Analysis

  • max time kernel
    129s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-10-2024 13:31

General

  • Target

    EC4891EC2E1E54B6E32D1E1B3BDB5915.exe

  • Size

    1.8MB

  • MD5

    ec4891ec2e1e54b6e32d1e1b3bdb5915

  • SHA1

    c30c1fad6115013e814e288a1d06d2523aec6d95

  • SHA256

    44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6

  • SHA512

    3ab4c039d3cf22c55dedf8506851ec3ea221849eb4e132928eb314c67c38a650b403afc4270874c2d2c46875f1a9ec668b83f7619793ef75758bc2398b4cc7cc

  • SSDEEP

    24576:juhBQp12QFQP7U9QlUrNGWsm5wtgeZBN+HE3r13P+doHExf27vH/h6kcWqnxqlM:jMWYoQlUr4M4geZ2ktP+dCEeghxql

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • DcRat family
  • Command and Scripting Interpreter: PowerShell (1 TTP, 18 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (20 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\EC4891EC2E1E54B6E32D1E1B3BDB5915.exe
    "C:\Users\Admin\AppData\Local\Temp\EC4891EC2E1E54B6E32D1E1B3BDB5915.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\taskhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EC4891EC2E1E54B6E32D1E1B3BDB5915.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ptYtSYFx9o.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:908
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:1896
      • C:\Windows\Performance\WinSAT\DataStore\winlogon.exe
        "C:\Windows\Performance\WinSAT\DataStore\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:316

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\ptYtSYFx9o.bat

        Filesize

        228B

        MD5

        70efccb5db4fc4d75cd30589a5dd404e

        SHA1

        cf9420fd6241ac2df06d71355580f440acf025d8

        SHA256

        e108dfdc7b97f5fa7f36628e6d8bfe9dfe7cb9856b2e511ea59ba6dab468d6a3

        SHA512

        34b6a0d1b77609744aa5b90a842e5e6311cdb95da1c26e25a28aca9b31fbbc8c208846d07cb1885d3d243ceae7c99a0cc406f4a843a950f74ecddcc9ae072a6a

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        539004b79cfdf5c86a2d862a1407478a

        SHA1

        37074c0edd6ba9cd90c74737d393a0a60978016f

        SHA256

        635ae772af6d094aab8158d33f4e3b670a614ddce01d636ef9e52e16a175982a

        SHA512

        eefc7293f383108a8642436683b196b3ef5625356c2dcbcd2b07d3cf70d8e95d7acc852cf03f0d9a324a308bf73dcffa08e5f66cf7ebc8e95f0e94b6cb120e96

      • C:\Windows\Performance\WinSAT\DataStore\winlogon.exe

        Filesize

        1.8MB

        MD5

        ec4891ec2e1e54b6e32d1e1b3bdb5915

        SHA1

        c30c1fad6115013e814e288a1d06d2523aec6d95

        SHA256

        44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6

        SHA512

        3ab4c039d3cf22c55dedf8506851ec3ea221849eb4e132928eb314c67c38a650b403afc4270874c2d2c46875f1a9ec668b83f7619793ef75758bc2398b4cc7cc

      • memory/316-128-0x0000000000E00000-0x0000000000FDA000-memory.dmp

        Filesize

        1.9MB

      • memory/2012-124-0x000000001B580000-0x000000001B862000-memory.dmp

        Filesize

        2.9MB

      • memory/2136-6-0x00000000006F0000-0x00000000006FE000-memory.dmp

        Filesize

        56KB

      • memory/2136-26-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2136-10-0x0000000002100000-0x0000000002118000-memory.dmp

        Filesize

        96KB

      • memory/2136-11-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2136-13-0x0000000000700000-0x000000000070C000-memory.dmp

        Filesize

        48KB

      • memory/2136-15-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2136-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

        Filesize

        4KB

      • memory/2136-8-0x00000000020E0000-0x00000000020FC000-memory.dmp

        Filesize

        112KB

      • memory/2136-29-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2136-30-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2136-4-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2136-112-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2136-3-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2136-1-0x00000000000D0000-0x00000000002AA000-memory.dmp

        Filesize

        1.9MB

      • memory/2136-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

        Filesize

        9.9MB

      • memory/2856-125-0x00000000022D0000-0x00000000022D8000-memory.dmp

        Filesize

        32KB