Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    13-05-2022 21:31

General

  • Target

    245ed2db66c841556f3d7b52ab251030.exe

  • Size

    1.2MB

  • MD5

    245ed2db66c841556f3d7b52ab251030

  • SHA1

    8f12f472db36bf57ac7f2a02f21549d1559c672c

  • SHA256

    f698f53c372a26a4ab1ecd516064546fcd24da106293786c04e638de3582b2cd

  • SHA512

    6d5cdac70c9f090d472d4baa378c87d0bc7b582606f2767938b011401bfa6822cd7159c62ff58369c2d2c017654624a49134687879229f42673e4a785f47a0d6

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • suricata: ET MALWARE DCRAT Activity (GET)

    suricata: ET MALWARE DCRAT Activity (GET)

  • DCRat Payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\245ed2db66c841556f3d7b52ab251030.exe
    "C:\Users\Admin\AppData\Local\Temp\245ed2db66c841556f3d7b52ab251030.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainreview\TMWNv3mE2TIbawdkFU0NZqVs.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\chainreview\hVeVLdt7YgrTd9f5EBWZj5Lf.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\chainreview\.exe
          "C:\chainreview\.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1788

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\chainreview\.exe

    Filesize

    828KB

    MD5

    c95eaf6c0946234a5ae4d8cc18fabb01

    SHA1

    19d9507d5c6bc789f9ff0c27a6da4c7d415d3157

    SHA256

    f088eb6b6fc42f625c0d93872779819cddf1dea74eb8e87ad6c607912075c4c7

    SHA512

    8216ed40179963cd7ff766f4d62fdf525f1c89ed0e944f73f3dbf603ff929c734b79bc6f730979191b5d92e229ef15e9ab6e6b24ef4ad3b1ad86f57ca91388f0

  • C:\chainreview\.exe

    Filesize

    828KB

    MD5

    c95eaf6c0946234a5ae4d8cc18fabb01

    SHA1

    19d9507d5c6bc789f9ff0c27a6da4c7d415d3157

    SHA256

    f088eb6b6fc42f625c0d93872779819cddf1dea74eb8e87ad6c607912075c4c7

    SHA512

    8216ed40179963cd7ff766f4d62fdf525f1c89ed0e944f73f3dbf603ff929c734b79bc6f730979191b5d92e229ef15e9ab6e6b24ef4ad3b1ad86f57ca91388f0

  • C:\chainreview\TMWNv3mE2TIbawdkFU0NZqVs.vbe

    Filesize

    212B

    MD5

    c754e26593c070e05dbb6ca50b277202

    SHA1

    55c260c08200e12bd2cff1cd1367a86aa75b70a4

    SHA256

    7ec888e0d565acff5594b6fad96e6c39e35fba928837ec2ca7c31669ef09dade

    SHA512

    4c87df6a307222d90794425c314bf66d78cdef84a7f9ba54c47dc19eb59ee89fde53b5d9d9908fb4e9b26b58eb8b1cb2c2d5a5b37aa04f851bf1116297d8952d

  • C:\chainreview\hVeVLdt7YgrTd9f5EBWZj5Lf.bat

    Filesize

    21B

    MD5

    4b2d709c097bcecdacf548330a0f2704

    SHA1

    d2adee306617f4846b31727e1c03289d425fa8bb

    SHA256

    b4c73df97e2777d089313540a743479457b2098566588ce2ba541bb48c4a3c4b

    SHA512

    3043fc7b83d03788f5af852009571fe617e568514e3fcbd1f400e0f354fb0697257e540a708d049b7ab8e970588ec5d01d3e4a7fc444cd7eddaeddcc9e68c331

  • memory/1572-130-0x0000000000000000-mapping.dmp

  • memory/1788-134-0x0000000000000000-mapping.dmp

  • memory/1788-137-0x0000000000AA0000-0x0000000000B76000-memory.dmp

    Filesize

    856KB

  • memory/1788-138-0x00007FF821BF0000-0x00007FF8226B1000-memory.dmp

    Filesize

    10.8MB

  • memory/2488-133-0x0000000000000000-mapping.dmp