Analysis

  • max time kernel
    122s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-07-2024 01:16

General

  • Target

    a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe

  • Size

    3.1MB

  • MD5

    18f5a3194d73e08d7d66b7a3b42568b3

  • SHA1

    86d424c8a86ec2f20407f9f2db9133a0a2b314f7

  • SHA256

    a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1

  • SHA512

    3f14d5b896cdba1ea41516a3c1f9b2745bd403a57bb66bf6c2016ee5dde2f2bab8560822975848f4920502a4ae94975891846d8249ab401054655482964bcb11

  • SSDEEP

    49152:UbA30w1VlUYYDF62IumHbysKqLb5yHfCbShsA3z42d7U8rUc1uHToN/:UbgJWF6ymHbRzLb5ya2hsUz4c7W9K/

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe
    "C:\Users\Admin\AppData\Local\Temp\a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BlockproviderComponentweb\no2eZG6mwS0.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\BlockproviderComponentweb\QGmdpYGOg.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\BlockproviderComponentweb\intoHostDhcp.exe
          "C:\BlockproviderComponentweb\intoHostDhcp.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockproviderComponentweb\intoHostDhcp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:328
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xKZCuHzSJ5.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2808
              • C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe
                "C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2200
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6c77471-6193-4b87-810b-b3f5f36f56fa.vbs"
                  7⤵
                    PID:1720
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c72ba46-5185-4851-bbb8-47109446ceda.vbs"
                    7⤵
                      PID:1532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2520
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1896
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
            PID:1776

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            Count  ID
Execution             Command and Scripting Interpreter    1      T1059
Execution             PowerShell                           1      T1059.001
Execution             Scheduled Task/Job                   1      T1053
Execution             Scheduled Task                       1      T1053.005
Persistence           Scheduled Task/Job                   1      T1053
Persistence           Scheduled Task                       1      T1053.005
Privilege Escalation  Abuse Elevation Control Mechanism    1      T1548
Privilege Escalation  Bypass User Account Control          1      T1548.002
Privilege Escalation  Scheduled Task/Job                   1      T1053
Privilege Escalation  Scheduled Task                       1      T1053.005
Defense Evasion       Abuse Elevation Control Mechanism    1      T1548
Defense Evasion       Bypass User Account Control          1      T1548.002
Defense Evasion       Impair Defenses                      1      T1562
Defense Evasion       Disable or Modify Tools              1      T1562.001
Defense Evasion       Modify Registry                      2      T1112
Discovery             System Information Discovery         2      T1082
Discovery             Query Registry                       1      T1012


Downloads

          • C:\BlockproviderComponentweb\QGmdpYGOg.bat
            Filesize

            58B

            MD5

            924b1ca537cd105768edbcd1fe0cf3ca

            SHA1

            968648854cb40f3b55d3c30aa809ffb2545dd9e2

            SHA256

            ff9548c5810351eea938a04cc4b47dbb3cece7e555c16968edca4c140485f456

            SHA512

            bf8157c56bdeadc32183c681f28f33e26d1e1ee6bf3053493666163ce639cd60942e543c600cd1cb70539739155c2539ba306da5557fabc9c5dc06a3fb37ec38

          • C:\BlockproviderComponentweb\intoHostDhcp.exe
            Filesize

            2.8MB

            MD5

            93615053d95e46026ed276c2b258c306

            SHA1

            2b1c428f05fa18718c3f92a1afe6d800c9bf4191

            SHA256

            3098b5044a048fc12aa27784d29635bbba89bac9c184cfbecd34c62c8a29987d

            SHA512

            82fd306cbdebcd406d769bf511721daba7478fd7fb3a6035636f0da2a8de629a31644f22bd047ab57603127a7f636f331c9e2d0d1cfcb0020fe75fb07dcce3e1

          • C:\BlockproviderComponentweb\no2eZG6mwS0.vbe
            Filesize

            222B

            MD5

            b237326af75ea09be7db779654da38d4

            SHA1

            5b8b54c44d6dc2ddac14ed9a3feb56d088bc377e

            SHA256

            f636ad5bfab3cacd97532396ade77867a5e198445385ce0f18128a87c2c599e0

            SHA512

            beb445b3bac73675b70fd28e1a026096f9cb34f19be1b88f487a2b2b1452eacbc13c64a32a6b8b0b2e1d53121964ec35e8131627cb6cc7a7cbd6cb6dd1a47617

          • C:\Users\Admin\AppData\Local\Temp\2c72ba46-5185-4851-bbb8-47109446ceda.vbs
            Filesize

            504B

            MD5

            2cf50d8f55af93f29c7f33127e93c17f

            SHA1

            19b6a178ee1f53aeb263990a53b21d8fcdba2bd0

            SHA256

            a834a8496b65baa5432bd96c3bb4b1bae56ac14c17268ec9cef964f72763c662

            SHA512

            c71e962e71b05f3329537c85acfdd9c948fcd733077d79c3c4f589534c9855af2d1c8db6feecdcef75d2ec548e523f456fa904c4d2eb012322e4bf3f8663dbbe

          • C:\Users\Admin\AppData\Local\Temp\d6c77471-6193-4b87-810b-b3f5f36f56fa.vbs
            Filesize

            728B

            MD5

            05a0e68d5dcdf86ce5290842a3154d5a

            SHA1

            c59eca2104caa71d1017129793d108c388caa43b

            SHA256

            741fbc239b88e7464ace208c4eec9e49858d4d6bd3d26bdd23a7a9ad5f3b1922

            SHA512

            4695cb3fabb8302ca9a45a353d9e328fded7b6ffae6ff817714aebe75963881c52ccc733737924eeb066047103e84eb5cfe521f69181965b8f855666f6f1fa70

          • C:\Users\Admin\AppData\Local\Temp\xKZCuHzSJ5.bat
            Filesize

            217B

            MD5

            3285e3837764055bd8beb08c6520a73b

            SHA1

            38e24fd5723379bff6d255a30d27382aa41109f1

            SHA256

            995c32beaefc780eedcc53c6ff5d29ce81fc0a14aad4912860cbc4fa0e1eb265

            SHA512

            4bcb8790928b900dff2084b67c1be8e2bc1cbe67a581a4715e8093c2852ac84923045017dd7528f57400c458ed6d0d0f1b3b94fb61bb1641aa21366121dd4b3c

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GRAK832B710FV3B25Q8D.temp
            Filesize

            7KB

            MD5

            59477c5e1491f38cbd0a5897d6c72a7a

            SHA1

            0b038dd4509f1cd47f8b0b330590ed848de9c818

            SHA256

            cf4321cfab10a2c4f374530162b844c0eb25d553302608877a5b218cb77ffa8b

            SHA512

            e604355ffe8b89edda6ea1af5cb34c333b661d223bf09019c03a467501cef3c2fd30cebd8a44dcfc9a4e7b8601ec98246113cb42beb38157d1315c2f098b67b6

          • memory/328-52-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
            Filesize

            2.9MB

          • memory/2200-58-0x000000001AE90000-0x000000001AEE6000-memory.dmp
            Filesize

            344KB

          • memory/2200-57-0x0000000000B20000-0x0000000000B32000-memory.dmp
            Filesize

            72KB

          • memory/2200-56-0x0000000000EA0000-0x000000000117A000-memory.dmp
            Filesize

            2.9MB

          • memory/2200-59-0x000000001A970000-0x000000001A982000-memory.dmp
            Filesize

            72KB

          • memory/2388-53-0x0000000001F40000-0x0000000001F48000-memory.dmp
            Filesize

            32KB

          • memory/2660-34-0x000000001AB50000-0x000000001AB5C000-memory.dmp
            Filesize

            48KB

          • memory/2660-29-0x00000000023B0000-0x00000000023BC000-memory.dmp
            Filesize

            48KB

          • memory/2660-31-0x00000000025B0000-0x00000000025BE000-memory.dmp
            Filesize

            56KB

          • memory/2660-26-0x00000000008D0000-0x00000000008DC000-memory.dmp
            Filesize

            48KB

          • memory/2660-33-0x000000001A9D0000-0x000000001A9DA000-memory.dmp
            Filesize

            40KB

          • memory/2660-32-0x000000001A9C0000-0x000000001A9CC000-memory.dmp
            Filesize

            48KB

          • memory/2660-24-0x0000000000830000-0x000000000083C000-memory.dmp
            Filesize

            48KB

          • memory/2660-23-0x0000000000560000-0x0000000000572000-memory.dmp
            Filesize

            72KB

          • memory/2660-20-0x00000000004B0000-0x00000000004BC000-memory.dmp
            Filesize

            48KB

          • memory/2660-19-0x0000000002250000-0x00000000022A6000-memory.dmp
            Filesize

            344KB

          • memory/2660-30-0x00000000023C0000-0x00000000023CA000-memory.dmp
            Filesize

            40KB

          • memory/2660-25-0x00000000008C0000-0x00000000008C8000-memory.dmp
            Filesize

            32KB

          • memory/2660-28-0x0000000002560000-0x0000000002568000-memory.dmp
            Filesize

            32KB

          • memory/2660-27-0x00000000022A0000-0x00000000022AC000-memory.dmp
            Filesize

            48KB

          • memory/2660-22-0x00000000004D0000-0x00000000004DC000-memory.dmp
            Filesize

            48KB

          • memory/2660-21-0x00000000004C0000-0x00000000004C8000-memory.dmp
            Filesize

            32KB

          • memory/2660-18-0x0000000000490000-0x000000000049A000-memory.dmp
            Filesize

            40KB

          • memory/2660-17-0x00000000004A0000-0x00000000004B0000-memory.dmp
            Filesize

            64KB

          • memory/2660-16-0x0000000000480000-0x0000000000492000-memory.dmp
            Filesize

            72KB

          • memory/2660-15-0x00000000003F0000-0x00000000003F8000-memory.dmp
            Filesize

            32KB

          • memory/2660-14-0x00000000003D0000-0x00000000003EC000-memory.dmp
            Filesize

            112KB

          • memory/2660-13-0x00000000008E0000-0x0000000000BBA000-memory.dmp
            Filesize

            2.9MB