Overview

overview

10

Static

static

8

5b74fabd26...98.exe

windows7_x64

10

5b74fabd26...98.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 23:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe

  • Size

    2.1MB

  • MD5

    cd41c9fd80fc79506911ae3a97676eb6

  • SHA1

    8a53a31dabf4c6bc373d6d83b75723e1eae1a384

  • SHA256

    5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598

  • SHA512

    6d1657a837906d61d1a48fea8b1397bdbf638954981b4f519a4ba62ef27ba974467d886832d4b56ff09029193553bb21cc48af37c3111391734c0030e5cb443a

Score
10/10
dcratevasioninfostealerratsuricata

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • suricata: ET MALWARE DCRat Initial CnC Activity

    suricata: ET MALWARE DCRat Initial CnC Activity

    suricata
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe
    "C:\Users\Admin\AppData\Local\Temp\5b74fabd26372fb02de33316f41adba1dd5d9e0c84961699cf2f9a475729b598.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontsvc\System.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat" "
        3⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\fontsvc\fontwin.exe
          "C:\fontsvc\fontwin.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3424
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 3424 -s 1604
            5⤵
            • Program crash
            PID:3956
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:3524
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 468 -p 3424 -ip 3424
    1⤵
      PID:2124

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\fontsvc\System.lnk
      Filesize

      337B

      MD5

      7a3332f58f216e5af60285829fed062e

      SHA1

      6c44878aaf762640d5734b17511bd863cc77489a

      SHA256

      cbc53cd132e90ce7e1723394a3784b0e4796f6294ad57ef801467cd73b009d77

      SHA512

      5152543f5747446bdff9a1c51a2f5ca5d30cb0817eae918eaa01c2393aef93a43f8fad08766873c978a64c396a764a297057ed91116b018881e03331704b01f1

      Download Submit
    • C:\fontsvc\System.vbe
      Filesize

      366B

      MD5

      08d1b73b3ebafa4fdc59aad6855288c2

      SHA1

      74e059014c139a5071b7c51c0c2795dd891b674c

      SHA256

      367e82e5ad4d288f6b41076bed049f5ccb9f7279d439f19610a1fedc1268d252

      SHA512

      e7a81648ab124d747b2a8333dfd9cbbf987fce4cc4744c9fda66a376d72211e983a22267d07f16a1cc3bf964a8e22254c8fcac8f8bacae17e628f96d3a6cbbcc

      Download Submit
    • C:\fontsvc\fImP8pZE2f1erUZpTAHRXHRmAfXtCE.bat
      Filesize

      833B

      MD5

      7f2fe99aa89ebaa4f4c0f008e7820434

      SHA1

      996fd0408f67ce90f39db8da574c19f8a7dbf894

      SHA256

      6e7fa0e1d108798d9a914e790cc0ffddefeff5d5161d1aab3da9b250eccf5121

      SHA512

      ff71f66583de98dae1593cf584d0e9d459894c7709279d554cc65a105996b14d065f038f2b9211dda2883e938640101b5b8b5886e95f4b47a9b4b86ce47b74e9

      Download Submit
    • C:\fontsvc\fontwin.exe
      Filesize

      2.2MB

      MD5

      409efdc11afb323a6e0225b66c4a0f93

      SHA1

      0fbe66e14b3921bc5d9263ff05c3f14610895856

      SHA256

      6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

      SHA512

      e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

      Download Submit
    • C:\fontsvc\fontwin.exe
      Filesize

      2.2MB

      MD5

      409efdc11afb323a6e0225b66c4a0f93

      SHA1

      0fbe66e14b3921bc5d9263ff05c3f14610895856

      SHA256

      6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

      SHA512

      e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

      Download Submit
    • C:\fontsvc\vmcheck32.dll
      Filesize

      596B

      MD5

      cc7bbc6a1d386fe2023c805e00865e8c

      SHA1

      906de1c94454d226a96fea1b2651884ba4dd0ee3

      SHA256

      19fb7a8d91f33b384891b965f94a119325c71c06336ededb042bf82088917232

      SHA512

      acb5d30e730fe227c047d0f86e7c7445c3f540c5f768c0736bb846952719086a23acf91aa6ce9aabd82a907a6ce2ecb8accf6210befe46fac3ec4ab8fc4700d1

      Download Submit
    • memory/444-130-0x0000000000000000-mapping.dmp
      Download
    • memory/2580-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3424-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3424-138-0x00000203E8170000-0x00000203E83A4000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/3424-139-0x00007FFE19650000-0x00007FFE1A111000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3524-141-0x0000000000000000-mapping.dmp
      Download