Analysis

  • max time kernel: 94s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25-01-2025 17:08

General

  • Target: fe78f6e2b4e88176dab282d4b56de4d8038f497a11f2ffcc49c3d33149309707N.exe
  • Size: 952KB
  • MD5: 2441dd3f0b62cd42f120a14c333cb3f0
  • SHA1: 77cf4605fddd9e854039648c028810a04c43427b
  • SHA256: fe78f6e2b4e88176dab282d4b56de4d8038f497a11f2ffcc49c3d33149309707
  • SHA512: 4ab200a53e2b58b2ee95ba9808f720683ec55d8b9449f21a044bd804925653dde29019c91f64178f91b9caec5ef5bbf0ebf8a35ab2a937780da7e6af2d9a4b48
  • SSDEEP: 24576:u+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:p8/KfRTK

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 11 IoCs
  • Process spawned unexpected child process 11 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 22 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe78f6e2b4e88176dab282d4b56de4d8038f497a11f2ffcc49c3d33149309707N.exe
    "C:\Users\Admin\AppData\Local\Temp\fe78f6e2b4e88176dab282d4b56de4d8038f497a11f2ffcc49c3d33149309707N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2548
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QmW3PVwdg9.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:3492
        • C:\Program Files\Internet Explorer\ja-JP\System.exe
          "C:\Program Files\Internet Explorer\ja-JP\System.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\L2Schemas\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\System32\ncsi\MusNotification.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\ja-JP\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:32
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\ndisimplatcim\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Internet Explorer\ja-JP\System.exe
    Filesize: 952KB
    MD5: 2441dd3f0b62cd42f120a14c333cb3f0
    SHA1: 77cf4605fddd9e854039648c028810a04c43427b
    SHA256: fe78f6e2b4e88176dab282d4b56de4d8038f497a11f2ffcc49c3d33149309707
    SHA512: 4ab200a53e2b58b2ee95ba9808f720683ec55d8b9449f21a044bd804925653dde29019c91f64178f91b9caec5ef5bbf0ebf8a35ab2a937780da7e6af2d9a4b48

  • C:\Program Files\Internet Explorer\ja-JP\System.exe
    Filesize: 952KB
    MD5: d8dcace3a0fcba83af4b66eef0154cc3
    SHA1: 81776f3fbf934f1ab81336e88b1634d0bb6ccd60
    SHA256: 6d024f0415f5c1e00eb0a1a67c4f101859456e87d46ec79a70e502f6fb82e48a
    SHA512: 349eb646350bc137de6b369ea270ce96e38f86b0c6b0af30fee4ca4fbf0a0255ba498fe5491b9812528bf09b322c2746b64e5bced8d86ff8d85f2496e50f3471

  • C:\Users\Admin\AppData\Local\Temp\QmW3PVwdg9.bat
    Filesize: 215B
    MD5: 99abd6be30c5017d81d01598d483646e
    SHA1: 88e690d3556b990bac572fbffeaf61fed8f23185
    SHA256: a798394d5f211a576dbc7357cd0267808bc094e61b411fa2188d46690a1eeb59
    SHA512: c6da7c4dbaa515c94b71ae58a71bbcf8d4ed6fc7559e80fc7538f9cb79967eee10fa2a7c960f26ba3b523509452afae9fef30dde0b0d1235140bfa7d47f8dd28

  • C:\Windows\Branding\Basebrd\ja-JP\System.exe
    Filesize: 952KB
    MD5: 99014f96199800dfa3842361418733bd
    SHA1: 5d27d5ce74f2ae2315c288658198035b1a4a420e
    SHA256: eb5ce08c38bb06c63d1a5c337e003ac02b339b0e21ba7062ea4d7a0d7936a745
    SHA512: 36d9e70108e5202845a943787da2318c144b1ca23838c3e234b1b4741b984ee940f3b113e90925baf594a4dcfba741d8fab0cc9476c736c17683aafd787d1941

  • memory/2548-4-0x0000000000CF0000-0x0000000000D00000-memory.dmp
    Filesize: 64KB

  • memory/2548-8-0x0000000000D40000-0x0000000000D48000-memory.dmp
    Filesize: 32KB

  • memory/2548-6-0x0000000000D30000-0x0000000000D3C000-memory.dmp
    Filesize: 48KB

  • memory/2548-7-0x0000000000E80000-0x0000000000E8A000-memory.dmp
    Filesize: 40KB

  • memory/2548-11-0x0000000000EA0000-0x0000000000EAC000-memory.dmp
    Filesize: 48KB

  • memory/2548-10-0x0000000000E70000-0x0000000000E7C000-memory.dmp
    Filesize: 48KB

  • memory/2548-9-0x0000000000E60000-0x0000000000E6A000-memory.dmp
    Filesize: 40KB

  • memory/2548-5-0x0000000000D00000-0x0000000000D0A000-memory.dmp
    Filesize: 40KB

  • memory/2548-0-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp
    Filesize: 8KB

  • memory/2548-3-0x0000000000CD0000-0x0000000000CE0000-memory.dmp
    Filesize: 64KB

  • memory/2548-2-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp
    Filesize: 10.8MB

  • memory/2548-1-0x0000000000440000-0x0000000000534000-memory.dmp
    Filesize: 976KB

  • memory/2548-170-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp
    Filesize: 10.8MB

  • memory/2984-174-0x0000000000870000-0x0000000000964000-memory.dmp
    Filesize: 976KB