Overview

overview

10

Static

static

10

b8b78dcf13...d2.exe

windows7-x64

10

b8b78dcf13...d2.exe

windows10-2004-x64

10

b8d253be83...33.exe

windows7-x64

10

b8d253be83...33.exe

windows10-2004-x64

7

b8ed4395ab...f9.exe

windows7-x64

7

b8ed4395ab...f9.exe

windows10-2004-x64

7

b93347150f...89.exe

windows7-x64

1

b93347150f...89.exe

windows10-2004-x64

1

b936c3a846...59.exe

windows7-x64

1

b936c3a846...59.exe

windows10-2004-x64

1

b985e2e2a0...ef.exe

windows7-x64

3

b985e2e2a0...ef.exe

windows10-2004-x64

10

b99adb733f...40.exe

windows7-x64

10

b99adb733f...40.exe

windows10-2004-x64

10

b9cfd0a072...65.exe

windows7-x64

10

b9cfd0a072...65.exe

windows10-2004-x64

10

b9d4ce4583...bc.exe

windows7-x64

10

b9d4ce4583...bc.exe

windows10-2004-x64

10

b9eb72c666...72.exe

windows7-x64

10

b9eb72c666...72.exe

windows10-2004-x64

10

b9f7b13b1d...ef.exe

windows7-x64

10

b9f7b13b1d...ef.exe

windows10-2004-x64

10

ba0566e43d...23.exe

windows7-x64

1

ba0566e43d...23.exe

windows10-2004-x64

1

ba21b0abda...c0.exe

windows7-x64

9

ba21b0abda...c0.exe

windows10-2004-x64

9

ba4d84a77a...85.exe

windows7-x64

10

ba4d84a77a...85.exe

windows10-2004-x64

10

ba598ceed6...17.exe

windows7-x64

10

ba598ceed6...17.exe

windows10-2004-x64

10

ba6c7a8dc7...59.exe

windows7-x64

10

ba6c7a8dc7...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba6c7a8dc76a63c70a2e018c2bd2a059.exe

  • Size

    984KB

  • MD5

    ba6c7a8dc76a63c70a2e018c2bd2a059

  • SHA1

    180970254354af46194e8ff74362230c6b667cd6

  • SHA256

    89333332d2bf50e37c6df1a85b3d03d7f6bdd1b16fae842656dab89ba42252ec

  • SHA512

    cfc904608b4af9b6be68c3750fb3b134e88c387c5521e4d4e9a4dd2a26cfc17774096d78e5c50bdffa7d0e12c941c850f72de46e639d441b511f193dc5d7ce6e

  • SSDEEP

    12288:zzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:zzZvuGD2PvA5YxwmbZB6Uv

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba6c7a8dc76a63c70a2e018c2bd2a059.exe
    "C:\Users\Admin\AppData\Local\Temp\ba6c7a8dc76a63c70a2e018c2bd2a059.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Windows\System32\dispex\winlogon.exe
      "C:\Windows\System32\dispex\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\dispex\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\interop\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dllhost.exe
    Filesize

    984KB

    MD5

    ba6c7a8dc76a63c70a2e018c2bd2a059

    SHA1

    180970254354af46194e8ff74362230c6b667cd6

    SHA256

    89333332d2bf50e37c6df1a85b3d03d7f6bdd1b16fae842656dab89ba42252ec

    SHA512

    cfc904608b4af9b6be68c3750fb3b134e88c387c5521e4d4e9a4dd2a26cfc17774096d78e5c50bdffa7d0e12c941c850f72de46e639d441b511f193dc5d7ce6e

    Download Submit

  • memory/592-4-0x0000000000140000-0x0000000000150000-memory.dmp

    Filesize

    64KB

    Download

  • memory/592-9-0x00000000005E0000-0x00000000005F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/592-6-0x0000000000430000-0x0000000000438000-memory.dmp

    Filesize

    32KB

    Download

  • memory/592-7-0x0000000000440000-0x0000000000450000-memory.dmp

    Filesize

    64KB

    Download

  • memory/592-5-0x0000000000420000-0x0000000000430000-memory.dmp

    Filesize

    64KB

    Download

  • memory/592-0-0x000007FEF59D3000-0x000007FEF59D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/592-3-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/592-2-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/592-10-0x0000000000610000-0x000000000061C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/592-8-0x00000000005D0000-0x00000000005DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/592-1-0x0000000000C20000-0x0000000000D1C000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/592-82-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2652-81-0x0000000000CD0000-0x0000000000DCC000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/2652-83-0x0000000000B90000-0x0000000000BA2000-memory.dmp

    Filesize

    72KB

    Download