Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2025, 05:51 UTC

General

  • Target

    9f7d0b9a32de0f6cefb6a3328f833034.exe

  • Size

    2.7MB

  • MD5

    9f7d0b9a32de0f6cefb6a3328f833034

  • SHA1

    b2f45dab2c76093c317cab36a47873e55e2c7c6e

  • SHA256

    6e333e5b68668934186d53525c24d2ed857c35e36b4d21102d06e52e6890ac5f

  • SHA512

    0ead99e58a9d244f308405a1cff664479de57f1ee38014a557642ef1ea3fe52f20f433c17da565ea23168a8b8c416fcbcb43e6d3df0c959341d36f592fb97f1d

  • SSDEEP

    49152:bBu+dK3GaaTUukCTXO2s2f1sKfmFRd0MdOa5k1kpm/Ufn6sC:duyjAi+j2aK+F54/U/6s

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f7d0b9a32de0f6cefb6a3328f833034.exe
    "C:\Users\Admin\AppData\Local\Temp\9f7d0b9a32de0f6cefb6a3328f833034.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2028
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dtHMBUzi2f.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:2136
        • C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WMIADAP.exe
          "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WMIADAP.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2596

    Network

    • flag-us
      DNS
      a1071976.xsph.ru
      WMIADAP.exe
      Remote address:
      8.8.8.8:53
      Request
      a1071976.xsph.ru
      IN A
      Response
      a1071976.xsph.ru
      IN A
      141.8.192.164
    • 141.8.192.164:80
      a1071976.xsph.ru
      WMIADAP.exe
      152 B
      3
    • 141.8.192.164:80
      a1071976.xsph.ru
      WMIADAP.exe
      152 B
      3
    • 8.8.8.8:53
      a1071976.xsph.ru
      dns
      WMIADAP.exe
      62 B
      78 B
      1
      1

      DNS Request

      a1071976.xsph.ru

      DNS Response

      141.8.192.164

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Windows Defender\spoolsv.exe

      Filesize

      2.7MB

      MD5

      9f7d0b9a32de0f6cefb6a3328f833034

      SHA1

      b2f45dab2c76093c317cab36a47873e55e2c7c6e

      SHA256

      6e333e5b68668934186d53525c24d2ed857c35e36b4d21102d06e52e6890ac5f

      SHA512

      0ead99e58a9d244f308405a1cff664479de57f1ee38014a557642ef1ea3fe52f20f433c17da565ea23168a8b8c416fcbcb43e6d3df0c959341d36f592fb97f1d

    • C:\Users\Admin\AppData\Local\Temp\dtHMBUzi2f.bat

      Filesize

      243B

      MD5

      44551438b735d16781abad52fef69c71

      SHA1

      24b50550d77a32cc8dd803ffb329cea5eebd58a9

      SHA256

      cb1ad1e42df8b94bc57959c285b99279afbe83ebfe51b5adef3bbc5cddd24588

      SHA512

      61dd572addb6f2715c36d8b0536d9de7b4e49bc562c748c2769a413ccf6af85e5a4f7585f5cff25d0ae84b54ce895b1b1d4e1ca38e77eef95c82c1df869d6e5d

    • C:\Users\Admin\Downloads\RCXD712.tmp

      Filesize

      2.7MB

      MD5

      109b5cb9fd42d796d646a79486f7d6a2

      SHA1

      1684597a8b66e56050ae23973ee1ffed55a3ea21

      SHA256

      f1abafb7ed10e847dae29ca5f4241922031406fdd598e5132448b4c72f234ffa

      SHA512

      bd58d39ebfdacad48bddce44e7d865a249115e19b1060d0b57ddaf151c70587d9cb299754d31938e143c4ef0ea822091c9b95eb24acd9ff4950d6045ad429d09

    • memory/472-77-0x00000000008C0000-0x0000000000B74000-memory.dmp

      Filesize

      2.7MB

    • memory/2028-12-0x0000000002140000-0x0000000002148000-memory.dmp

      Filesize

      32KB

    • memory/2028-15-0x00000000022A0000-0x00000000022A8000-memory.dmp

      Filesize

      32KB

    • memory/2028-6-0x00000000007E0000-0x00000000007F0000-memory.dmp

      Filesize

      64KB

    • memory/2028-7-0x00000000007F0000-0x0000000000806000-memory.dmp

      Filesize

      88KB

    • memory/2028-8-0x0000000000810000-0x0000000000818000-memory.dmp

      Filesize

      32KB

    • memory/2028-9-0x0000000002130000-0x0000000002138000-memory.dmp

      Filesize

      32KB

    • memory/2028-10-0x00000000021D0000-0x00000000021DA000-memory.dmp

      Filesize

      40KB

    • memory/2028-11-0x000000001A8D0000-0x000000001A926000-memory.dmp

      Filesize

      344KB

    • memory/2028-0-0x000007FEF6053000-0x000007FEF6054000-memory.dmp

      Filesize

      4KB

    • memory/2028-13-0x00000000021E0000-0x00000000021F2000-memory.dmp

      Filesize

      72KB

    • memory/2028-14-0x0000000002210000-0x0000000002218000-memory.dmp

      Filesize

      32KB

    • memory/2028-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

      Filesize

      32KB

    • memory/2028-16-0x00000000022B0000-0x00000000022BC000-memory.dmp

      Filesize

      48KB

    • memory/2028-17-0x00000000022C0000-0x00000000022CE000-memory.dmp

      Filesize

      56KB

    • memory/2028-18-0x0000000002310000-0x000000000231C000-memory.dmp

      Filesize

      48KB

    • memory/2028-19-0x0000000002320000-0x000000000232A000-memory.dmp

      Filesize

      40KB

    • memory/2028-20-0x0000000002330000-0x000000000233C000-memory.dmp

      Filesize

      48KB

    • memory/2028-4-0x00000000007C0000-0x00000000007DC000-memory.dmp

      Filesize

      112KB

    • memory/2028-3-0x00000000002D0000-0x00000000002DE000-memory.dmp

      Filesize

      56KB

    • memory/2028-73-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2028-2-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2028-1-0x0000000000300000-0x00000000005B4000-memory.dmp

      Filesize

      2.7MB
