Overview

overview

10

Static

static

3

726F633190...E3.exe

windows7-x64

10

726F633190...E3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-02-2025 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    726F633190773A11ABA4D20BC1D28FE3.exe

  • Size

    2.5MB

  • MD5

    726f633190773a11aba4d20bc1d28fe3

  • SHA1

    3d3fe6242f7a23c15913a0b6e0ebdcb5fee97c7c

  • SHA256

    7a982ed5fcffafc6772a4694fad27694b6cacff8e30698cec33bf4f41f91a57a

  • SHA512

    89fedb3eeec1973fbceff58067410fef7af38de16aa00ef9cf854b404844cb14865be6cb08d806fb66c390ae019952a7c4400d138a51ff7dd78ccffa69bb6d98

  • SSDEEP

    49152:3nBJ/gmNwH6zpk2N2ggey84Y4g04NFRgNdmP/f55+L9N+9TUEq:RZnaHe+w2gryzSjqdYB0v+9G

Score
10/10
dcratdiscoveryexecutioninfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\726F633190773A11ABA4D20BC1D28FE3.exe
    "C:\Users\Admin\AppData\Local\Temp\726F633190773A11ABA4D20BC1D28FE3.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\injector.exe
      "C:\Users\Admin\AppData\Local\Temp\injector.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RuntimeCommon\n5Mkbvfp2mXkr7Yk.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\RuntimeCommon\xnL4kmC5Grvm10ef82Ks66FPsrKA2VcKc8wQTuDF.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Users\Admin\AppData\Roaming\RuntimeCommon\dllhost.exe
            "C:\Users\Admin\AppData\Roaming\RuntimeCommon/dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2792
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1540
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2688
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1208
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:840
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\cmd.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1800
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeCommon\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2180
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FPjzsJZtPn.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:976
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:1940
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1576
                  • C:\Users\Admin\AppData\Roaming\RuntimeCommon\dllhost.exe
                    "C:\Users\Admin\AppData\Roaming\RuntimeCommon\dllhost.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2652
        • C:\Users\Admin\AppData\Local\Temp\launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c pause
            3⤵
              PID:2472
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2692
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1888
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2036
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2488
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\cmd.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2072
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\RuntimeCommon\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1004
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\RuntimeCommon\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\RuntimeCommon\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1176

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        1
        T1112

        Subvert Trust Controls

        1
        T1553

        Install Root Certificate

        1
        T1553.004

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\FPjzsJZtPn.bat
          Filesize

          232B

          MD5

          e3cb383d3418f6dc8b0c2fc21ac80aa7

          SHA1

          89c04797618f2792e057ea4bd7aa4a7aebdfa50a

          SHA256

          ff4519900ed6f08cfb35f368b0e9777ff5335ee7f997c7a232eb4982a0487533

          SHA512

          b788e7df02844ae495cfbfd5c61b48c216ba1bc949f3522501b17cdee8211be29eba34db28252d571fc9a85b49d4b9fc5e7e92e6d8dbb802085d9c041986773a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          84bfdcda46018c5468f207215bf75b7f

          SHA1

          1d98ef42a11bcc278c71c6791892cad1f2058acc

          SHA256

          d3ab93950e845dc1a1ca3100ef60d82b76095c45baf4c855226c878998ab64a6

          SHA512

          ad5b61e6cdb8778afe660e590246182073b68b043f4cc3973de6a808f5b2ef8be7bfdeb4545a0e5735ddf55f263047c097214eca2eb3ecd94105eebc7d7111bb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\RuntimeCommon\dllhost.exe
          Filesize

          1.9MB

          MD5

          9cbcec555db92b9c29489e35ad17c52b

          SHA1

          bbf76eedd98f96f53407ffaace7ac94deffeb765

          SHA256

          0d921095b78d10f3c4bb80098af0d584e2c87d8d4836702b6430361ae93b7b84

          SHA512

          db759631fecae0746d395828abb4a43220d9ac5e64c5b8f9f12462077e77f076bedfb797f0eafc12a833b7251baa35d76432d557a39ff699b7cffcd96eec19d6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\RuntimeCommon\n5Mkbvfp2mXkr7Yk.vbe
          Filesize

          238B

          MD5

          82fc5ac2f26d80b31b810fec1c33540d

          SHA1

          2d1a94df4c1680a7a60b8dd7bf22096f2b246c1e

          SHA256

          e301009c7f2b6a6be44a3516184a925a176195d1354e15a365303131a783e39d

          SHA512

          308e4df54666d498fefc371de3f5097170531f590c814778dbaa684179ee7da15d6b72df624bd89851f6b3ca30e31fce40313ba2bebb3a835e1356a6cb48abe9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\RuntimeCommon\xnL4kmC5Grvm10ef82Ks66FPsrKA2VcKc8wQTuDF.bat
          Filesize

          92B

          MD5

          fdc6ba2f585a47ed1a6673f3c4de744b

          SHA1

          2b6084987fd2ce78688324c35faee7e810850b19

          SHA256

          cd9fd752e87320d974b3e8299795e817cbdfda67f0ba923b595af13e72ebbacc

          SHA512

          f66eca0945f6ea0f3977a6263ad49f99112a99cfdec9c59b5496346e5a81d4273bd2d7e3c2a8af06a9ef577761a2266aef89c4063502e6c81f56c63b18b7ff37

          Download Submit

        • \Users\Admin\AppData\Local\Temp\injector.exe
          Filesize

          2.2MB

          MD5

          f9a2abe9311f9df90af80bef85ff17ca

          SHA1

          819937e3df12ea3860f6643d053ae88902642c63

          SHA256

          4d07179a86a3c34a802b847144df3d319c0666614f530ec0c3d17ff818e6903c

          SHA512

          c6ca8d144604ef252198a5f8f370aa25ee5ff0d3a17636eb2bd3dfcfb7708a955e57ad1ebba6b1f5283591738c8a8ebfffadb2423937f1be5438ee1fabac8471

          Download Submit

        • \Users\Admin\AppData\Local\Temp\launcher.exe
          Filesize

          256KB

          MD5

          586e3e8f9e5dd47b4bdc123028ba3bc7

          SHA1

          cf0340319970ae19544e33b73f167ebd0a485d73

          SHA256

          15bfe7f001eceb01074d1e0db66e8932c7fe03b262c173948551389f27bc61fd

          SHA512

          96d6d48af9342f17e8b59f18359c28955f17af0cf1c2952914932efdbb521b317c15fb76b24b48a588849b4763ff67ca1e7849b192c83ff8c711d96818b8c36f

          Download Submit

        • memory/1576-11-0x0000000000400000-0x000000000068B000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2180-74-0x000000001B500000-0x000000001B7E2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2180-75-0x0000000001F00000-0x0000000001F08000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2792-31-0x00000000005B0000-0x00000000005CC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2792-37-0x00000000005A0000-0x00000000005A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2792-39-0x00000000005D0000-0x00000000005DC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2792-35-0x0000000000590000-0x000000000059E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2792-33-0x00000000006F0000-0x0000000000708000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2792-29-0x0000000000380000-0x000000000038E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2792-27-0x0000000000ED0000-0x00000000010B8000-memory.dmp

          Filesize

          1.9MB

          Download