Overview

overview

10

Static

static

f4787944e9...20.exe

windows7_x64

10

f4787944e9...20.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    02-04-2021 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4787944e95596ad1847910ce4180a20.exe

  • Size

    942KB

  • MD5

    f4787944e95596ad1847910ce4180a20

  • SHA1

    f6ec2109ff3f3985ee6f73d0cf680343a90c8b2b

  • SHA256

    08acc4229c4d8424570ee93f20f7c60a0e9e0605f7dc8594d14d52209b72ce00

  • SHA512

    5466b793806093f291a0712846510c3573654bb7d0ded3b9f2a91a0238bd14ae4926fb1f1111a62b1c4e570f9ece54c2019c16c60b9c1af145b67ef9607e894b

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4787944e95596ad1847910ce4180a20.exe
    "C:\Users\Admin\AppData\Local\Temp\f4787944e95596ad1847910ce4180a20.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\FontsavesInto\m8aBJ5FB2D94qk25GJ.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\FontsavesInto\5X6xHq8OosomjmO.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\FontsavesInto\FontsavesIntorefperf.exe
          "C:\FontsavesInto\FontsavesIntorefperf.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3484
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WsmAgent\WmiPrvSE.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2424
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDSF\fontdrvhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3116
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64\OfficeClickToRun.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4084
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\srumapi\sihost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2928
          • C:\Windows\System32\srumapi\sihost.exe
            "C:\Windows\System32\srumapi\sihost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3484-10-0x0000018AE53C0000-0x0000018AE53C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-12-0x0000018AFF900000-0x0000018AFF902000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3484-9-0x00007FFCA1E60000-0x00007FFCA284C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3612-20-0x00007FFCA1E60000-0x00007FFCA284C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3612-23-0x0000026290D90000-0x0000026290D92000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3612-24-0x0000026290DC0000-0x0000026290DC1000-memory.dmp

    Filesize

    4KB

    Download