Overview

overview

10

Static

static

10

3dce7fce69...81.exe

windows7-x64

10

3dce7fce69...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2025 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3dce7fce69c35c15988ad7bc647d4681.exe

  • Size

    2.7MB

  • MD5

    3dce7fce69c35c15988ad7bc647d4681

  • SHA1

    bf0b951d922c6e92e40cec56f641a0c48da49b57

  • SHA256

    534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb

  • SHA512

    99e11b00a61b901a0954dbdd6c1b533c2898662584ea296fd1a92b790ffe10690cf2acba4b595e9d517fc3088ec03450c1d1ee1ce9ae8cfe1a15f24ae14ad33e

  • SSDEEP

    49152:Ano0OKQIQaPECv3la9Bc0JpOkFl5B9LzYSbqtR6v:hMvlyG0JpOG50SbOg

Score
10/10
dcratdefense_evasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dce7fce69c35c15988ad7bc647d4681.exe
    "C:\Users\Admin\AppData\Local\Temp\3dce7fce69c35c15988ad7bc647d4681.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4456
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xqMEPA9M3G.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4240
        • C:\Recovery\WindowsRE\Idle.exe
          "C:\Recovery\WindowsRE\Idle.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:3176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1684

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\WindowsRE\Idle.exe
      Filesize

      2.7MB

      MD5

      fcee0616fac5d900415914424278018f

      SHA1

      f289f1a9274f121f245fa9671480ae251a829934

      SHA256

      5d1a251a8a296db513c13a195f71fc2cfbfb1b11009b2a6f11ab3c81ef9e5d68

      SHA512

      79105e57c18b0275536a240c274e15737b5df7cf63079812aafeac7ab222e3dfab8ef3ead6ca8aa95a456a772dd547ca16472a604a15b1d3704e35ff83b62cc7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RCXB518.tmp
      Filesize

      2.7MB

      MD5

      3dce7fce69c35c15988ad7bc647d4681

      SHA1

      bf0b951d922c6e92e40cec56f641a0c48da49b57

      SHA256

      534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb

      SHA512

      99e11b00a61b901a0954dbdd6c1b533c2898662584ea296fd1a92b790ffe10690cf2acba4b595e9d517fc3088ec03450c1d1ee1ce9ae8cfe1a15f24ae14ad33e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xqMEPA9M3G.bat
      Filesize

      195B

      MD5

      599f4dde11124ba673f39e94b7a5fc3a

      SHA1

      9f72a42d6b1cff91b8b4d4d6f439ba001c14533c

      SHA256

      c37fb9a26594b85e31a433790b0717bcfa38475b6a4461ad9abcd5536f3a36f9

      SHA512

      081512fb581e8d0a461b13dfc997b7564a43a67b28680eef360166a6443bde445a1333bee888f29f03bd3f4e65c00ef4df4dab77ec2b1d4938d4fe262a5ca6a1

      Download Submit

    • memory/3176-92-0x000000001C4C0000-0x000000001C4D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3176-91-0x0000000000EB0000-0x0000000001164000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4456-14-0x000000001C570000-0x000000001CA98000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4456-16-0x000000001C040000-0x000000001C048000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4456-6-0x0000000002D90000-0x0000000002D98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4456-8-0x000000001B7F0000-0x000000001B806000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4456-10-0x000000001B8A0000-0x000000001B8AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4456-9-0x000000001B810000-0x000000001B818000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4456-11-0x000000001B8B0000-0x000000001B906000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4456-12-0x000000001B820000-0x000000001B828000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4456-13-0x000000001B830000-0x000000001B842000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4456-0-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4456-17-0x000000001C150000-0x000000001C15C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4456-7-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4456-15-0x000000001B900000-0x000000001B908000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4456-19-0x000000001C060000-0x000000001C06C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4456-18-0x000000001C050000-0x000000001C05E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4456-20-0x000000001C070000-0x000000001C07A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4456-21-0x000000001C080000-0x000000001C08C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4456-5-0x000000001B850000-0x000000001B8A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4456-4-0x000000001B7C0000-0x000000001B7DC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4456-3-0x0000000002D80000-0x0000000002D8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4456-87-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4456-2-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4456-1-0x00000000009F0000-0x0000000000CA4000-memory.dmp

      Filesize

      2.7MB

      Download