Overview

overview

10

Static

static

10

7c00e76d20...70.exe

windows7-x64

10

7c00e76d20...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2022 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c00e76d200bb61ac4ad205703541d6d9e11898333759fb876bd5fef0d1fed70.exe

  • Size

    1.3MB

  • MD5

    e8ab7211bb9f1d8f7853a408c0c4237d

  • SHA1

    b201acf68589dce527a2f64496933a524a2a828f

  • SHA256

    7c00e76d200bb61ac4ad205703541d6d9e11898333759fb876bd5fef0d1fed70

  • SHA512

    fe3b7e3a3b9008aa802d7660b11c1a2b7b953cd222c99287ad891792c35bea51e1523f267e7b1cb0fe80cd140985a52f238fdba835f702b18ac58a00b1cd9c27

  • SSDEEP

    24576:U2G/nvxW3Ww0tiZJVZke3TAJ41sh2D0N6ZotQhiY3obwMGgp9FUQ:UbA30iDV6nJmTh3obXGgp9Fl

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c00e76d200bb61ac4ad205703541d6d9e11898333759fb876bd5fef0d1fed70.exe
    "C:\Users\Admin\AppData\Local\Temp\7c00e76d200bb61ac4ad205703541d6d9e11898333759fb876bd5fef0d1fed70.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\mPQTi.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\0VgGij1TsQ7fEUJcEhLUmBiDHo.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\fontmonitorcommon.exe
          "C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\fontmonitorcommon.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4564
          • C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\dllhost.exe
            "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2564
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2564 -s 1264
              6⤵
              • Program crash
              PID:396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\odt\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4656
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 444 -p 2564 -ip 2564
    1⤵
      PID:2296

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\dllhost.exe
      Filesize

      1.0MB

      MD5

      c0eddd00487c0f62c72b17565d15cf13

      SHA1

      6d4a29f825e27891a88d22ac70aabed01f65a6c0

      SHA256

      1dd6bfec90e902000d5fc42fe313588c605fec708b678ec0d53a08ca76bfed1c

      SHA512

      3f57a54c9af324b442056bd1477d2e2e29cccf1808d089cbfb30885c5abd4a490fd678ea3e837980fbc8b1b72d5144e27ea75a0f2e83cc2f108ea532098930e2

      Download Submit

    • C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\dllhost.exe
      Filesize

      1.0MB

      MD5

      c0eddd00487c0f62c72b17565d15cf13

      SHA1

      6d4a29f825e27891a88d22ac70aabed01f65a6c0

      SHA256

      1dd6bfec90e902000d5fc42fe313588c605fec708b678ec0d53a08ca76bfed1c

      SHA512

      3f57a54c9af324b442056bd1477d2e2e29cccf1808d089cbfb30885c5abd4a490fd678ea3e837980fbc8b1b72d5144e27ea75a0f2e83cc2f108ea532098930e2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\0VgGij1TsQ7fEUJcEhLUmBiDHo.bat
      Filesize

      59B

      MD5

      89803afd00942423ddc4bd21ece57e63

      SHA1

      525a07e5effd35533a75672123dbbf9da73c4d57

      SHA256

      bd260c7f3f5b57e0fa4e12391887a58d2dd3aa9939941b86d98bf4e458f8a1a5

      SHA512

      63b4331cc960837a9701ed80920ca9dfff98816f6c911bee9afc7f22c6f9b7932bcd865dd419704fbda404602535725632c06a97aabaa629b71e74f5dfb81d3e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\fontmonitorcommon.exe
      Filesize

      1.0MB

      MD5

      5d4bd5f30909e3553904956c07f575e8

      SHA1

      70c340703499a5ad54e9fe205330e3d295d81c38

      SHA256

      af8557b923fca616c04d38072a1d280afaf868ebcce244aec6385f756fecbf8a

      SHA512

      bbecba1ced46b83690e3f15f36898f8ebd5708991f0942fa92f04eae8c8f6fb5c0b745bdb4bcb898c28be287377b7b078b7f519fb6e4b9c58d95806aec5dec25

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\fontmonitorcommon.exe
      Filesize

      1.0MB

      MD5

      5d4bd5f30909e3553904956c07f575e8

      SHA1

      70c340703499a5ad54e9fe205330e3d295d81c38

      SHA256

      af8557b923fca616c04d38072a1d280afaf868ebcce244aec6385f756fecbf8a

      SHA512

      bbecba1ced46b83690e3f15f36898f8ebd5708991f0942fa92f04eae8c8f6fb5c0b745bdb4bcb898c28be287377b7b078b7f519fb6e4b9c58d95806aec5dec25

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SurrogateReviewdriverHost\mPQTi.vbe
      Filesize

      235B

      MD5

      058e84411de105b1405e3c9f27a26d0c

      SHA1

      e2fff2146a8d83f1c2a8f43f7e4be774a0966252

      SHA256

      6919b7d4b838c5693b3c0e565aaf7fd16e941acc2abdf90348c808c4e9411b53

      SHA512

      caa79323cb92408ad2dafd8c5a98cf9a31ecc092748106fbaf0d83432ab6ce59d56850e7b59224fe2b03e405b758626a6849a099a1bb0b211a24d732ad00bf0f

      Download Submit

    • memory/1456-135-0x0000000000000000-mapping.dmp

      Download

    • memory/2404-132-0x0000000000000000-mapping.dmp

      Download

    • memory/2564-143-0x0000000000000000-mapping.dmp

      Download

    • memory/2564-150-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2564-156-0x000000001C6D4000-0x000000001C6D7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2564-155-0x000000001C6D0000-0x000000001C6D4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2564-154-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2564-153-0x000000001C6D4000-0x000000001C6D7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2564-146-0x0000000000360000-0x000000000046A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2564-152-0x000000001C6D0000-0x000000001C6D4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2564-151-0x0000000002499000-0x000000000249F000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4564-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4564-149-0x000000001C9C0000-0x000000001C9C4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/4564-148-0x00000000023F9000-0x00000000023FF000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4564-147-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4564-141-0x00000000023F9000-0x00000000023FF000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4564-139-0x0000000000230000-0x000000000033A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4564-140-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4564-142-0x000000001C9C0000-0x000000001C9C4000-memory.dmp

      Filesize

      16KB

      Download