Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    13-05-2022 04:07

General

  • Target

    13f834e84beb9208eaba2a22a286bcf7.exe

  • Size

    1.5MB

  • MD5

    13f834e84beb9208eaba2a22a286bcf7

  • SHA1

    0c362d1880081df5e1101f2f6d5c60f29d5a2f8d

  • SHA256

    f3c0ce87c47d8a905458f935d7e1f09492dcc0e9e3d921d99391d7226961eb5d

  • SHA512

    f18801e6691980f17d4fe29c59db74084b78c3d203406803380f3d477ef337c5c9828bde585be04ea5646880d12e149af0da19c9eae77917463d4e015e23300c

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • suricata: ET MALWARE DCRAT Activity (GET)

  • DCRat Payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13f834e84beb9208eaba2a22a286bcf7.exe
    "C:\Users\Admin\AppData\Local\Temp\13f834e84beb9208eaba2a22a286bcf7.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainreview\egcCNJVTMxQySQYjogVX.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\chainreview\eQccdYwIKR90euD5Q0oan5EPG84.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\chainreview\.exe
          "C:\chainreview\.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    T1081 Credentials in Files (1)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (2)
  • Collection
    T1005 Data from Local System (1)

Downloads

  • C:\chainreview\.exe
    Filesize

    1.1MB

    MD5

    bab21aac84fcbf6ff5639c699b8e5273

    SHA1

    baa4a9333d2ebfdd521780c65f9e11c516877a82

    SHA256

    6e8a5bb847809a8171cc71ca1607cda9e464e73bf845bc06873ab477a6e366e6

    SHA512

    3dcdbf6f2c65701e5fb36a13471fbeff74c85d4318fffe1b120c1ec9a5d6a9a5f1f565fae0a8d8a02be75e9c8d53878ad686b1895e3b908ad4ad03044dd0f529

  • C:\chainreview\eQccdYwIKR90euD5Q0oan5EPG84.bat
    Filesize

    21B

    MD5

    4b2d709c097bcecdacf548330a0f2704

    SHA1

    d2adee306617f4846b31727e1c03289d425fa8bb

    SHA256

    b4c73df97e2777d089313540a743479457b2098566588ce2ba541bb48c4a3c4b

    SHA512

    3043fc7b83d03788f5af852009571fe617e568514e3fcbd1f400e0f354fb0697257e540a708d049b7ab8e970588ec5d01d3e4a7fc444cd7eddaeddcc9e68c331

  • C:\chainreview\egcCNJVTMxQySQYjogVX.vbe
    Filesize

    215B

    MD5

    fa51d6a3e958b8acbc6ef0c9d3b94315

    SHA1

    39235af0f705b2fb0d8ae2bf52b5a5eaf234e154

    SHA256

    2ed582be651c6a9310418da72e95ae630639ed42782d0875d5877ccd15992a7e

    SHA512

    746c3f22ea7b06ad00bafbadcfaa2967515ac78e46a207916191dab586ff1339505c1a5acf39493f588a27122f6fea4b5265b8317f41e499c1a97ee0edfb7722

  • memory/1320-134-0x0000000000000000-mapping.dmp
  • memory/1320-137-0x0000000000320000-0x000000000044C000-memory.dmp
    Filesize

    1.2MB

  • memory/1320-138-0x0000000002560000-0x00000000025B0000-memory.dmp
    Filesize

    320KB

  • memory/1320-139-0x000000001CE40000-0x000000001D368000-memory.dmp
    Filesize

    5.2MB

  • memory/1320-140-0x00007FFB11F20000-0x00007FFB129E1000-memory.dmp
    Filesize

    10.8MB

  • memory/4152-130-0x0000000000000000-mapping.dmp
  • memory/4656-133-0x0000000000000000-mapping.dmp