Overview

overview

10

Static

static

10

Allergies ...df.zip

windows10-2004-x64

1

Allergies ...df.scr

windows10-2004-x64

10

Resubmissions

14-06-2023 00:49

230614-a6lm7acd45 10

14-06-2023 00:49

230614-a6ejwacd44 10

14-06-2023 00:21

230614-and6dscd27 10

Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2023 00:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Allergies List and Allowed Substances.numb05151.pdf.scr

  • Size

    920.3MB

  • MD5

    491c5ac82977262ef24bd22ad312c622

  • SHA1

    1f0555370f07e94182059701f63e940429757157

  • SHA256

    ea770032c44e773b9c9865d4ff3bfb10f76b003ace1bbfbe45755ffff227e5fe

  • SHA512

    a9974fe623a979e12d8493200f36aa4aab5763ea97ed4d5924fb1f579038d686bb10d789d576343ce4ca4c8a4657ed9404b7ffb52f701f6f880eb75e766f6734

  • SSDEEP

    393216:rc8yiMPNWZV4nXF12elEA7YKsHES/Sl50l:rcOMPNWTM2elpBtSwW

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • .NET Reactor proctector 34 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 40 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Allergies List and Allowed Substances.numb05151.pdf.scr
    "C:\Users\Admin\AppData\Local\Temp\Allergies List and Allowed Substances.numb05151.pdf.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3376
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1384
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4076
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7737a2b1-6fc2-4642-99fc-97d1aa9f5df5.tmp"
        2⤵
        • Checks processor information in registry
        • Suspicious use of SetWindowsHookEx
        PID:1080

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3200-133-0x0000000000A00000-0x0000000003366000-memory.dmp
      Filesize

      41.4MB

      Download
    • memory/3200-134-0x0000000005470000-0x0000000005480000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3200-136-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-135-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-138-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-140-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-142-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-144-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-146-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-148-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-150-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-152-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-154-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-156-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-158-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-160-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-162-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-164-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-166-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-168-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-170-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-172-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-174-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-176-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-178-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-180-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-182-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-184-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-186-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-188-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-190-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-192-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-194-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-196-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-198-0x000000001E090000-0x000000001E1E0000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3200-538-0x0000000005470000-0x0000000005480000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3376-8738-0x0000000000400000-0x00000000004D0000-memory.dmp
      Filesize

      832KB

      Download
    • memory/3376-8739-0x00000000061B0000-0x0000000006754000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3376-8740-0x00000000055B0000-0x00000000055C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3376-8741-0x0000000005F40000-0x0000000005F90000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3376-8742-0x0000000006030000-0x00000000060C2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3376-8743-0x0000000006140000-0x00000000061A6000-memory.dmp
      Filesize

      408KB

      Download