Overview

overview

10

Static

static

10

012700a410...85.exe

windows10-2004-x64

10

02a23f59da...1f.exe

windows10-2004-x64

10

053ddd7019...99.exe

windows10-2004-x64

10

072f59f857...a5.exe

windows7-x64

1

072f59f857...a5.exe

windows10-2004-x64

1

07b9d54ca0...2c.exe

windows10-2004-x64

10

085092942b...7b.elf

ubuntu-18.04-amd64

085092942b...7b.elf

debian-9-armhf

085092942b...7b.elf

debian-9-mips

085092942b...7b.elf

debian-9-mipsel

08cbd1cc0c...d1.elf

debian-12-armhf

1

0a50e4e96f...61.exe

windows7-x64

10

0a50e4e96f...61.exe

windows10-2004-x64

10

0bdd1bc4a2...54.elf

debian-12-armhf

1

0c349ec65f...e3.exe

windows10-2004-x64

10

0c6a7849d4...d3.exe

windows10-2004-x64

10

0ceb0dadfa...de.elf

debian-9-mips

0dd32a3e7e...85.exe

windows7-x64

10

0dd32a3e7e...85.exe

windows10-2004-x64

10

0dd3f8b254...7f.exe

windows10-2004-x64

10

1100f4a753...15.exe

windows10-2004-x64

10

124c02ed92...f5.exe

windows7-x64

10

124c02ed92...f5.exe

windows10-2004-x64

10

1267a2b9b9...dc.exe

windows7-x64

10

1267a2b9b9...dc.exe

windows10-2004-x64

10

13a5b3d41f...f1.exe

windows7-x64

10

13a5b3d41f...f1.exe

windows10-2004-x64

10

13a63fbb66...62.exe

windows10-2004-x64

10

143dea0e6e...5c.exe

windows10-2004-x64

10

14779e087a...9a.elf

ubuntu-24.04-amd64

1

15f6ddf672...e3.exe

windows10-2004-x64

10

16478becee...e4.elf

debian-12-armhf

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

  • max time kernel
    118s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-06-2024 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe

  • Size

    880KB

  • MD5

    d5af7b4e4aa554542307474645208ce1

  • SHA1

    aaf49c2518fb31dccdd6b8ae383b21cc6de0a430

  • SHA256

    0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85

  • SHA512

    785e01b295ac3a12045df777d8cd5fe86a76f06d5bab2ab77c07ca049c27119f43a1928724452339f90660ba379d74c080f810c74cb732274956ff68cc578310

  • SSDEEP

    12288:/mcnG6zEGU6Iq2jCrYQQsbeLmFDgJzEhFP92MpgtK3IoRA7+JQEKVWk:ZnGSrU6IqQCr1KJzEhFPWtxoR12/

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
    "C:\Users\Admin\AppData\Local\Temp\0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:344
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PFUyiEWIAf.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1588
        • C:\Program Files\Windows Defender\ja-JP\services.exe
          "C:\Program Files\Windows Defender\ja-JP\services.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\TermService\0409\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\TermService\0409\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1264
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2368

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\PFUyiEWIAf.bat
      Filesize

      217B

      MD5

      64fff7c0855d0c15a95c964bd1141c3d

      SHA1

      a741f8b96384651ca0fd567b73ab74fb164c6f3d

      SHA256

      763cb4ccafb9798ca071c6da90c2b17a50adf82dbe4fdd1c4b8bcf450b05f32e

      SHA512

      1898638a8333bc84a413e57c9082ba537b626616236648d8f477cc086f6ae8a7179245696a3ba8e275cd29076902911d1e701dfe402da7db07326d71ea99a752

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      07f72f63d6442a1259ec146e31e155ed

      SHA1

      40c7f3553d689c68aee15a853a36f6927f2faeaf

      SHA256

      eab71ff75f01b38e40d61527f8b6b9190b07d5ba64f53411764d2cf96cdd9f88

      SHA512

      53a09cda6ae0ba1ac37ee37f86cece0b537b0d555c24440cee3419f1b4391c315193dc52f20208c932e53492bfa268fc8a1327582bf38fff7c734c24cb156aa9

      Download Submit
    • C:\Windows\twain_32\winlogon.exe
      Filesize

      880KB

      MD5

      d5af7b4e4aa554542307474645208ce1

      SHA1

      aaf49c2518fb31dccdd6b8ae383b21cc6de0a430

      SHA256

      0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85

      SHA512

      785e01b295ac3a12045df777d8cd5fe86a76f06d5bab2ab77c07ca049c27119f43a1928724452339f90660ba379d74c080f810c74cb732274956ff68cc578310

      Download Submit
    • memory/1528-83-0x0000000000C50000-0x0000000000D34000-memory.dmp
      Filesize

      912KB

      Download
    • memory/1612-26-0x000000001B590000-0x000000001B872000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/1612-33-0x0000000001D90000-0x0000000001D98000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2948-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2948-1-0x0000000000090000-0x0000000000174000-memory.dmp
      Filesize

      912KB

      Download
    • memory/2948-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2948-3-0x0000000000530000-0x000000000053C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2948-35-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp
      Filesize

      9.9MB

      Download