Overview

overview

10

Static

static

10

4abd3fdc56...aN.exe

windows7-x64

10

4abd3fdc56...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    25s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-01-2025 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4abd3fdc568bb1f27720659825994c87f22381b8611c94761472145196dd369aN.exe

  • Size

    1.7MB

  • MD5

    251bc53b2e5b51a8605bbc3cc214d220

  • SHA1

    ea2c82feaebf9a3ee294094be2c8ce4190e6592b

  • SHA256

    4abd3fdc568bb1f27720659825994c87f22381b8611c94761472145196dd369a

  • SHA512

    0209113fa0a0418213da29ecf564cfb9a9ea27c17cb6582affdcab72be58635753f1d2b895395815672e432b330e974a0ac2cf77b01afcd368d2c8451c37a97e

  • SSDEEP

    24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4abd3fdc568bb1f27720659825994c87f22381b8611c94761472145196dd369aN.exe
    "C:\Users\Admin\AppData\Local\Temp\4abd3fdc568bb1f27720659825994c87f22381b8611c94761472145196dd369aN.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtwHUJyt6A.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1928
        • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe
          "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b55df200-d7a4-4185-9897-0bcd980639af.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1184
            • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe
              C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2152
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48581b72-5864-410e-b9ec-bd8f9c7a8605.vbs"
            4⤵
              PID:2084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2600
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1244
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2172

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\48581b72-5864-410e-b9ec-bd8f9c7a8605.vbs
        Filesize

        509B

        MD5

        1618f6cf172089dd69ebb65bffd67bc7

        SHA1

        426df71db9a25143009f69deae8df93a76f9f99b

        SHA256

        dd667154169a3e732912684a9083794c45d9c27e474bcbf696f8cf2baee24f55

        SHA512

        ce4080ca98e132b241323cec4335a677ac7e1bfa04aa056e3679213a1b8e90764f8608caee16b1dc235c3d199c61f21adead77b2cb1f6667885140633085db5f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RCX8834.tmp
        Filesize

        1.7MB

        MD5

        251bc53b2e5b51a8605bbc3cc214d220

        SHA1

        ea2c82feaebf9a3ee294094be2c8ce4190e6592b

        SHA256

        4abd3fdc568bb1f27720659825994c87f22381b8611c94761472145196dd369a

        SHA512

        0209113fa0a0418213da29ecf564cfb9a9ea27c17cb6582affdcab72be58635753f1d2b895395815672e432b330e974a0ac2cf77b01afcd368d2c8451c37a97e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\b55df200-d7a4-4185-9897-0bcd980639af.vbs
        Filesize

        733B

        MD5

        c0af0bd9b5283014616bad5e0056e2f1

        SHA1

        3698261c39c3e9481e40190940896aa6aec7b12d

        SHA256

        aaa0bbe161680b2c7764de422440fc269cf0da8e3af60f71fa67ad688d9e46fd

        SHA512

        d73c99114221c649fe7d2130286cd81befa6148829ee26f178b69cbdfd310e0daa75ef9682cff86fcfc7e6d99e18eb7d40c5acea098b9587fd44c603f5fc2b18

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wtwHUJyt6A.bat
        Filesize

        222B

        MD5

        681da6ef6f47ede730c91ecd369da1ba

        SHA1

        cd011290f25b608090b3f1f4d313b0845fff5361

        SHA256

        ba88e3d3878f5f4c81dc3493a915774537e8e2b47d0937695dd221506f5af27e

        SHA512

        6e8441760d9154e1444f7a63da5ae68c214add2201dd3236c5406f111a02c1027a3bec11894000f043fa9f0d3d52bb51fbb45f81ae264b54f2aa07351ca8df15

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        90c3410642435a7a5df23834c2f6ec41

        SHA1

        2248d5acd1110c7f59ade73523981dadfcc3d783

        SHA256

        edda2ed8061c8d789e054a6a97e7e4092eaab31b77a22aa76bd42817f95d6427

        SHA512

        0b7df13de04bc8813727305d9d52e5d303cbabc6839e19daef687cc26d94e546a2f2ffb23be80c83344663a70129d568426e31020f4d885d68bae739bcef8ea8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lsass.exe
        Filesize

        1.7MB

        MD5

        000447edacdafe43cf0532845ee37f14

        SHA1

        c38e4afc84b9a1e683fc0395f66f499a5abce3b9

        SHA256

        b7c241f04692dfc19dff6bafeb9113161ff2231dc745c750f0501fdfcd2e7455

        SHA512

        a2a34083a4ce6c6c84ed869f13c8a9d9e921e50d9028bca27fa6c038cdd52110a0130f1e4879b01de86ebc11b0391a674fe7e3e59dc5ce6ef2998c557a1e5fae

        Download Submit

      • memory/1028-73-0x000000001B630000-0x000000001B912000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1028-84-0x0000000001E70000-0x0000000001E78000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1756-134-0x0000000000E60000-0x0000000001016000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2128-7-0x0000000000A90000-0x0000000000AA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2128-0-0x000007FEF50C3000-0x000007FEF50C4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2128-12-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2128-14-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2128-13-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2128-16-0x0000000000B90000-0x0000000000B9C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2128-15-0x0000000000B00000-0x0000000000B08000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2128-17-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2128-20-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2128-9-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2128-8-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2128-10-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2128-6-0x0000000000A70000-0x0000000000A86000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2128-5-0x00000000005C0000-0x00000000005D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2128-121-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2128-4-0x0000000000530000-0x0000000000538000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2128-3-0x0000000000510000-0x000000000052C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2128-2-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2128-1-0x0000000001010000-0x00000000011C6000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2152-145-0x0000000000E80000-0x0000000001036000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2152-146-0x00000000004B0000-0x00000000004C2000-memory.dmp

        Filesize

        72KB

        Download