Overview

overview

10

Static

static

10

787F845B90...C0.exe

windows7_x64

10

787F845B90...C0.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-06-2021 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    787F845B904FD7FC0F36F5CCAB9691C0.exe

  • Size

    1.5MB

  • MD5

    787f845b904fd7fc0f36f5ccab9691c0

  • SHA1

    d25cd2bf2986862d7c4d5923a144b5c6d11690ac

  • SHA256

    a7629346a7228cd9b9d1db57a2d25c12c87506db851f43dd99fcb5e8f0e520ec

  • SHA512

    05ab7acb67cd7852620a4e835ebaadbe1b709c01dd025e701be7ec04c63abc4b8e045f50911c6aa0f7253c3b1349a0174f08fd0f54b5d0fed9524c719c6135d3

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe
    "C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
          "C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\thumbcache\slui.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2340
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsShell\explorer.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4092
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3356
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Client\conhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3200
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uRKTj1oKgu.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2324
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:744
              • C:\Windows\system32\PING.EXE
                ping -n 5 localhost
                6⤵
                • Runs ping.exe
                PID:4044
              • C:\Windows\System32\thumbcache\slui.exe
                "C:\Windows\System32\thumbcache\slui.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:3488

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\uRKTj1oKgu.bat
      MD5

      ff54012c47ae9c9f236137e38587fca0

      SHA1

      2857ccad29bf99eed8fed5d911e196472a6ca738

      SHA256

      a13babe04b160e7e4a0bb26c43cb2c9d00b02eb9256e3a10db1e765ba10a6c35

      SHA512

      d5ae6d3fb19703a85e3f3269bd55d6b004bda0875efa48ba1496e116cbdf20f2f14cd6c7fbdeeb132ea1a46082dd24c88435157661b5aaf92a10debc07bce8be

      Download Submit
    • C:\Windows\System32\thumbcache\slui.exe
      MD5

      ed0551481fa342d10d1513feaeaa07f1

      SHA1

      a7c1effe9f14d07d03d55285896d9ef1c8af62c6

      SHA256

      1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

      SHA512

      02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

      Download Submit
    • C:\Windows\System32\thumbcache\slui.exe
      MD5

      ed0551481fa342d10d1513feaeaa07f1

      SHA1

      a7c1effe9f14d07d03d55285896d9ef1c8af62c6

      SHA256

      1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

      SHA512

      02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

      Download Submit
    • C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe
      MD5

      77392f6900492949787a7d7967eb10b6

      SHA1

      84767159f4baadbf75043355e691877e75fcdf12

      SHA256

      2e5a321119df0fac677de8fc52c4ae82c87d64012ed1ef3c8ee39df96c2f5627

      SHA512

      8ce6af44fc77636d0e5d2719ebb82144ea47dfd4bb798c7519a1bdfab3bc3723f9531629deb0fba25f298c471705347502ab5a0c8198c1c16a213a0a7f970fa5

      Download Submit
    • C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat
      MD5

      3bb4b3b2af3807680dfa1867b0290279

      SHA1

      1c13ea22c5b7b084ff2562f2289c222ab0897e93

      SHA256

      799a39579ea7c43e5dc9dbfafc22d3e563fa8692c5bf97442bd788bda03d95d5

      SHA512

      eadd2cf766c4dce412e0f25f936bedd97fd71f031e52c0f09196571979211fd6d817fa2f4758e1677d4d9efa06b2dc0e9bcb838434eb19c0af2d8fafe983445b

      Download Submit
    • C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
      MD5

      ed0551481fa342d10d1513feaeaa07f1

      SHA1

      a7c1effe9f14d07d03d55285896d9ef1c8af62c6

      SHA256

      1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

      SHA512

      02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

      Download Submit
    • C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
      MD5

      ed0551481fa342d10d1513feaeaa07f1

      SHA1

      a7c1effe9f14d07d03d55285896d9ef1c8af62c6

      SHA256

      1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

      SHA512

      02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

      Download Submit
    • memory/744-132-0x0000000000000000-mapping.dmp
      Download
    • memory/776-119-0x0000000000000000-mapping.dmp
      Download
    • memory/2324-130-0x0000000000000000-mapping.dmp
      Download
    • memory/2340-126-0x0000000000000000-mapping.dmp
      Download
    • memory/2860-123-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2860-120-0x0000000000000000-mapping.dmp
      Download
    • memory/2860-125-0x000000001AE10000-0x000000001AE12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3200-129-0x0000000000000000-mapping.dmp
      Download
    • memory/3356-128-0x0000000000000000-mapping.dmp
      Download
    • memory/3488-143-0x0000000002E10000-0x0000000002E14000-memory.dmp
      Filesize

      16KB

      Download
    • memory/3488-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3488-139-0x000000001BB30000-0x000000001BB32000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3488-140-0x0000000001500000-0x0000000001506000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3488-141-0x0000000002E30000-0x0000000002E35000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3488-142-0x0000000001510000-0x0000000001512000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3488-144-0x0000000002E20000-0x0000000002E22000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3488-145-0x0000000002E50000-0x0000000002E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-146-0x0000000002E60000-0x0000000002E62000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3488-147-0x0000000003010000-0x0000000003011000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3856-116-0x0000000000000000-mapping.dmp
      Download
    • memory/4044-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4092-127-0x0000000000000000-mapping.dmp
      Download