Overview

overview

10

Static

static

ad7507c908...36.exe

windows7_x64

10

ad7507c908...36.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-01-2022 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad7507c90821598ae3ed6e8b6c3fdb36.exe

  • Size

    1.3MB

  • MD5

    ad7507c90821598ae3ed6e8b6c3fdb36

  • SHA1

    b94839035eb055acacef724166489e2c0cb60eaa

  • SHA256

    785ebbdf0f15d1bb1fd3bbe1fb5a3486dead09dae463c91368653510c3814aee

  • SHA512

    ca43450c10e387a95ad6763e2f888096d7f87dc274bdb3f6720e4bc7fa3d214af72bc10a47f7ac2f00b44823511709ed1ad0f86201122bae3707c23463dff179

Score
10/10
dcratinfostealerpersistenceratspywarestealersuricata

Malware Config

Signatures

  • DcRat 5 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE DCRAT Activity (GET)

    suricata: ET MALWARE DCRAT Activity (GET)

    suricata
  • Executes dropped EXE 2 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad7507c90821598ae3ed6e8b6c3fdb36.exe
    "C:\Users\Admin\AppData\Local\Temp\ad7507c90821598ae3ed6e8b6c3fdb36.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\DriversavesRuntimecommon\OkPX18dWDtVLA0gJUAYq8tEymJIvb.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\DriversavesRuntimecommon\i8SeDW7.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe
          "C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe"
          4⤵
          • DcRat
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3768
          • C:\Windows\System32\adrclient\spoolsv.exe
            "C:\Windows\System32\adrclient\spoolsv.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\DriversavesRuntimecommon\file.vbs"
      2⤵
        PID:3484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\DriversavesRuntimecommon\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\adrclient\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3676
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 79fb6385a1be29e4a75d9bad96454fec M47BRkgQTUyhsRmoBvSRng.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3412

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe
      MD5

      8daa2fddfdf7939d8f6af197a459086b

      SHA1

      d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b

      SHA256

      f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e

      SHA512

      4c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5

      Download Submit
    • C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe
      MD5

      8daa2fddfdf7939d8f6af197a459086b

      SHA1

      d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b

      SHA256

      f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e

      SHA512

      4c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5

      Download Submit
    • C:\DriversavesRuntimecommon\OkPX18dWDtVLA0gJUAYq8tEymJIvb.vbe
      MD5

      d71998b7f7a50d7f82c3cb8240b75ef1

      SHA1

      278f6bc21583b6258b248c34a6b65cfcc752b4be

      SHA256

      bb473710e90bc6be56e175b4fdb382aad5cdfd77571b313235db621ede9e6c41

      SHA512

      c89201101b21d62a3327ab0365edeeaf1379d4c7bf6fe3449ee211707e82e8f8a78132ba8777bd935bc450684d63d8353540811dad0da76ae532a565d2919b7e

      Download Submit
    • C:\DriversavesRuntimecommon\file.vbs
      MD5

      677cc4360477c72cb0ce00406a949c61

      SHA1

      b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

      SHA256

      f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

      SHA512

      7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

      Download Submit
    • C:\DriversavesRuntimecommon\i8SeDW7.bat
      MD5

      39a43637ff068395e3f1cc29d619b61d

      SHA1

      7832b43422507b545276b0338362619529e7f964

      SHA256

      6b74040331ca65b2959ced9dd6768cc93c7e22db31f603e9497ba88d1e5b0d79

      SHA512

      b2a17cde1425cf59659fc941250134487f567b28a2ced716771a7152888739a2cbf61296625b9a9f21269fb2c81df3f2431d4239cb359c9bfea94685e4fb7dd7

      Download Submit
    • C:\Windows\System32\adrclient\spoolsv.exe
      MD5

      8daa2fddfdf7939d8f6af197a459086b

      SHA1

      d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b

      SHA256

      f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e

      SHA512

      4c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5

      Download Submit
    • C:\Windows\System32\adrclient\spoolsv.exe
      MD5

      8daa2fddfdf7939d8f6af197a459086b

      SHA1

      d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b

      SHA256

      f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e

      SHA512

      4c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5

      Download Submit
    • memory/2652-142-0x0000000000EA0000-0x0000000000EB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3768-137-0x0000000000D60000-0x0000000000E5E000-memory.dmp
      Filesize

      1016KB

      Download
    • memory/3768-138-0x000000001C250000-0x000000001C778000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3768-139-0x000000001BA10000-0x000000001BA12000-memory.dmp
      Filesize

      8KB

      Download