Overview

overview

10

Static

static

3

51ee1c43b8...8a.exe

windows7-x64

10

51ee1c43b8...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51ee1c43b8c4c83a1ee89f486a002e8a.exe

  • Size

    1.9MB

  • MD5

    51ee1c43b8c4c83a1ee89f486a002e8a

  • SHA1

    ac3559b85e9f8328fc661c4f7dc17d464aa461fa

  • SHA256

    2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253

  • SHA512

    3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6

  • SSDEEP

    49152:SIsY+oZb+wZGTt6IDmYYg+tfxXi1Mq39V:SIg6IDatJXbM9V

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe
    "C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rmhl5yjz\rmhl5yjz.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES782C.tmp" "c:\Windows\System32\CSC56C0968DF43F42A2B7751CC2EC385A6.TMP"
        3⤵
          PID:1436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\smss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\winlogon.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1424
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rWLcZICN77.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2996
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2576
          • C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe
            "C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2580
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Favorites\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a5" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2280
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a5" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3020

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      3
      T1112

      Subvert Trust Controls

      1
      T1553

      Install Root Certificate

      1
      T1553.004

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      1
      T1082

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe
        Filesize

        1.9MB

        MD5

        51ee1c43b8c4c83a1ee89f486a002e8a

        SHA1

        ac3559b85e9f8328fc661c4f7dc17d464aa461fa

        SHA256

        2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253

        SHA512

        3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES782C.tmp
        Filesize

        1KB

        MD5

        2d15bc063a5d67867a7c9363c0238287

        SHA1

        4d7bc377b481e83484bd359f09c450699ec01e1e

        SHA256

        ba71d3c80ec36a6137dc9c4545015ae6b4981eb74c6b9a60606ac6b8e831598b

        SHA512

        52db8c6a433c3880f73f245260f5a1e983294b4512f4d9ff97c5ea722a23ba37fe1c5ed576ee511fd741b07ec80581ff064b1d0fc27e8d14bdff2ff63f9760b7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rWLcZICN77.bat
        Filesize

        184B

        MD5

        e97f52a79a8d26bcda436c99c6e5fb22

        SHA1

        a57b6cdf8bd4fee08fcbdbf98a589e0b1bde7de6

        SHA256

        10f7cf0c20e26eb25602864402e8b9d932d0d0bd68b4711e9fa56b6d9d58c059

        SHA512

        10c1359d65431e02612997302f18393f203898b34d486caa7ea718a8a38477f2e16060bcb207bbb9f85f9d66a0f09f9c43f06e2e254b8bce4618191b946ecb7f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        855bb37e60ace97039c94c6257e0c30a

        SHA1

        5f183f885762db20af44ace9659dd319e0457298

        SHA256

        79c193e2f450c3adb25f17c7b0b56d50ffd0267b7f7b308a4ff7e0f1f938ce06

        SHA512

        5a0108f09262097c4caa61b928bd946f03b5110847fd335fa22eedf9a5c3b9c7077fd122601814551125fb6b056dec9275798529cc431ff31e18f5c6c8f92dda

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\rmhl5yjz\rmhl5yjz.0.cs
        Filesize

        400B

        MD5

        5aa92967ecf6e2f924c88b17c396364b

        SHA1

        3552f0e90dad798ca589103c5ee59ecb95466acf

        SHA256

        2b304bf9c0c35974c536eb0ec964f5c39b9a46df1913a1415f3afabf87fbb6ba

        SHA512

        d3e3cad33cdd442cbbc7907e30809dc33684179332dda90c71af75cde23c8567b46b1ff71c8476e2948623ee846f3cd51d518dc7263fe42d786512d269da9623

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\rmhl5yjz\rmhl5yjz.cmdline
        Filesize

        235B

        MD5

        a4ef5efbcae4c61e9c79d53ad02547eb

        SHA1

        ce38e6ae372f37ab909bb44e54caa89e2355f8cd

        SHA256

        36b8d47cbf0209a854c2b96c6ade8c149fa1e83855ea7fed3e95791143d49fea

        SHA512

        daf4685ab1b3593ba80200dfdb09ee22ceee413029706259289c781a3708abec9c45e1814b0802b83a1ba196352f20cbda939d1fbab87c1c4bae2f5645a1766d

        Download Submit

      • \??\c:\Windows\System32\CSC56C0968DF43F42A2B7751CC2EC385A6.TMP
        Filesize

        1KB

        MD5

        8c85ef91c6071d33745325a8fa351c3e

        SHA1

        e3311ceef28823eec99699cc35be27c94eca52d2

        SHA256

        8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

        SHA512

        2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

        Download Submit

      • memory/1424-79-0x000000001B5A0000-0x000000001B882000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2144-85-0x00000000026F0000-0x00000000026F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2740-89-0x0000000000CD0000-0x0000000000EB8000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2756-23-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-8-0x00000000003C0000-0x00000000003DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2756-22-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-21-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-20-0x0000000000330000-0x000000000033C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2756-18-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2756-14-0x0000000000310000-0x000000000031E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2756-16-0x0000000000320000-0x0000000000328000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2756-11-0x00000000004F0000-0x0000000000508000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2756-12-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-17-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-9-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-47-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2756-48-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-49-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-6-0x0000000000200000-0x000000000020E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2756-4-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-3-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-2-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-63-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2756-1-0x0000000000900000-0x0000000000AE8000-memory.dmp

        Filesize

        1.9MB

        Download