Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
22-03-2023 11:21
Static task
static1
Behavioral task
behavioral1
Sample
36debef0fda01710af9b0e7b6d990a37.bin.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
36debef0fda01710af9b0e7b6d990a37.bin.exe
Resource
win10v2004-20230221-en
General
-
Target
36debef0fda01710af9b0e7b6d990a37.bin.exe
-
Size
1.1MB
-
MD5
36debef0fda01710af9b0e7b6d990a37
-
SHA1
b74d79014b30d14abbfbc7adac9a9c2a484f51b9
-
SHA256
5d61d2fe577e2a1feac949e6ee980fc9589e4b9472bc4ae249e5d50371ce0e9a
-
SHA512
a4fdeb9658b23abf6544344131d2504a72512773f9b041a1c83cee137bb248bf5ab28e11b07d21302fa54660e2eff8fb97f8c3b00d4c7cdee237c237f91befa4
-
SSDEEP
12288:7EOA56TrfgrfGA3hM6iM8QSArLmMcKDJW0lt6/9y4dne+qR/:o5IErf1hTP8ALrDc0lQ/9y4dne
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Panda Stealer payload 4 IoCs
resource yara_rule behavioral2/memory/4648-176-0x0000000000400000-0x00000000004A3000-memory.dmp family_pandastealer behavioral2/memory/4648-178-0x0000000000400000-0x00000000004A3000-memory.dmp family_pandastealer behavioral2/memory/4648-179-0x0000000000400000-0x00000000004A3000-memory.dmp family_pandastealer behavioral2/memory/4648-182-0x0000000000400000-0x00000000004A3000-memory.dmp family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
resource yara_rule behavioral2/files/0x001000000002315e-166.dat dcrat behavioral2/files/0x001000000002315e-172.dat dcrat behavioral2/files/0x001000000002315e-171.dat dcrat behavioral2/memory/2956-173-0x00000000005F0000-0x0000000000702000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation 36debef0fda01710af9b0e7b6d990a37.bin.exe -
Executes dropped EXE 1 IoCs
pid Process 2956 Xxcmfezhjmaxhvcomintoperf.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 62 ipinfo.io 63 ipinfo.io -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1664 set thread context of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2664 powershell.exe 2664 powershell.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe 2956 Xxcmfezhjmaxhvcomintoperf.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2956 Xxcmfezhjmaxhvcomintoperf.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 2956 Xxcmfezhjmaxhvcomintoperf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2956 Xxcmfezhjmaxhvcomintoperf.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1664 wrote to memory of 2664 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 86 PID 1664 wrote to memory of 2664 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 86 PID 1664 wrote to memory of 2664 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 86 PID 1664 wrote to memory of 2956 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 92 PID 1664 wrote to memory of 2956 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 92 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94 PID 1664 wrote to memory of 4648 1664 36debef0fda01710af9b0e7b6d990a37.bin.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\36debef0fda01710af9b0e7b6d990a37.bin.exe"C:\Users\Admin\AppData\Local\Temp\36debef0fda01710af9b0e7b6d990a37.bin.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\Xxcmfezhjmaxhvcomintoperf.exe"C:\Users\Admin\AppData\Local\Temp\Xxcmfezhjmaxhvcomintoperf.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\36debef0fda01710af9b0e7b6d990a37.bin.exeC:\Users\Admin\AppData\Local\Temp\36debef0fda01710af9b0e7b6d990a37.bin.exe2⤵PID:4648
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD53a1aa0d3d3fad3ba324feda977846412
SHA1b1423f52ef9060e5c3d77394224f65af757f2f17
SHA2567606edcf0491794b631f9aaf1a7e34fd0960e542d30614b562c8423afc86e2c1
SHA512c9f6d5d9d53fa590c3499c4eeb73bdb2081c9dffdb9aa587672861e5af7b84ae80ff326bc0b738656117d762c1204e256538f4c8703451912d32b88bd171d68f
-
Filesize
1.0MB
MD53a1aa0d3d3fad3ba324feda977846412
SHA1b1423f52ef9060e5c3d77394224f65af757f2f17
SHA2567606edcf0491794b631f9aaf1a7e34fd0960e542d30614b562c8423afc86e2c1
SHA512c9f6d5d9d53fa590c3499c4eeb73bdb2081c9dffdb9aa587672861e5af7b84ae80ff326bc0b738656117d762c1204e256538f4c8703451912d32b88bd171d68f
-
Filesize
1.0MB
MD53a1aa0d3d3fad3ba324feda977846412
SHA1b1423f52ef9060e5c3d77394224f65af757f2f17
SHA2567606edcf0491794b631f9aaf1a7e34fd0960e542d30614b562c8423afc86e2c1
SHA512c9f6d5d9d53fa590c3499c4eeb73bdb2081c9dffdb9aa587672861e5af7b84ae80ff326bc0b738656117d762c1204e256538f4c8703451912d32b88bd171d68f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82