Overview

overview

10

Static

static

10

b39b2723e3...6N.exe

windows7-x64

10

b39b2723e3...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2025 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b39b2723e3217a332fcc41aad66fcae56939e5368d2abbdbff0c874b84aea9e6N.exe

  • Size

    952KB

  • MD5

    44166bd2a126a97a6db8049255377240

  • SHA1

    470b088d19c3f3395e313a49d7b6ef6527a40d42

  • SHA256

    b39b2723e3217a332fcc41aad66fcae56939e5368d2abbdbff0c874b84aea9e6

  • SHA512

    482e1fc386b985e82bbe477d8b21eeb50192d03a6fcaf91abf4ec8c464708d65bcdeb49b9cfbf86f468db74e273a78999207e75a66c0a527a2ae1a8db6ce3531

  • SSDEEP

    24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:x8/KfRTK

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b39b2723e3217a332fcc41aad66fcae56939e5368d2abbdbff0c874b84aea9e6N.exe
    "C:\Users\Admin\AppData\Local\Temp\b39b2723e3217a332fcc41aad66fcae56939e5368d2abbdbff0c874b84aea9e6N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1320
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\odaT1mSkAJ.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3648
        • C:\Windows\System32\mspatcha\RuntimeBroker.exe
          "C:\Windows\System32\mspatcha\RuntimeBroker.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:3256
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\sigverif\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\mspatcha\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ntlanman\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:224

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\odaT1mSkAJ.bat
      Filesize

      210B

      MD5

      63b3382dbad5369fc6b9279c9d3edd2f

      SHA1

      c6d98d679f44d1e51d7317cfc82d0483b09f6933

      SHA256

      46749ebad55dd2eaaf03e3b8897d9ed9132fa3e94e773bb2fce90e2d64e6f0a6

      SHA512

      b5f750e3da1303edd109df418f6589c9da4729f387e9d6a678097f3e3b486e170a7d9cf1e64a94bcdd58db5791664b392f951aac20dd33a8772b93ba4a3d5b21

      Download Submit

    • C:\Users\csrss.exe
      Filesize

      952KB

      MD5

      44166bd2a126a97a6db8049255377240

      SHA1

      470b088d19c3f3395e313a49d7b6ef6527a40d42

      SHA256

      b39b2723e3217a332fcc41aad66fcae56939e5368d2abbdbff0c874b84aea9e6

      SHA512

      482e1fc386b985e82bbe477d8b21eeb50192d03a6fcaf91abf4ec8c464708d65bcdeb49b9cfbf86f468db74e273a78999207e75a66c0a527a2ae1a8db6ce3531

      Download Submit

    • C:\Windows\System32\mspatcha\RuntimeBroker.exe
      Filesize

      952KB

      MD5

      a367fe3b12ce2d246278d12e8622208e

      SHA1

      49013d1c06f4b79937ca9c036d8aa54719b545e2

      SHA256

      39dee13cb56bf7ca94b8a400a43400d69896eeeff04648616606d976d32cdc6b

      SHA512

      c0f1fae8c068c901124acde77952e0becbdbfec0b2e096815c5e51b387f60d44dee02794a2e38ebf141ef393977404cbf840b39366de5971f97c3ac552f533e1

      Download Submit

    • C:\Windows\System32\sigverif\dwm.exe
      Filesize

      952KB

      MD5

      153a571f844225542e372909b27d4095

      SHA1

      6a6ea89a3d4dd3132608a5ae970348393badcc3b

      SHA256

      2bfd9347b01e194b3424b9223a1f9105120c4fefa45818a84bc607d0b9040bb2

      SHA512

      59e4f2bbaed40127c4073e7ecaa7618efea693b2f59a8b9d23d903c46e83aa5b255fd0905485344b159cf9fdbd780c2e5ca07e62ea542d1d90deb1c27269a0ae

      Download Submit

    • memory/1320-4-0x0000000002430000-0x0000000002440000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1320-9-0x0000000002490000-0x000000000249A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1320-6-0x0000000002420000-0x000000000242C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1320-7-0x0000000002440000-0x000000000244A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1320-8-0x0000000002470000-0x0000000002478000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1320-10-0x00000000024A0000-0x00000000024AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1320-11-0x00000000024C0000-0x00000000024CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1320-5-0x0000000002410000-0x000000000241A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1320-0-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1320-3-0x0000000002400000-0x0000000002410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1320-2-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1320-1-0x00000000002A0000-0x0000000000394000-memory.dmp

      Filesize

      976KB

      Download

    • memory/1320-91-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3256-95-0x0000000000F70000-0x0000000001064000-memory.dmp

      Filesize

      976KB

      Download