Overview

overview

10

Static

static

8282EA0066...C1.exe

windows7_x64

10

8282EA0066...C1.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-06-2021 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8282EA0066E14F2E7CAF51B7A7D50DC1.exe

  • Size

    1.0MB

  • MD5

    8282ea0066e14f2e7caf51b7a7d50dc1

  • SHA1

    83c03517bb11c4ef01ced0b8df76cb35acbf4fdd

  • SHA256

    db57de1bf0b133303c2325117a527f1586e4bf6af56219391a17095efb09cc76

  • SHA512

    b48e2b9c226f57c50b5e58d716a906e9753f254136697e3e32c5f6aba2c6cc0a3175b0b290630949ddb4229a8eda53e5b62d03c969f5ef187963302ecc9e6841

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8282EA0066E14F2E7CAF51B7A7D50DC1.exe
    "C:\Users\Admin\AppData\Local\Temp\8282EA0066E14F2E7CAF51B7A7D50DC1.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontruntime\W54cK365JLW2iwfNl.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:68
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\fontruntime\R8YG6c.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\fontruntime\fontruntime.exe
          "C:\fontruntime\fontruntime.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\msrahc\dllhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2264
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\chgport\SppExtComObj.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3328
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\NgcProCsp\slui.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3868
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\fontruntime\fontdrvhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2308
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Boot\Fonts\ShellExperienceHost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3160
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\fontruntime\tcqWpE8T6a.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1008
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:1288
              • C:\Windows\system32\PING.EXE
                ping -n 5 localhost
                6⤵
                • Runs ping.exe
                PID:2948
              • C:\Boot\Fonts\ShellExperienceHost.exe
                "C:\Boot\Fonts\ShellExperienceHost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:184

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Boot\Fonts\ShellExperienceHost.exe
      MD5

      37657f07638ec9a4f5edca0ef48318e9

      SHA1

      5e88e4d38743fc4bb6d2e4ada662315fb430bad4

      SHA256

      6e92e95e249505126d6013bcb0edc77f3de3fd0702999bf4dca7e7449b3702b6

      SHA512

      e64bfc73f99b6807b462d1c1826819e60a4095e3b40a0507e4423c3e136dd8f4d7657418af4a736b6c5c2470b8bfe5ead857067f1e6f20e8a3f201892095a9f3

      Download Submit
    • C:\Boot\Fonts\ShellExperienceHost.exe
      MD5

      37657f07638ec9a4f5edca0ef48318e9

      SHA1

      5e88e4d38743fc4bb6d2e4ada662315fb430bad4

      SHA256

      6e92e95e249505126d6013bcb0edc77f3de3fd0702999bf4dca7e7449b3702b6

      SHA512

      e64bfc73f99b6807b462d1c1826819e60a4095e3b40a0507e4423c3e136dd8f4d7657418af4a736b6c5c2470b8bfe5ead857067f1e6f20e8a3f201892095a9f3

      Download Submit
    • C:\fontruntime\R8YG6c.bat
      MD5

      0549e2d2679f2afeba43cb06997739e6

      SHA1

      1d14886a786af7bee891fd37f4bf84c81846c19e

      SHA256

      4b5eb60490f8970c80f17494fe936373855e82d1c29118847c9ddb099fcd2b2f

      SHA512

      7a18aedea52bb8f75cb2007ab3d53ae89dde128d4a2e42f738d3cea4e8a3e3b0c7852f067b4840f431a5f0863b031e9244b569124f3f0639c69e15ff345655ad

      Download Submit
    • C:\fontruntime\W54cK365JLW2iwfNl.vbe
      MD5

      a240231e90c46d69d3b65d947b284c4b

      SHA1

      706a7a426f01a650322ee1afd975795f2c8572a0

      SHA256

      a71b4327dd6dc56a311005c83db97c649f4011e3f809e2d42b14eb2fcf76e664

      SHA512

      56a67d4798e499297a85ee8351108f306ad31b6f4ce8cff3c8f7a95b52c5631418465db7c56006fc2587cfee3e46af76a80c87f8d4f77e28c45d1593ae2a687d

      Download Submit
    • C:\fontruntime\fontruntime.exe
      MD5

      37657f07638ec9a4f5edca0ef48318e9

      SHA1

      5e88e4d38743fc4bb6d2e4ada662315fb430bad4

      SHA256

      6e92e95e249505126d6013bcb0edc77f3de3fd0702999bf4dca7e7449b3702b6

      SHA512

      e64bfc73f99b6807b462d1c1826819e60a4095e3b40a0507e4423c3e136dd8f4d7657418af4a736b6c5c2470b8bfe5ead857067f1e6f20e8a3f201892095a9f3

      Download Submit
    • C:\fontruntime\fontruntime.exe
      MD5

      37657f07638ec9a4f5edca0ef48318e9

      SHA1

      5e88e4d38743fc4bb6d2e4ada662315fb430bad4

      SHA256

      6e92e95e249505126d6013bcb0edc77f3de3fd0702999bf4dca7e7449b3702b6

      SHA512

      e64bfc73f99b6807b462d1c1826819e60a4095e3b40a0507e4423c3e136dd8f4d7657418af4a736b6c5c2470b8bfe5ead857067f1e6f20e8a3f201892095a9f3

      Download Submit
    • C:\fontruntime\tcqWpE8T6a.bat
      MD5

      046526a909bae1f6dcc6f39bcb0edb0e

      SHA1

      a479b50e155b050b62bfcac9b3e3d5c6df9ac1b0

      SHA256

      3c53d94e90f0c079e53c21c43679d177112b631b645cf0c34d9b0551ae9170db

      SHA512

      4c83893fc2d5e5c85d61b7c59115ec3e8c7fbbeab9cac276fbddbf2e1f4f8fbd24b1a598a3be8d7cd0cad65347bf5da5cd1d861904d2b3fa9988b2d041e18fac

      Download Submit
    • memory/68-116-0x0000000000000000-mapping.dmp
      Download
    • memory/184-135-0x0000000000000000-mapping.dmp
      Download
    • memory/184-140-0x000001B8E8060000-0x000001B8E8062000-memory.dmp
      Filesize

      8KB

      Download
    • memory/184-143-0x000001B8CDE90000-0x000001B8CDE91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/184-142-0x000001B8CDE60000-0x000001B8CDE64000-memory.dmp
      Filesize

      16KB

      Download
    • memory/184-141-0x000001B8CDDF0000-0x000001B8CDDF5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1008-131-0x0000000000000000-mapping.dmp
      Download
    • memory/1288-133-0x0000000000000000-mapping.dmp
      Download
    • memory/2264-126-0x0000000000000000-mapping.dmp
      Download
    • memory/2300-125-0x0000021780060000-0x0000021780062000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2300-123-0x00000217FE080000-0x00000217FE081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2300-120-0x0000000000000000-mapping.dmp
      Download
    • memory/2308-129-0x0000000000000000-mapping.dmp
      Download
    • memory/2580-119-0x0000000000000000-mapping.dmp
      Download
    • memory/2948-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3160-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3328-127-0x0000000000000000-mapping.dmp
      Download
    • memory/3868-128-0x0000000000000000-mapping.dmp
      Download