Overview

overview

10

Static

static

3

b330a516dc...16.exe

windows7-x64

10

b330a516dc...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-02-2025 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b330a516dc2ed01776ad58b0dc970216.exe

  • Size

    1.6MB

  • MD5

    b330a516dc2ed01776ad58b0dc970216

  • SHA1

    78db141d31b8131aabd9ba1c9144a33c8cd6842b

  • SHA256

    2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2

  • SHA512

    f25f66055176b4060b94ff3c765d54d6d7ee0186b70001205c2e65696180a57b32de897df1664bad8611f81da0f3267b6daf9eea46a0c68c4746c54a56999209

  • SSDEEP

    24576:GlZi59u2GRCRXXdoOH0dMPg/riXqsLS29ryVYNN+GCiRtnATOD:GPfsDHwsg/riE29rC2+GJRVA

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe
    "C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e2snvw2o\e2snvw2o.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES756E.tmp" "c:\Windows\System32\CSC55B16C27EFFF421984F8FBCE4B7FB8AF.TMP"
        3⤵
          PID:580
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ejRGfI2ABE.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2028
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:1168
            • C:\Program Files (x86)\Windows Media Player\audiodg.exe
              "C:\Program Files (x86)\Windows Media Player\audiodg.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2700
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Fonts\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2376
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1084
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\audiodg.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2872
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "b330a516dc2ed01776ad58b0dc970216b" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1580
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "b330a516dc2ed01776ad58b0dc970216" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "b330a516dc2ed01776ad58b0dc970216b" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2260

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\MSBuild\Microsoft\Idle.exe
          Filesize

          1.6MB

          MD5

          b330a516dc2ed01776ad58b0dc970216

          SHA1

          78db141d31b8131aabd9ba1c9144a33c8cd6842b

          SHA256

          2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2

          SHA512

          f25f66055176b4060b94ff3c765d54d6d7ee0186b70001205c2e65696180a57b32de897df1664bad8611f81da0f3267b6daf9eea46a0c68c4746c54a56999209

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES756E.tmp
          Filesize

          1KB

          MD5

          7ad0813c37ceda07a7e8baaacee6ee60

          SHA1

          73a826927e776b043eb766fe9d6d13cd12b776f4

          SHA256

          a9cdc9ae12f1247ce21d576e63d11642bce6d3e984cc4eebe5bdcf2a15922aee

          SHA512

          adddde87b817cda2b8595bfccdf25bfec6645dc927bbf5cc635db8cacaedea1b0d4f8e85157892a958e2108149f53653a32961560aea806f53233d2d99ff8a71

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ejRGfI2ABE.bat
          Filesize

          231B

          MD5

          335dbd47332d2560c9b573373f13e725

          SHA1

          be1965ae1815d91399bb8aa8d84792966b388b36

          SHA256

          84410000989d762d8934d6e385b7f18c02c25c6f72d2714f352f678dda369040

          SHA512

          1a5510a328a771fe9e851b264510a7d7c551892df618218aeac4c6df76cc4072503c69f21929f091dfaabd7f5c18782a2035db1cf324aa9c746506dd696a9e04

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\e2snvw2o\e2snvw2o.0.cs
          Filesize

          375B

          MD5

          cf6699df0dba00b34e526527b0214463

          SHA1

          39e035dc825566162f4de1e8072db55f3f434237

          SHA256

          d2861a0ba2fd639c79646e0e825c86dd06a857a775528625789da2b6d93d17cc

          SHA512

          fe2f87490edd4520ab91a2e8a0550dfdc00c04fd67633c974694ddf8c97460ae44dde33fb7546576706ae129cedb24742ddc769c0255cc63faf71b623ed97b41

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\e2snvw2o\e2snvw2o.cmdline
          Filesize

          235B

          MD5

          be6b6f26eca6505c9ba335a9ae0fa7e3

          SHA1

          72759e60c60586468c3e61ab82776649a87d8d69

          SHA256

          b5b93ec9602ae19b16a98f018b198be0e3c3294288557d8544cca0569ba458fc

          SHA512

          bbedb5d8fd0144d35f2563e781d4339ab6bdf013a245428345073910338814cbdb0e23050c41c1a6b618e0bca51dcae66197c6e19289b77c73a1f7a5fcfb913e

          Download Submit

        • \??\c:\Windows\System32\CSC55B16C27EFFF421984F8FBCE4B7FB8AF.TMP
          Filesize

          1KB

          MD5

          dbb2cd021b80875d9c777c705ef845c8

          SHA1

          3ed0cde3b4f4d8267c3cddd37dd4ede100b5ecce

          SHA256

          a4d8c8c391bc1975510bdea24653db0f578d998dead4ce7f8a85eb8fbb3ec829

          SHA512

          a8076e4d1b1641e189d2066050809ce0cce557e23c110fba77c2cfb7448b5915252b2e2f4d3443f708941277b947b951cfba6c191980a09b8c7710589c766c8e

          Download Submit

        • memory/2452-43-0x00000000001C0000-0x000000000036A000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2876-4-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2876-11-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2876-9-0x00000000002B0000-0x00000000002BC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2876-10-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2876-7-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2876-6-0x00000000002A0000-0x00000000002AE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2876-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2876-3-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2876-2-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2876-40-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2876-1-0x0000000000E80000-0x000000000102A000-memory.dmp

          Filesize

          1.7MB

          Download