Overview

overview

10

Static

static

f4787944e9...20.exe

windows7_x64

10

f4787944e9...20.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    02-04-2021 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4787944e95596ad1847910ce4180a20.exe

  • Size

    942KB

  • MD5

    f4787944e95596ad1847910ce4180a20

  • SHA1

    f6ec2109ff3f3985ee6f73d0cf680343a90c8b2b

  • SHA256

    08acc4229c4d8424570ee93f20f7c60a0e9e0605f7dc8594d14d52209b72ce00

  • SHA512

    5466b793806093f291a0712846510c3573654bb7d0ded3b9f2a91a0238bd14ae4926fb1f1111a62b1c4e570f9ece54c2019c16c60b9c1af145b67ef9607e894b

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4787944e95596ad1847910ce4180a20.exe
    "C:\Users\Admin\AppData\Local\Temp\f4787944e95596ad1847910ce4180a20.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\FontsavesInto\m8aBJ5FB2D94qk25GJ.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\FontsavesInto\5X6xHq8OosomjmO.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\FontsavesInto\FontsavesIntorefperf.exe
          "C:\FontsavesInto\FontsavesIntorefperf.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3484
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WsmAgent\WmiPrvSE.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2424
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDSF\fontdrvhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3116
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64\OfficeClickToRun.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4084
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\srumapi\sihost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2928
          • C:\Windows\System32\srumapi\sihost.exe
            "C:\Windows\System32\srumapi\sihost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FontsavesInto\5X6xHq8OosomjmO.bat
    MD5

    69a93d9784094ed30087e525d8e5ca93

    SHA1

    e441ac2e33082d55745c23ff7d6eef726f6c716a

    SHA256

    f91a106ad3e48562b43ee4145edb307f4994eff2aac723032c45c838c9b15b58

    SHA512

    80079b263f6e7cd0a6accd8bd4b5ed7726efdfda5263957c60a904e1e622691e0e2b63ff9c3029e03e377049adbf06c50204cdb9ec47d535d52e331c72ba3fb6

    Download Submit
  • C:\FontsavesInto\FontsavesIntorefperf.exe
    MD5

    6bea156153d2dcd0bb45e379333f8da8

    SHA1

    9383d9f769297fd43591390b9642d8b3ee6c47ec

    SHA256

    16d74e63bd0f09ecb21133532c18c3fbb6582b4696914277c0e7a986dd40a40d

    SHA512

    40fd958f6cefb12b92fe757ec3d8fec8e56f0c91a627e3b5587d8e751d04d0af7eea78b05e73067800cb306d45a7d4ea00683423b92582c2fdb07017c1127251

    Download Submit
  • C:\FontsavesInto\FontsavesIntorefperf.exe
    MD5

    6bea156153d2dcd0bb45e379333f8da8

    SHA1

    9383d9f769297fd43591390b9642d8b3ee6c47ec

    SHA256

    16d74e63bd0f09ecb21133532c18c3fbb6582b4696914277c0e7a986dd40a40d

    SHA512

    40fd958f6cefb12b92fe757ec3d8fec8e56f0c91a627e3b5587d8e751d04d0af7eea78b05e73067800cb306d45a7d4ea00683423b92582c2fdb07017c1127251

    Download Submit
  • C:\FontsavesInto\m8aBJ5FB2D94qk25GJ.vbe
    MD5

    190d748d25680584fe1b63a74f480b29

    SHA1

    71e99245cb768b3d4fbcb532dbe0f9e48f46c4ff

    SHA256

    ac99dee81aaf04088144ec0926ff227e0ada78e2c4d1a4c0e6f5cd3106e69b21

    SHA512

    294b2f4fafafcfa12d7c11477486492709b3e61e3ddd98eddfe5e44574e3c0cb5e1bf8adbf7bad9074a0912c16a114b11bd2c487312a21c3b806e282ae8e62a9

    Download Submit
  • C:\Windows\System32\srumapi\sihost.exe
    MD5

    6bea156153d2dcd0bb45e379333f8da8

    SHA1

    9383d9f769297fd43591390b9642d8b3ee6c47ec

    SHA256

    16d74e63bd0f09ecb21133532c18c3fbb6582b4696914277c0e7a986dd40a40d

    SHA512

    40fd958f6cefb12b92fe757ec3d8fec8e56f0c91a627e3b5587d8e751d04d0af7eea78b05e73067800cb306d45a7d4ea00683423b92582c2fdb07017c1127251

    Download Submit
  • C:\Windows\System32\srumapi\sihost.exe
    MD5

    6bea156153d2dcd0bb45e379333f8da8

    SHA1

    9383d9f769297fd43591390b9642d8b3ee6c47ec

    SHA256

    16d74e63bd0f09ecb21133532c18c3fbb6582b4696914277c0e7a986dd40a40d

    SHA512

    40fd958f6cefb12b92fe757ec3d8fec8e56f0c91a627e3b5587d8e751d04d0af7eea78b05e73067800cb306d45a7d4ea00683423b92582c2fdb07017c1127251

    Download Submit
  • memory/2424-13-0x0000000000000000-mapping.dmp
    Download
  • memory/2928-16-0x0000000000000000-mapping.dmp
    Download
  • memory/3116-14-0x0000000000000000-mapping.dmp
    Download
  • memory/3484-10-0x0000018AE53C0000-0x0000018AE53C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3484-12-0x0000018AFF900000-0x0000018AFF902000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3484-6-0x0000000000000000-mapping.dmp
    Download
  • memory/3484-9-0x00007FFCA1E60000-0x00007FFCA284C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3532-2-0x0000000000000000-mapping.dmp
    Download
  • memory/3612-17-0x0000000000000000-mapping.dmp
    Download
  • memory/3612-20-0x00007FFCA1E60000-0x00007FFCA284C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3612-23-0x0000026290D90000-0x0000026290D92000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3612-24-0x0000026290DC0000-0x0000026290DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4036-5-0x0000000000000000-mapping.dmp
    Download
  • memory/4084-15-0x0000000000000000-mapping.dmp
    Download