Overview

overview

10

Static

static

417676e1e6...ca.exe

windows7-x64

10

417676e1e6...ca.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 21:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe

  • Size

    433KB

  • MD5

    2e421d1efddf596ee6487321df0ae484

  • SHA1

    38cdf0bd60efdb86c0ea363cfb3c5fbd2ddf997b

  • SHA256

    417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca

  • SHA512

    72a642acfccfc83f84ab7723c9e5f31c678233d8959c11a8afcdc8a1f8e98940d33865a77ea93a4ec477bb068a9310b8d427e14f6078668d5ad578acdf65b247

  • SSDEEP

    12288:0Qnk3GDYKGcblwtX+t4Y8vd9CaOUG5Y+mh:IAOcZwXYO2J5zE

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
    "C:\Users\Admin\AppData\Local\Temp\417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\perfinto\i48JYD4oJA0cMfil2yKzMD37Ydu3jL.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\perfinto\ERovcdbkxlUoLK71txXW3cA964JSkD.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\perfinto\crtwin.exe
          "C:\perfinto\crtwin.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4744
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4888
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:620
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\perfinto\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1812
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3640
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Documents and Settings\conhost.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2812
          • C:\Documents and Settings\conhost.exe
            "C:\Documents and Settings\conhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Documents and Settings\conhost.exe
    Filesize

    356KB

    MD5

    922a77e55160186e8d3558c88f45f0fd

    SHA1

    97981a4019c4c0f8aae6ddc20aeae64bf1927718

    SHA256

    40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

    SHA512

    04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

    Download Submit
  • C:\Users\conhost.exe
    Filesize

    356KB

    MD5

    922a77e55160186e8d3558c88f45f0fd

    SHA1

    97981a4019c4c0f8aae6ddc20aeae64bf1927718

    SHA256

    40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

    SHA512

    04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

    Download Submit
  • C:\perfinto\ERovcdbkxlUoLK71txXW3cA964JSkD.bat
    Filesize

    24B

    MD5

    56e3a5d60991108ba8d984f67c27d59d

    SHA1

    f0ca46ab72e8f9237660ee112d9077abe59dc71d

    SHA256

    9be93ab4ea35cccd861162176e9e1cb49f753ff071f44bc8531885cf7b5171db

    SHA512

    dfcb1b4742d0daa4c8b0de16249d7d44e7dc5f4d0befa696915846f1bbd0c145888b9db32cd4d07ca6e7b7974aec6b4125af759663065eeff8baf643248eb061

    Download Submit
  • C:\perfinto\crtwin.exe
    Filesize

    356KB

    MD5

    922a77e55160186e8d3558c88f45f0fd

    SHA1

    97981a4019c4c0f8aae6ddc20aeae64bf1927718

    SHA256

    40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

    SHA512

    04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

    Download Submit
  • C:\perfinto\crtwin.exe
    Filesize

    356KB

    MD5

    922a77e55160186e8d3558c88f45f0fd

    SHA1

    97981a4019c4c0f8aae6ddc20aeae64bf1927718

    SHA256

    40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

    SHA512

    04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

    Download Submit
  • C:\perfinto\i48JYD4oJA0cMfil2yKzMD37Ydu3jL.vbe
    Filesize

    220B

    MD5

    224d54950cf34464d6cf812c3d6ac98b

    SHA1

    2861f8019ec27a520c0751cbe196e7d19e1e93a8

    SHA256

    9890d7cd354a1444ca02970c09721238ff6223c305f8819cd2219bf8724627b2

    SHA512

    ff8b1dff61f8dd8c68a57b5b43a3a4a5156fe5dd0704e9264e0fb71e6da5a4d3bbd114881a58ebc79d4e06d24abf21a42e027ee9a4824fb378e0299579a4b73f

    Download Submit
  • memory/212-147-0x0000000000000000-mapping.dmp
    Download
  • memory/212-153-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/212-152-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/212-151-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/620-143-0x0000000000000000-mapping.dmp
    Download
  • memory/1796-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1812-144-0x0000000000000000-mapping.dmp
    Download
  • memory/2812-146-0x0000000000000000-mapping.dmp
    Download
  • memory/3640-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4744-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4744-139-0x00000206906F0000-0x0000020690750000-memory.dmp
    Filesize

    384KB

    Download
  • memory/4744-150-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4744-141-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4744-140-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4820-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4888-142-0x0000000000000000-mapping.dmp
    Download