Analysis
-
max time kernel
60s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
13-05-2022 04:07
Static task
static1
Behavioral task
behavioral1
Sample
13f834e84beb9208eaba2a22a286bcf7.exe
Resource
win7-20220414-en
General
-
Target
13f834e84beb9208eaba2a22a286bcf7.exe
-
Size
1.5MB
-
MD5
13f834e84beb9208eaba2a22a286bcf7
-
SHA1
0c362d1880081df5e1101f2f6d5c60f29d5a2f8d
-
SHA256
f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d
-
SHA512
f18801e6691980f17d4fe29c59db74084b78c3d203406803380f3d477ef337c5c9828bde585be04ea5646880d12e149af0da19c9eae77917463d4e015e23300c
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
Processes:
resource yara_rule \chainreview\.exe dcrat \chainreview\.exe dcrat C:\chainreview\.exe dcrat C:\chainreview\.exe dcrat -
Executes dropped EXE 1 IoCs
Processes:
.exepid process 1724 .exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2012 cmd.exe 2012 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
.exepid process 1724 .exe 1724 .exe 1724 .exe 1724 .exe 1724 .exe 1724 .exe 1724 .exe 1724 .exe 1724 .exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
.exedescription pid process Token: SeDebugPrivilege 1724 .exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
13f834e84beb9208eaba2a22a286bcf7.exeWScript.execmd.exedescription pid process target process PID 1048 wrote to memory of 1016 1048 13f834e84beb9208eaba2a22a286bcf7.exe WScript.exe PID 1048 wrote to memory of 1016 1048 13f834e84beb9208eaba2a22a286bcf7.exe WScript.exe PID 1048 wrote to memory of 1016 1048 13f834e84beb9208eaba2a22a286bcf7.exe WScript.exe PID 1048 wrote to memory of 1016 1048 13f834e84beb9208eaba2a22a286bcf7.exe WScript.exe PID 1016 wrote to memory of 2012 1016 WScript.exe cmd.exe PID 1016 wrote to memory of 2012 1016 WScript.exe cmd.exe PID 1016 wrote to memory of 2012 1016 WScript.exe cmd.exe PID 1016 wrote to memory of 2012 1016 WScript.exe cmd.exe PID 2012 wrote to memory of 1724 2012 cmd.exe .exe PID 2012 wrote to memory of 1724 2012 cmd.exe .exe PID 2012 wrote to memory of 1724 2012 cmd.exe .exe PID 2012 wrote to memory of 1724 2012 cmd.exe .exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\13f834e84beb9208eaba2a22a286bcf7.exe"C:\Users\Admin\AppData\Local\Temp\13f834e84beb9208eaba2a22a286bcf7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\chainreview\egcCNJVTMxQySQYjogVX.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\chainreview\eQccdYwIKR90euD5Q0oan5EPG84.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\chainreview\.exe"C:\chainreview\.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5bab21aac84fcbf6ff5639c699b8e5273
SHA1baa4a9333d2ebfdd521780c65f9e11c516877a82
SHA2566e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6
SHA5123dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529
-
Filesize
1.1MB
MD5bab21aac84fcbf6ff5639c699b8e5273
SHA1baa4a9333d2ebfdd521780c65f9e11c516877a82
SHA2566e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6
SHA5123dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529
-
Filesize
21B
MD54b2d709c097bcecdacf548330a0f2704
SHA1d2adee306617f4846b31727e1c03289d425fa8bb
SHA256b4c73df97e2777d089313540a743479457b2098566588ce2ba541bb48c4a3c4b
SHA5123043fc7b83d03788f5af852009571fe617e568514e3fcbd1f400e0f354fb0697257e540a708d049b7ab8e970588ec5d01d3e4a7fc444cd7eddaeddcc9e68c331
-
Filesize
215B
MD5fa51d6a3e958b8acbc6ef0c9d3b94315
SHA139235af0f705b2fb0d8ae2bf52b5a5eaf234e154
SHA2562ed582be651c6a9310418da72e95ae630639ed42782d0875d5877ccd15992a7e
SHA512746c3f22ea7b06ad00bafbadcfaa2967515ac78e46a207916191dab586ff1339505c1a5acf39493f588a27122f6fea4b5265b8317f41e499c1a97ee0edfb7722
-
Filesize
1.1MB
MD5bab21aac84fcbf6ff5639c699b8e5273
SHA1baa4a9333d2ebfdd521780c65f9e11c516877a82
SHA2566e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6
SHA5123dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529
-
Filesize
1.1MB
MD5bab21aac84fcbf6ff5639c699b8e5273
SHA1baa4a9333d2ebfdd521780c65f9e11c516877a82
SHA2566e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6
SHA5123dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529