Overview

overview

10

Static

static

4ced2056e4...0c.exe

windows7_x64

10

4ced2056e4...0c.exe

windows10_x64

10

Resubmissions

11-01-2021 13:09

210111-dlhjyngw66 8

11-01-2021 07:36

210111-xfhgmxjy6n 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-01-2021 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ced2056e4efe1c93b9f4adaaeaba20c.exe

  • Size

    607KB

  • MD5

    4ced2056e4efe1c93b9f4adaaeaba20c

  • SHA1

    b975777c42d7d8fb04c34a2efc64dc5e4c574712

  • SHA256

    f6a307d243c407c27489de37adac83e9205be531cbb4e2cb71545627faf813fd

  • SHA512

    014df0ad54bf23335f964fa4e313a91b60b3ea2c62b73a306e973177830b573666aaebc1932cafa766042f34b8e32adcfabe3027aae2cc09341fd138a8963eaf

Score
10/10
dcratevasioninfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DC Rat Payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ced2056e4efe1c93b9f4adaaeaba20c.exe
    "C:\Users\Admin\AppData\Local\Temp\4ced2056e4efe1c93b9f4adaaeaba20c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRAR\wSmIzsMZSTGIPjXygtTeiEZYkIjJjD.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\WinRAR\wAcLjfo4uMcnTa1rAjnz0eLcoo04D9.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Users\Admin\AppData\Roaming\WinRAR\HoykwG9pmLZ7sZbSP8eb.exe
          HoykwG9pmLZ7sZbSP8eb.exe -p2e840a597483ac4423c7c5ec1a09b39042cbf75d
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1252
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRAR\tPKG2uMJtmCS4Bv6TMepBvdoqxAPGa.vbe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1028
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Roaming\WinRAR\mQE440b4P9lIBPO3Qboqf8inqaQoJr.bat" "
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1064
              • C:\Users\Admin\AppData\Roaming\WinRAR\winrar-x84.exe
                "C:\Users\Admin\AppData\Roaming\WinRAR\winrar-x84.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1528
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\WmiPrvSE.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1636
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1856
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1188
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1396
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\sppsvc.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1864
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1388
                • C:\PerfLogs\Admin\WmiPrvSE.exe
                  "C:\PerfLogs\Admin\WmiPrvSE.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:268
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                7⤵
                • Modifies registry key
                PID:544

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/268-34-0x0000000000E10000-0x0000000000E11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/268-32-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1028-15-0x00000000026F0000-0x00000000026F4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1528-21-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1528-20-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1812-6-0x00000000026B0000-0x00000000026B4000-memory.dmp

    Filesize

    16KB

    Download