Overview

overview

10

Static

static

10

Serversvc.exe

windows7-x64

10

Serversvc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Serversvc.exe

  • Size

    827KB

  • MD5

    2b1b671bc3ef38079bfc62e0383258e8

  • SHA1

    1231c2d534a55d0e0923953e3d238a2052d6fad7

  • SHA256

    50ba49f457fa7dad0a39dbf75d14570d5308b33b1c4141e37223dda5c731f4b9

  • SHA512

    0552db872a39c27e069a6526db6046368887fc2fc42534ab63fb30ed235388cf831b52bec5234b2fb2bec50f774fe17d31a27323b702f03029233d6a1b9d5f23

  • SSDEEP

    12288:YlMOe0Zu4AanEAlKOP6dE1qAmpBfcjYbg4EEgIGSXx9GI:Ye0Zu4AarrP2OCm4g41Zf

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Serversvc.exe
    "C:\Users\Admin\AppData\Local\Temp\Serversvc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\Serversvc.exe
      "C:\Users\Admin\AppData\Local\Temp\Serversvc.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Users\Admin\AppData\Local\System.exe
        "C:\Users\Admin\AppData\Local\System.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\Registry.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:/Users/Admin/AppData/Local/\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Serversvc.exe.log
    Filesize

    1KB

    MD5

    7f3c0ae41f0d9ae10a8985a2c327b8fb

    SHA1

    d58622bf6b5071beacf3b35bb505bde2000983e3

    SHA256

    519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

    SHA512

    8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

    Download Submit

  • C:\Users\Admin\AppData\Local\System.exe
    Filesize

    827KB

    MD5

    2b1b671bc3ef38079bfc62e0383258e8

    SHA1

    1231c2d534a55d0e0923953e3d238a2052d6fad7

    SHA256

    50ba49f457fa7dad0a39dbf75d14570d5308b33b1c4141e37223dda5c731f4b9

    SHA512

    0552db872a39c27e069a6526db6046368887fc2fc42534ab63fb30ed235388cf831b52bec5234b2fb2bec50f774fe17d31a27323b702f03029233d6a1b9d5f23

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\272861e3e255283adbe8513732b11c40c25b19994.5.32861b7e248a497df38ced2d1412ef3cd66d1d1498
    Filesize

    136B

    MD5

    b510e841abcb148869683a2a7a65d0f0

    SHA1

    3224db951ec9460eaa63c7e63c0f9a4a89ba88a8

    SHA256

    ca0a1cc58f406d64e53a2bdfe13d976a401f6df1f11cefe42061000dc67ac3f0

    SHA512

    f49544156b2c7f3bb5aab0df86c644e911bcb311ebad2f6943c567ba04015b767f3ae9caec2e57bcf4ee2a5cb4df04752a5b24d842ac1711f6458079bc527f01

    Download Submit

  • memory/3524-0-0x00007FF80F383000-0x00007FF80F385000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3524-1-0x00000000007C0000-0x0000000000896000-memory.dmp

    Filesize

    856KB

    Download

  • memory/3524-3-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3524-8-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

    Filesize

    10.8MB

    Download