Overview

overview

10

Static

static

3

FCD38CBAA3...CC.exe

windows7-x64

10

FCD38CBAA3...CC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2025 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FCD38CBAA3982793517697BF89F666CC.exe

  • Size

    1.8MB

  • MD5

    fcd38cbaa3982793517697bf89f666cc

  • SHA1

    c345ceffabb9decaaa1e7a4f9582313401cbd589

  • SHA256

    2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

  • SHA512

    8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d

  • SSDEEP

    24576:QNHIUS4ZU8NigrQ1JKwsy3CL3sZb2W2LimA2putPYrrJUHJZ5HwhJ5Ji2aaf1kWT:oII8LFCL3sZqd204AKHFgTI2aU1kW

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe
    "C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcpsovag\kcpsovag.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CFE.tmp" "c:\Windows\System32\CSC4373E19363AD45A4AB15797FD6532B21.TMP"
        3⤵
          PID:1800
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gcc3qDKvxN.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1860
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1152
          • C:\Users\All Users\SoftwareDistribution\taskhostw.exe
            "C:\Users\All Users\SoftwareDistribution\taskhostw.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4928
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\IdentityCRL\INT\sysmon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2024
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1564
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SoftwareDistribution\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\SoftwareDistribution\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3748
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "FCD38CBAA3982793517697BF89F666CCF" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "FCD38CBAA3982793517697BF89F666CC" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "FCD38CBAA3982793517697BF89F666CCF" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5096

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Gcc3qDKvxN.bat
        Filesize

        181B

        MD5

        3d3478a4cd53bdaa470b2d504697c5c2

        SHA1

        cc29aee4d94ec350dd01c199b6fb03271b32cff9

        SHA256

        fd336c0e05dcb06d5e7a21876fbbe3a0cc04807a47add382cfa5072d86ec0d43

        SHA512

        e11bb63ab54f546d64da2875560fb6e4cec1fe3cd3d62b524a6a90010be5d580e8eb91e66dbfef20beefaf180231460e2ac60e6283e543fbb4332cba41f8576c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES8CFE.tmp
        Filesize

        1KB

        MD5

        7e5499c266aed72cae35a68b3d5aaa6f

        SHA1

        ce65fc58412359edf861aeddd1123588e2c46ce3

        SHA256

        8449029b6593ed739109b21cb46af33c9440e72d484609d5116018b808a8a6b4

        SHA512

        1c01baf897bec5fa08c6b33cf2b090b46df43955c1d9f66082bc25ae7ed606b40f73d64824a97ab8c25c4b491fb71d13c6a8b5a5c06c48284fe622e09f3805ee

        Download Submit

      • C:\Users\Public\dllhost.exe
        Filesize

        1.8MB

        MD5

        fcd38cbaa3982793517697bf89f666cc

        SHA1

        c345ceffabb9decaaa1e7a4f9582313401cbd589

        SHA256

        2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

        SHA512

        8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kcpsovag\kcpsovag.0.cs
        Filesize

        359B

        MD5

        1901fbfd40639b52f3de7f58fa76dda7

        SHA1

        d5917647ad60e77510f11fefe135ad7cd9b383dd

        SHA256

        d3e24f6e43ad7e1deea6ad7f02f67239e806d639c54238c1a946f268265e096e

        SHA512

        3ca054d527bcf53513971afdffe05bcbc39f95481d8e8e5701738ba3d985d00902dd8e6111b728e5600797f80e4e9cc79cfa485bd4ec224b5073248d95a055d9

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kcpsovag\kcpsovag.cmdline
        Filesize

        235B

        MD5

        d7b21db8db3ecb380cfd8b6b7f5da352

        SHA1

        208204d5580b499f8740e65448e63776aea7b26d

        SHA256

        e5b5193c777229524bf54640c3ed811488cbcf6536490d8705f3269d47334e0b

        SHA512

        b585e53e32f2e14e1951e792e990cb7dfb7cb947c80df5f7f3a8eb1a907412fb92c3c712bbe090ccb5914a242569f4e60c13359a993fac9ad1cb6a3821bc15d4

        Download Submit

      • \??\c:\Windows\System32\CSC4373E19363AD45A4AB15797FD6532B21.TMP
        Filesize

        1KB

        MD5

        055343d2349db4836daceb1c553fb8db

        SHA1

        6d26ab027d2fe8077a70c255da49d43104c40c9c

        SHA256

        725a99c4f34607ad0421d5d87b24adf97237cd9ec2457816436b00f3c0d7a22a

        SHA512

        3b5460fbe57d9db9d12b274cebe02a20dfc3249097aeb3d543bb6d2332c7e79aa1bd4921ff254b457e8d545d5ea543b25d6d696a9cd93261838c5e941123438c

        Download Submit

      • memory/3764-15-0x0000000003380000-0x000000000338C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3764-29-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-12-0x000000001BD00000-0x000000001BD18000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3764-10-0x000000001C190000-0x000000001C1E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3764-13-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-16-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-0-0x00007FF8C8573000-0x00007FF8C8575000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3764-17-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-7-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-9-0x000000001BCE0000-0x000000001BCFC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3764-30-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-33-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-35-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-6-0x0000000003260000-0x000000000326E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3764-4-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-3-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-2-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3764-1-0x0000000000FD0000-0x00000000011AA000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/3764-51-0x00007FF8C8570000-0x00007FF8C9031000-memory.dmp

        Filesize

        10.8MB

        Download