d1e9f1bc4219b36665be0abca3f62ad2

        SHA1

        9ebf784c32f63049b3e39681015ee78350e04ee2

        SHA256

        8736f9684770146460caaf01b7cc432b2dcf9faf5d398b27f9f58cd86d87e978

        SHA512

        aeda85a9a5548a6eb44eb92c9839aa98e3e9932d9d0deb6a4fa9ec603438c85b38c1ab295cd10035b54e65453dd19da685457c82241caa369551df0ec75b2787

        Download Submit

      • C:\crtnet\hyperserversvc.exe
        Filesize

        828KB

        MD5

        915963963f2bfe83c2f1a3a50cf042ca

        SHA1

        5b7ccdc34d46ff3d25752ae9f73ae6649e9ef791

        SHA256

        28c32ebbf807cd3ed0a35ead7bef99665da102a85bdfe0f91cf7f92d167dfd40

        SHA512

        7509a3ba3258848851c5315eecb1105ec10018c1012c244531a6250bcab84196378bd1fa9374c92ee3fa66f96433ddd17929875f37d2b272a97389abb6aa39b4

        Download Submit

      • memory/1020-37-0x00000253E4EC0000-0x00000253E4ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1020-53-0x00000253E4FC0000-0x00000253E4FD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1020-69-0x00000253E94B0000-0x00000253E94B8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2500-12-0x0000000000D70000-0x0000000000E46000-memory.dmp

        Filesize

        856KB

        Download

      • memory/4652-99-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-95-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-78-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-77-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-76-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-75-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-79-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-103-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-102-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-101-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-74-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-100-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-98-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-97-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-96-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-73-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-94-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-93-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-92-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-91-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-90-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-89-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-88-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-87-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-86-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-85-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-84-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-83-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-82-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-81-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4652-80-0x000001C104CC0000-0x000001C104CD0000-memory.dmp

        Filesize

        64KB

        Download