Overview

overview

10

Static

static

10

063f0ebe16...9f.exe

windows7-x64

10

063f0ebe16...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f.exe

  • Size

    952KB

  • MD5

    7146d0c354a5ffc4f39db58415c14022

  • SHA1

    2aa91a6ae46fd1fb956e6c8efda7251025b6a90e

  • SHA256

    063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f

  • SHA512

    b1b799f42e04443097b7f94ee4273377fcad228cfde8e1a0ffbc2e28427a8ebd4e804be0bdafc3e40122dee2a19ac2f4baccd054dbe90b5609b1c945f2719fcf

  • SSDEEP

    24576:u+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXXL:p8/KfRTKZ

Score
10/10
dcratdefense_evasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f.exe
    "C:\Users\Admin\AppData\Local\Temp\063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2916
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VVDSwyZL7t.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2760
        • C:\Windows\SoftwareDistribution\Download\csrss.exe
          "C:\Windows\SoftwareDistribution\Download\csrss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\clusapi\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\wer\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f" /sc ONLOGON /tr "'C:\Users\Default User\063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RD2D18\063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1760

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RD2D18\063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f.exe
      Filesize

      952KB

      MD5

      7146d0c354a5ffc4f39db58415c14022

      SHA1

      2aa91a6ae46fd1fb956e6c8efda7251025b6a90e

      SHA256

      063f0ebe162695ca595299a607634b1a4678527542053d73a85106d0de5f329f

      SHA512

      b1b799f42e04443097b7f94ee4273377fcad228cfde8e1a0ffbc2e28427a8ebd4e804be0bdafc3e40122dee2a19ac2f4baccd054dbe90b5609b1c945f2719fcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\VVDSwyZL7t.bat
      Filesize

      214B

      MD5

      78492672607da47bcbd5e207a9cb2d87

      SHA1

      47bd52302f83f15b088e1500c635c8487b09c672

      SHA256

      a53cd0cac869b979519a5363a64fb55d29af669c334c0c355aa72b6e870948a3

      SHA512

      829e795800586ede3246e23ceb84ca550669c601d1016557cefb67d21d2770c9b472e2b9309ac8242529fb83b10c89dfe7263bb83348f56c6545b43e1389a4d3

      Download Submit

    • C:\Windows\System32\clusapi\csrss.exe
      Filesize

      952KB

      MD5

      9164e12e0b5b2f2f87b9c48d30b7499d

      SHA1

      71f2775c225040e39f098d4208286a84b6f66d10

      SHA256

      9bc84798a9bfc699136379f3d04efebb5f77b2b31ac09ed1ecff66bcde33c95e

      SHA512

      52323c7372cb5a2b63a5f9a3b5205ef5e77b6a9e1bdb3e113b759a466fe70e2f4d6a1c8c9375a628365c753cd48f11c69cc5ce5aa04feed767260ed3399e2f9e

      Download Submit

    • memory/1440-94-0x0000000000E00000-0x0000000000EF4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/2916-4-0x0000000000370000-0x0000000000380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-5-0x0000000000360000-0x000000000036A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2916-6-0x0000000000410000-0x000000000041C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2916-7-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2916-8-0x0000000000A90000-0x0000000000A98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2916-11-0x0000000000450000-0x000000000045C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2916-10-0x0000000000470000-0x000000000047C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2916-9-0x0000000000440000-0x000000000044A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2916-0-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2916-3-0x0000000000350000-0x0000000000360000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-2-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2916-91-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2916-1-0x0000000000F10000-0x0000000001004000-memory.dmp

      Filesize

      976KB

      Download