Analysis

  • max time kernel
    60s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-05-2022 04:07

General

  • Target

    13f834e84beb9208eaba2a22a286bcf7.exe

  • Size

    1.5MB

  • MD5

    13f834e84beb9208eaba2a22a286bcf7

  • SHA1

    0c362d1880081df5e1101f2f6d5c60f29d5a2f8d

  • SHA256

    f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d

  • SHA512

    f18801e6691980f17d4fe29c59db74084b78c3d203406803380f3d477ef337c5c9828bde585be04ea5646880d12e149af0da19c9eae77917463d4e015e23300c

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • suricata: ET MALWARE DCRAT Activity (GET)

    suricata: ET MALWARE DCRAT Activity (GET)

  • DCRat Payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13f834e84beb9208eaba2a22a286bcf7.exe
    "C:\Users\Admin\AppData\Local\Temp\13f834e84beb9208eaba2a22a286bcf7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainreview\egcCNJVTMxQySQYjogVX.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\chainreview\eQccdYwIKR90euD5Q0oan5EPG84.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\chainreview\.exe
          "C:\chainreview\.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1724

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\chainreview\.exe

    Filesize

    1.1MB

    MD5

    bab21aac84fcbf6ff5639c699b8e5273

    SHA1

    baa4a9333d2ebfdd521780c65f9e11c516877a82

    SHA256

    6e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6

    SHA512

    3dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529

  • C:\chainreview\.exe

    Filesize

    1.1MB

    MD5

    bab21aac84fcbf6ff5639c699b8e5273

    SHA1

    baa4a9333d2ebfdd521780c65f9e11c516877a82

    SHA256

    6e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6

    SHA512

    3dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529

  • C:\chainreview\eQccdYwIKR90euD5Q0oan5EPG84.bat

    Filesize

    21B

    MD5

    4b2d709c097bcecdacf548330a0f2704

    SHA1

    d2adee306617f4846b31727e1c03289d425fa8bb

    SHA256

    b4c73df97e2777d089313540a743479457b2098566588ce2ba541bb48c4a3c4b

    SHA512

    3043fc7b83d03788f5af852009571fe617e568514e3fcbd1f400e0f354fb0697257e540a708d049b7ab8e970588ec5d01d3e4a7fc444cd7eddaeddcc9e68c331

  • C:\chainreview\egcCNJVTMxQySQYjogVX.vbe

    Filesize

    215B

    MD5

    fa51d6a3e958b8acbc6ef0c9d3b94315

    SHA1

    39235af0f705b2fb0d8ae2bf52b5a5eaf234e154

    SHA256

    2ed582be651c6a9310418da72e95ae630639ed42782d0875d5877ccd15992a7e

    SHA512

    746c3f22ea7b06ad00bafbadcfaa2967515ac78e46a207916191dab586ff1339505c1a5acf39493f588a27122f6fea4b5265b8317f41e499c1a97ee0edfb7722

  • \chainreview\.exe

    Filesize

    1.1MB

    MD5

    bab21aac84fcbf6ff5639c699b8e5273

    SHA1

    baa4a9333d2ebfdd521780c65f9e11c516877a82

    SHA256

    6e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6

    SHA512

    3dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529

  • \chainreview\.exe

    Filesize

    1.1MB

    MD5

    bab21aac84fcbf6ff5639c699b8e5273

    SHA1

    baa4a9333d2ebfdd521780c65f9e11c516877a82

    SHA256

    6e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6

    SHA512

    3dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529

  • memory/1016-55-0x0000000000000000-mapping.dmp

  • memory/1048-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

    Filesize

    8KB

  • memory/1724-63-0x0000000000000000-mapping.dmp

  • memory/1724-65-0x0000000001250000-0x000000000137C000-memory.dmp

    Filesize

    1.2MB

  • memory/1724-66-0x0000000000440000-0x000000000045C000-memory.dmp

    Filesize

    112KB

  • memory/1724-67-0x00000000002B0000-0x00000000002C2000-memory.dmp

    Filesize

    72KB

  • memory/1724-68-0x0000000000480000-0x000000000048E000-memory.dmp

    Filesize

    56KB

  • memory/2012-59-0x0000000000000000-mapping.dmp