Overview

overview

10

Static

static

10

647194fc57...74.exe

windows7-x64

10

647194fc57...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2025 03:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    647194fc5716bcdebe9b20e13b3f08e7816d13530a15e8d1669f2f25ba628274.exe

  • Size

    2.7MB

  • MD5

    a079d0ef7608f8fb08e6e67ebe720cdd

  • SHA1

    612e4d36e0c92c850848ff92dc466fb2c956415b

  • SHA256

    647194fc5716bcdebe9b20e13b3f08e7816d13530a15e8d1669f2f25ba628274

  • SHA512

    d2d4aa554c4bc1108dc73ee97dcb17fb66fdb862d64b10c08456fe62be5ff9d9e7b83a76956dbc2ffd855fb3a675d6939ee4416c4ebf2c55f060f7d0db93eb88

  • SSDEEP

    49152:7bA3jfxSks5WqWk9IEJKb9aUgXXNOUnkonLxB5ctECb:7bwsgql9hJfUgX8+vc6i

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\647194fc5716bcdebe9b20e13b3f08e7816d13530a15e8d1669f2f25ba628274.exe
    "C:\Users\Admin\AppData\Local\Temp\647194fc5716bcdebe9b20e13b3f08e7816d13530a15e8d1669f2f25ba628274.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MsSession\Ov1RwD.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\MsSession\K37wJmF1HmUF8ALyjA8MpCp.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3512
          • C:\MsSession\hyperComwin.exe
            "C:\MsSession\hyperComwin.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4844
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aINWZcLocN.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1736
                • C:\MsSession\smss.exe
                  "C:\MsSession\smss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3808
      • C:\Users\Admin\AppData\Local\Temp\explorer.exe
        "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\MsSession\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MsSession\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\MsSession\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4152
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperComwinh" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\en-US\hyperComwin.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperComwin" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\hyperComwin.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperComwinh" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\en-US\hyperComwin.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MsSession\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MsSession\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MsSession\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4288

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MsSession\K37wJmF1HmUF8ALyjA8MpCp.bat
      Filesize

      30B

      MD5

      fa3ead269fc71745ff9e202da56f658e

      SHA1

      5d2662e79f1e992c0c9f72c050cc676df0f3cdde

      SHA256

      1cf1a92d3e3ce17a13d4827deb0cdb9f89a40116905980b547d7f954d59040a7

      SHA512

      9e3c2ea4326648905360005b2aa95fb0e0935dc641b32af56446abf2bd69e9749c92f22e6eab4240da6505ffee6c1c3f5ed4ab6ac945f59fee2835aa2f9ec347

      Download Submit

    • C:\MsSession\Ov1RwD.vbe
      Filesize

      209B

      MD5

      f5a3f2ada233639fa06802ff18569f99

      SHA1

      da11e9ad7bda556c74204c32691f3ec5efe8b6a5

      SHA256

      3558ba240c76b6de27cdc3ac9370d6b50774aa2d5d5e3fe6a697e971e832aef9

      SHA512

      ab223924c713a6551ded2a1e86d70533d7c1b8d5155f0d12b3b9e7fbc928ead6c452d3112484a6974b3be94b937a333d2b5f3f8852b0a21793d160689aca3ba9

      Download Submit

    • C:\MsSession\hyperComwin.exe
      Filesize

      2.3MB

      MD5

      82fcc473fb802d134540a4d3bc9ddc06

      SHA1

      d879feb817639baeeef685261d8574ab7944f8b2

      SHA256

      f6cf6f23a7d27460b34f9ead8e72584a706ae1e986f3fa3920c51fbd0d6f93d0

      SHA512

      6a67c4b0d98c04c8a86bdd7d3f6f72e1b0f7e3718c58c22a30004ac55c60dc53a36fc764bdee79d8aab981b863c203992abbaaaca788d200c9456ff3d0319cf2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aINWZcLocN.bat
      Filesize

      186B

      MD5

      7446cbef82b7afb22b905ca21cbf2492

      SHA1

      199be600eb50c54786f8f94ec52cad535d06751b

      SHA256

      3f141650181bac098f3ba8a78662dfc0a0b80e84b96546ce124e91a1efc82a7a

      SHA512

      aa6e17cc9f158f743043bb79364f3f8a46703cdcdbd2c6a212ab4227a5530f642a2093273f3d5509e79c9bc1d236987da999c3b679da4079c843679fd3f7e71b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\explorer.exe
      Filesize

      130KB

      MD5

      f27a284ef9b018cdd2a98a7b78ccdcb3

      SHA1

      67e260b11e6227c18cae8925b4f6899103c607f2

      SHA256

      af86dc3f76d39b67b967a3b714e9e70ed43eec8d3871e9691cb45d84372b53fb

      SHA512

      9a8811f13517748539308a70933b126a3348407f397bf30f903019379f927532c64015853b94acf21bdbc554d638a0265d4394d026e289103db06fe93fe5524b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      2.6MB

      MD5

      eb81df2c7222c48ef46c781d460c83b9

      SHA1

      c7fe4682e2c1bc5cc55c2913600f8950fe955129

      SHA256

      1594a7f6707f01d3f1688f726af842940fe96fe700f99df23a3d8ec6909e4b13

      SHA512

      6ce26f9d1f1f8f10d8dae13132217ca8aa2d42e98475ee0543f1cdd35f0a06f824f5ef8ab0db03b25c15041560464aa73c545d91d13d6fda72131c7ccc2c7c5b

      Download Submit

    • memory/688-1-0x00000000008C0000-0x0000000000B80000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/688-2-0x00000000054F0000-0x000000000558C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/688-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3808-74-0x000000001AFC0000-0x000000001AFD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4844-35-0x0000000000D90000-0x0000000000FDE000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4844-38-0x0000000003130000-0x0000000003146000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-39-0x000000001C1D0000-0x000000001C226000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4844-40-0x0000000003040000-0x0000000003052000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4844-41-0x000000001CAE0000-0x000000001D008000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4844-42-0x00000000030D0000-0x00000000030DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4844-37-0x000000001BC60000-0x000000001BCB0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4844-36-0x00000000030B0000-0x00000000030CC000-memory.dmp

      Filesize

      112KB

      Download