Overview

overview

10

Static

static

10

0ce8e2125c...fa.exe

windows7-x64

10

0ce8e2125c...fa.exe

windows10-2004-x64

10

0d08fd5994...a1.exe

windows7-x64

10

0d08fd5994...a1.exe

windows10-2004-x64

10

0d39a7ade0...a9.exe

windows7-x64

10

0d39a7ade0...a9.exe

windows10-2004-x64

10

0d7cbc8822...d3.exe

windows7-x64

10

0d7cbc8822...d3.exe

windows10-2004-x64

10

0da351d641...30.exe

windows7-x64

10

0da351d641...30.exe

windows10-2004-x64

10

0dcb9d68dd...81.exe

windows7-x64

10

0dcb9d68dd...81.exe

windows10-2004-x64

10

0de35a9720...08.exe

windows7-x64

3

0de35a9720...08.exe

windows10-2004-x64

3

0df2367bf9...81.exe

windows7-x64

10

0df2367bf9...81.exe

windows10-2004-x64

7

0df7144ed5...52.exe

windows7-x64

10

0df7144ed5...52.exe

windows10-2004-x64

10

0df97b99ca...e3.exe

windows7-x64

1

0df97b99ca...e3.exe

windows10-2004-x64

4

0e48a47f40...30.exe

windows7-x64

10

0e48a47f40...30.exe

windows10-2004-x64

10

0e820aad5e...54.exe

windows7-x64

10

0e820aad5e...54.exe

windows10-2004-x64

10

0ea0e36c70...d3.exe

windows7-x64

10

0ea0e36c70...d3.exe

windows10-2004-x64

10

0eb27c6385...3a.exe

windows7-x64

10

0eb27c6385...3a.exe

windows10-2004-x64

10

0ee8580c3e...ef.exe

windows7-x64

10

0ee8580c3e...ef.exe

windows10-2004-x64

10

0eed307263...f5.exe

windows7-x64

10

0eed307263...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d39a7ade0eaa19a185fc11508caeba9.exe

  • Size

    920KB

  • MD5

    0d39a7ade0eaa19a185fc11508caeba9

  • SHA1

    5083d9622465c43bc02a1edd71acd1d9ae75270c

  • SHA256

    51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea

  • SHA512

    480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0

  • SSDEEP

    12288:lANcYfRu9sAPayJk5cz9VBRmWAJXJmn72Rfc/G/BwG5vo5YTJRI1m2h47oJuzlZ4:lAbJwPa3YnGWnSR/uGuFQaRQj/

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 30 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
    persistence
  • Process spawned unexpected child process 28 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 28 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe
    "C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe
      "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "46g4services" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "yIGHservices" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "USRMservices" /sc ONSTART /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "rcR3wininit" /sc MINUTE /mo 12 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "EKqbwininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "jTb6wininit" /sc ONSTART /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc MINUTE /mo 9 /tr "'C:\Users\Public\wininit.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Hbbusppsvc" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IxXvsppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "vg6bsppsvc" /sc ONSTART /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "7Tzkexplorer" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Tao0explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "39Izexplorer" /sc ONSTART /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "03lIlsass" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "oGGslsass" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ldb7lsass" /sc ONSTART /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Start Menu\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "0dgmspoolsv" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "pzijspoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "iPm2spoolsv" /sc ONSTART /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "hkOVtaskhost" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Templates\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "3Q0Otaskhost" /sc ONLOGON /tr "'C:\ProgramData\Templates\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "xlSVtaskhost" /sc ONSTART /tr "'C:\ProgramData\Templates\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Templates\taskhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Media Player\it-IT\explorer.exe
    Filesize

    920KB

    MD5

    8127f685ac1eec6d1e0f7fb927f2943f

    SHA1

    64b311898fb9791f3cf142f9aff6e9c766bd671f

    SHA256

    b723bb863c2d778f8c3e6cdcd1bdd4be2cbbbad626ff2d960f481f1f0a8d1942

    SHA512

    d3c94610a2706a6bffa98ab7d5af434b978e7d2ec24af7f0a955fb37eba18e1ce02a2bef0169f0bede09f0ee5a1d955032f274e06723904645655f6356637977

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\lsass.exe
    Filesize

    920KB

    MD5

    0d39a7ade0eaa19a185fc11508caeba9

    SHA1

    5083d9622465c43bc02a1edd71acd1d9ae75270c

    SHA256

    51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea

    SHA512

    480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0

    Download Submit

  • C:\Windows\PolicyDefinitions\ja-JP\services.exe
    Filesize

    920KB

    MD5

    ef3aa23b274059099bfecfdcc71ae015

    SHA1

    71e2e29b496f5a15ec0a476dcfdc40560edafcd9

    SHA256

    e19039d4e09e510c0f9c9583d7c2ea131e11393ea7d0df23a5e4cb66d67abf03

    SHA512

    95db1bfc1438d56a0aa29429ea60c5cd05bc2cf7e1ddec7640697f91b5de404f137a79efe6ba50fcd6d9d06ecfc426c1c638fb70c6ed9011841da9912e9ef2e5

    Download Submit

  • memory/1728-4-0x0000000000160000-0x0000000000170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1728-5-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-6-0x0000000000280000-0x0000000000292000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1728-7-0x0000000000330000-0x000000000033C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1728-8-0x00000000004D0000-0x00000000004DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1728-9-0x0000000000340000-0x0000000000348000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1728-3-0x0000000000140000-0x000000000015C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1728-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1728-1-0x0000000000C00000-0x0000000000CEC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/1728-116-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2304-115-0x0000000000CE0000-0x0000000000DCC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2304-117-0x0000000000300000-0x0000000000312000-memory.dmp

    Filesize

    72KB

    Download