Overview

overview

10

Static

static

10

9E7C6C00FF...47.exe

windows7-x64

10

9E7C6C00FF...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-01-2025 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9E7C6C00FFD9D6501586FF6E3A87FF47.exe

  • Size

    1.1MB

  • MD5

    9e7c6c00ffd9d6501586ff6e3a87ff47

  • SHA1

    da1f6be302efc67fb981d2cac011caa3ca40df93

  • SHA256

    a09c7f65b8c6559808fe7e429078639a61816e5c76e08466dfb5c03b04f27a18

  • SHA512

    6355e8ac75f8da391be58737e8f2f56a99dfbfb757d5044119d0c6e67954656ce7d3da65790b46c67ed4744154810874ed9e1964d3eb68a4420ac81072cdd5e0

  • SSDEEP

    24576:u2G/nvxW3WieC+TmsHesd2RxXEh2NnJ40Vm:ubA3j+TmsMQgFS

Score
10/10
dcratdefense_evasiondiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\9E7C6C00FFD9D6501586FF6E3A87FF47.exe
    "C:\Users\Admin\AppData\Local\Temp\9E7C6C00FFD9D6501586FF6E3A87FF47.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portbrowserSvc\niRlsT7U.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\portbrowserSvc\rMXTEEa.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\portbrowserSvc\agentbroker.exe
          "C:\portbrowserSvc\agentbroker.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Users\Default User\sppsvc.exe
            "C:\Users\Default User\sppsvc.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1744
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\portbrowserSvc\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\portbrowserSvc\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\portbrowserSvc\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\portbrowserSvc\niRlsT7U.vbe
    Filesize

    198B

    MD5

    c2147d735326a98b5d0e5cf67ab043a6

    SHA1

    0603c7a8209fe35f02127aa73671a2ca6e5c828b

    SHA256

    66358939bf43e6b9388c7c41f80e5b85ec6d05c100b0a955b08640b39c8934dc

    SHA512

    4836afcdacf6ced1f6b44bbef62635eab4a3e15084ade4b918e0e712af359137300a22c80411ffa016f7f1b204eac4205e1be0ebf46b6addaefdae185ce0c21e

    Download Submit

  • C:\portbrowserSvc\rMXTEEa.bat
    Filesize

    147B

    MD5

    5d83da11e18d561cdd46c036ceada49d

    SHA1

    fcb56d68080cea1f5495ccd915fd0e77d5cac6dd

    SHA256

    bea380a9fde04cf3178e4c4bd037db55bdae138a4b0263ccba9ed6274b5d102e

    SHA512

    4b5f09bac233c99d4e0e052950ec2b6f206c9244a09b96b65bdadd149a7b8bbf53d11b075e399ce3626a3f3902b81b85234b85fd6cf8845b2fce42e6ad1f7a94

    Download Submit

  • \portbrowserSvc\agentbroker.exe
    Filesize

    832KB

    MD5

    dd3da669f2a243c4dbbbfc8f063acca9

    SHA1

    4f41bf6dd2bafc00cd09aac21567849ff651311c

    SHA256

    ac07273ab1dc75a040355ab1decb04494f2304eec1b95ed9d6ff64d329e84cc1

    SHA512

    bdc0c28061b36dc4f871c2cf8eb824c0d4956749219ff2bba91e3fb9809d68cc82df438804aa7b5f8266bace538b933e2c43af8c2a7feb01bd0d84afd82f07ac

    Download Submit

  • memory/1744-46-0x00000000003C0000-0x0000000000498000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2752-13-0x0000000001100000-0x00000000011D8000-memory.dmp

    Filesize

    864KB

    Download