Overview

overview

10

Static

static

8282EA0066...C1.exe

windows7_x64

10

8282EA0066...C1.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-06-2021 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8282EA0066E14F2E7CAF51B7A7D50DC1.exe

  • Size

    1.0MB

  • MD5

    8282ea0066e14f2e7caf51b7a7d50dc1

  • SHA1

    83c03517bb11c4ef01ced0b8df76cb35acbf4fdd

  • SHA256

    db57de1bf0b133303c2325117a527f1586e4bf6af56219391a17095efb09cc76

  • SHA512

    b48e2b9c226f57c50b5e58d716a906e9753f254136697e3e32c5f6aba2c6cc0a3175b0b290630949ddb4229a8eda53e5b62d03c969f5ef187963302ecc9e6841

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8282EA0066E14F2E7CAF51B7A7D50DC1.exe
    "C:\Users\Admin\AppData\Local\Temp\8282EA0066E14F2E7CAF51B7A7D50DC1.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontruntime\W54cK365JLW2iwfNl.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:68
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\fontruntime\R8YG6c.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\fontruntime\fontruntime.exe
          "C:\fontruntime\fontruntime.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\msrahc\dllhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2264
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\chgport\SppExtComObj.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3328
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\NgcProCsp\slui.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3868
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\fontruntime\fontdrvhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2308
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Boot\Fonts\ShellExperienceHost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3160
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\fontruntime\tcqWpE8T6a.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1008
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:1288
              • C:\Windows\system32\PING.EXE
                ping -n 5 localhost
                6⤵
                • Runs ping.exe
                PID:2948
              • C:\Boot\Fonts\ShellExperienceHost.exe
                "C:\Boot\Fonts\ShellExperienceHost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:184

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/184-140-0x000001B8E8060000-0x000001B8E8062000-memory.dmp

      Filesize

      8KB

      Download

    • memory/184-143-0x000001B8CDE90000-0x000001B8CDE91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/184-142-0x000001B8CDE60000-0x000001B8CDE64000-memory.dmp

      Filesize

      16KB

      Download

    • memory/184-141-0x000001B8CDDF0000-0x000001B8CDDF5000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2300-125-0x0000021780060000-0x0000021780062000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2300-123-0x00000217FE080000-0x00000217FE081000-memory.dmp

      Filesize

      4KB

      Download