Overview

overview

10

Static

static

10

26c6ef53b2...8N.exe

windows7-x64

10

26c6ef53b2...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2025 00:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26c6ef53b2879f9186b0d848992fd353adea2b66169eee692c14c8fde230bcc8N.exe

  • Size

    984KB

  • MD5

    b813c234f84296fc8c62e48152bf2d20

  • SHA1

    6448ce15c36cdd80c54a3921a0250c7d4567b343

  • SHA256

    26c6ef53b2879f9186b0d848992fd353adea2b66169eee692c14c8fde230bcc8

  • SHA512

    1b7a317447a1ad86db00d29e9a247555e8cf748369ba35851001fd04501bb01bac69ad6474ed219e530822be7544849b087aa3102cd6d96e9c1cb2f3606b24cc

  • SSDEEP

    12288:MyEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgo:MyErYT+PvXIUln/1GJgo

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\26c6ef53b2879f9186b0d848992fd353adea2b66169eee692c14c8fde230bcc8N.exe
    "C:\Users\Admin\AppData\Local\Temp\26c6ef53b2879f9186b0d848992fd353adea2b66169eee692c14c8fde230bcc8N.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UwlPBWA7TM.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1584
        • C:\Program Files\Reference Assemblies\Microsoft\audiodg.exe
          "C:\Program Files\Reference Assemblies\Microsoft\audiodg.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\actionqueue\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Reference Assemblies\Microsoft\audiodg.exe
      Filesize

      984KB

      MD5

      2249ef36eb14a043ed2c9bbabe7b7f17

      SHA1

      e6af3b5f7ec67eb773fd9aa5df34154380c47fde

      SHA256

      02741013bbb1febd94ffcd0166b3c2d790eb89b1ede37a38991d68b06e7a12a6

      SHA512

      477953feff4201c34b1ce488881d084681fe714aacb59f3c77e0ee128931eb1e2176e748c569d26e8c34ec2493da719c1787749cfdc926774ca866e9a938a1eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RCXDAB6.tmp
      Filesize

      984KB

      MD5

      b813c234f84296fc8c62e48152bf2d20

      SHA1

      6448ce15c36cdd80c54a3921a0250c7d4567b343

      SHA256

      26c6ef53b2879f9186b0d848992fd353adea2b66169eee692c14c8fde230bcc8

      SHA512

      1b7a317447a1ad86db00d29e9a247555e8cf748369ba35851001fd04501bb01bac69ad6474ed219e530822be7544849b087aa3102cd6d96e9c1cb2f3606b24cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\UwlPBWA7TM.bat
      Filesize

      224B

      MD5

      156056c493f8cfb841a9bb81265796bb

      SHA1

      332bd18ccea0b6655369f2be32f42f5a54f159aa

      SHA256

      d07b58274cbddca3265ecb44744e6c17814db4c14df81a3d6cd3f5db3361014c

      SHA512

      d91dbcd093d0e32148a10d42d79b83caba45b1ac1e9e217e34d65e1260cb36deca3b88b8e7393a367fcd3d6617688721911e0f6f45d6a6e2dec96652176281b6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      81f16c9668d576fab08b9aec55f1e8bf

      SHA1

      f6deab4ce5839e6742c182de32a4495907198c79

      SHA256

      4f009fb021b4daebcc646ff877bdb010787f33e088d3e4870adf090cdf215eda

      SHA512

      b7efc8c5b6908cee67ebe42c1aa085ae36bd82f8f90f5a6af44f02048c4752f2da1a37c7193b0d5520a201b222d24c911f992d2b88016af059cd84c7828d0c90

      Download Submit

    • memory/2128-6-0x00000000002F0000-0x0000000000306000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2128-11-0x00000000006C0000-0x00000000006C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2128-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2128-7-0x0000000000320000-0x000000000032A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2128-8-0x0000000000330000-0x000000000033C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2128-9-0x00000000004A0000-0x00000000004AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2128-10-0x00000000006F0000-0x00000000006FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2128-13-0x00000000006E0000-0x00000000006EC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2128-12-0x00000000006D0000-0x00000000006DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2128-5-0x0000000000260000-0x0000000000270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2128-15-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2128-14-0x0000000000700000-0x000000000070C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2128-4-0x0000000000250000-0x0000000000258000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2128-3-0x0000000000140000-0x000000000014E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2128-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2128-86-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2128-1-0x0000000000800000-0x00000000008FC000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/2140-131-0x0000000000AB0000-0x0000000000BAC000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/2896-92-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2896-87-0x000000001B700000-0x000000001B9E2000-memory.dmp

      Filesize

      2.9MB

      Download