Overview

overview

10

Static

static

3

b330a516dc...16.exe

windows7-x64

10

b330a516dc...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-02-2025 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b330a516dc2ed01776ad58b0dc970216.exe

  • Size

    1.6MB

  • MD5

    b330a516dc2ed01776ad58b0dc970216

  • SHA1

    78db141d31b8131aabd9ba1c9144a33c8cd6842b

  • SHA256

    2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2

  • SHA512

    f25f66055176b4060b94ff3c765d54d6d7ee0186b70001205c2e65696180a57b32de897df1664bad8611f81da0f3267b6daf9eea46a0c68c4746c54a56999209

  • SSDEEP

    24576:GlZi59u2GRCRXXdoOH0dMPg/riXqsLS29ryVYNN+GCiRtnATOD:GPfsDHwsg/riE29rC2+GJRVA

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe
    "C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qdo1p3u5\qdo1p3u5.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA98.tmp" "c:\Windows\System32\CSC475E19FAE1D94191BEC44ADB6473626D.TMP"
        3⤵
          PID:2876
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fq8aI4uEjK.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2196
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2212
          • C:\Users\All Users\Desktop\OSPPSVC.exe
            "C:\Users\All Users\Desktop\OSPPSVC.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\ja-JP\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2828
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\ja-JP\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1744
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b330a516dc2ed01776ad58b0dc970216b" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b330a516dc2ed01776ad58b0dc970216" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b330a516dc2ed01776ad58b0dc970216b" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\b330a516dc2ed01776ad58b0dc970216.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2920

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Windows Sidebar\ja-JP\lsass.exe
        Filesize

        1.6MB

        MD5

        b330a516dc2ed01776ad58b0dc970216

        SHA1

        78db141d31b8131aabd9ba1c9144a33c8cd6842b

        SHA256

        2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2

        SHA512

        f25f66055176b4060b94ff3c765d54d6d7ee0186b70001205c2e65696180a57b32de897df1664bad8611f81da0f3267b6daf9eea46a0c68c4746c54a56999209

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Fq8aI4uEjK.bat
        Filesize

        166B

        MD5

        11f3d2c95bd3a2614a08f32198a68565

        SHA1

        3735fb14eb2ce51aaa322280ce0727a40cad040a

        SHA256

        39fc069a9a7ad701feb3e2c26c4ba656f11143a6cd99c8e0cb3189ec060168a8

        SHA512

        97bda60163a9dba9c952b0b61189596030351349bd8f64065a89896ee9da3afdf285e23055053fd9266ab5ce98d705959c89c00fb055bbe88b8406398ed5c94d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESBA98.tmp
        Filesize

        1KB

        MD5

        629314d800a9d150f2278ca0f3529479

        SHA1

        4cb734afa6092663019075940a3bbff2d11c4ecc

        SHA256

        5dc2d799ddc81222d2eecdc02b6588a00ca3ebb4d3e0b01217de17399b5432bc

        SHA512

        d3ac3d88893a060bd6f5ccf11037eab59194838920c36f53d97ad742ee8f40383676917a999f90fbf14125a40b4e409d826fe4c70cd8ee12a1e166b639fdaaa9

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\qdo1p3u5\qdo1p3u5.0.cs
        Filesize

        380B

        MD5

        365bffd0fa3b8a9cd3ea46934a69ade3

        SHA1

        10e8c74f6f3a36d1e1e1988dbf6d7986aa583b46

        SHA256

        77f1dc994c5739742369ebf55216bef9a4d3a454a663d4d6b03667063d5c46a1

        SHA512

        571c6d7853f49956d11f1313becb53c163f7b724b3b703e61287e606462a8fca7fdeb8b59f6524837003a93b5974552a6add96d26b846601dc6386c9fb942c46

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\qdo1p3u5\qdo1p3u5.cmdline
        Filesize

        235B

        MD5

        5a8d55afd9922f6b918c9072115a6db2

        SHA1

        4d3f362883794c83e7f2d96a6c743e40683b2c28

        SHA256

        71f1f7440305646a1b02866b8046d8db37cfff6b4b7f662443fc7c1bf75ba604

        SHA512

        7ade2a30ff03c4a90fbf57347b30068436d8ab76302241a3681cf42f4bf0d1c7b7f7b6a457b96dd7a11aa18a7147b5081c479881306e08bbd6d9a3d033fbe4a8

        Download Submit

      • \??\c:\Windows\System32\CSC475E19FAE1D94191BEC44ADB6473626D.TMP
        Filesize

        1KB

        MD5

        02b6f6024c0f35b2dfb735e30d40ea59

        SHA1

        9e28d1d16523aab5845e09fdecf27759375f9b5a

        SHA256

        17491f9c7a135563b4c9dd20e2113e934070166146005e0f97ab301f4a5ef4aa

        SHA512

        a8a734f3d0f4d6a8904a8faa5638db91e9034c55306f153fdf321731cdfaaa58847d731ee64b226df0bd6cd4b8e6ed6d2ed1af77f510e079755f7159af433672

        Download Submit

      • memory/772-42-0x00000000003C0000-0x000000000056A000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2428-4-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2428-19-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2428-9-0x0000000000550000-0x000000000055C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2428-7-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2428-6-0x0000000000440000-0x000000000044E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2428-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-3-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2428-38-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2428-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2428-1-0x0000000000250000-0x00000000003FA000-memory.dmp

        Filesize

        1.7MB

        Download