Overview

overview

10

Static

static

1e9d648839...b1.exe

windows7-x64

10

1e9d648839...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2023 03:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e9d648839d6df31421c48fc5a58fdb1.exe

  • Size

    1.3MB

  • MD5

    1e9d648839d6df31421c48fc5a58fdb1

  • SHA1

    8824a936225692b169bf16491e85f71149a15a90

  • SHA256

    c66b91cd0446d231445052af25b86edc15127b4313e40457f6697850da21810d

  • SHA512

    02a41349d165462c777970bbc41c5b3b86ad2b5af68c62e7f6e248fb3e169d9ac065039630848d1631a0e10ef43b6870d69c85f20e24904c8e638b6cf8e0f7ea

  • SSDEEP

    24576:kOHLrVJI42Vq2TjMqmMdTjtFSV3pwcaHigoqOIW1Khv:h1JCVm5UxFsGVl

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e9d648839d6df31421c48fc5a58fdb1.exe
    "C:\Users\Admin\AppData\Local\Temp\1e9d648839d6df31421c48fc5a58fdb1.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3764
        • C:\Windows\InputMethod\WmiPrvSE.exe
          "C:\Windows\InputMethod\WmiPrvSE.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:5064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\InputMethod\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:64
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2356

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat
      Filesize

      200B

      MD5

      5dd1249b4a403ecb992e5258361f3367

      SHA1

      4ac643c905ac3b896be560bd77de33efab29f669

      SHA256

      e2cce541a2fa33cff82ef1f1e64b2d59b52dcad0d87720e5db5a21bb36a5ea71

      SHA512

      0d888003af066c21183470b191a25745428386a62c3a9600c377392a5d13decb301015d2dfd3723139c8c591e468b35918427564c842da4a65220b5daf28012c

      Download Submit

    • C:\Windows\InputMethod\WmiPrvSE.exe
      Filesize

      1.3MB

      MD5

      1e9d648839d6df31421c48fc5a58fdb1

      SHA1

      8824a936225692b169bf16491e85f71149a15a90

      SHA256

      c66b91cd0446d231445052af25b86edc15127b4313e40457f6697850da21810d

      SHA512

      02a41349d165462c777970bbc41c5b3b86ad2b5af68c62e7f6e248fb3e169d9ac065039630848d1631a0e10ef43b6870d69c85f20e24904c8e638b6cf8e0f7ea

      Download Submit

    • C:\Windows\InputMethod\WmiPrvSE.exe
      Filesize

      1.3MB

      MD5

      1e9d648839d6df31421c48fc5a58fdb1

      SHA1

      8824a936225692b169bf16491e85f71149a15a90

      SHA256

      c66b91cd0446d231445052af25b86edc15127b4313e40457f6697850da21810d

      SHA512

      02a41349d165462c777970bbc41c5b3b86ad2b5af68c62e7f6e248fb3e169d9ac065039630848d1631a0e10ef43b6870d69c85f20e24904c8e638b6cf8e0f7ea

      Download Submit

    • memory/3764-137-0x0000000000000000-mapping.dmp

      Download

    • memory/5036-138-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5036-132-0x0000000000C60000-0x0000000000DBA000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5036-134-0x0000000002ED0000-0x0000000002F20000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5036-133-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5064-139-0x0000000000000000-mapping.dmp

      Download

    • memory/5064-142-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5064-143-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5064-144-0x000000001DD10000-0x000000001DED2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/5108-135-0x0000000000000000-mapping.dmp

      Download