Overview

overview

10

Static

static

10

38b9cc3cca...26.exe

windows7-x64

10

38b9cc3cca...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2024 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26.exe

  • Size

    675KB

  • MD5

    314420bac969bcfb9510a0e8cc3686d6

  • SHA1

    66f1d0a60a2727970476a105c88883f37270e30f

  • SHA256

    38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26

  • SHA512

    debf908add95aa0849451aef830e5e71724247d352dcb5dad6b02dca0d54e4e915a9430de80d970a4e7ef3749eb2fc7c6fa7839348d84f546d5934d713e7569c

  • SSDEEP

    12288:C9X1yJ7/pZY7fiCI/YBfULiXPrQfkXmm1RhdLB9XFy+nM6D+:CVc7EaCQYBfcE1ZM6D+

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26.exe
    "C:\Users\Admin\AppData\Local\Temp\38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w30cntzK4R.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2580
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2448
        • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe
          "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2412

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe
      Filesize

      675KB

      MD5

      314420bac969bcfb9510a0e8cc3686d6

      SHA1

      66f1d0a60a2727970476a105c88883f37270e30f

      SHA256

      38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26

      SHA512

      debf908add95aa0849451aef830e5e71724247d352dcb5dad6b02dca0d54e4e915a9430de80d970a4e7ef3749eb2fc7c6fa7839348d84f546d5934d713e7569c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\w30cntzK4R.bat
      Filesize

      202B

      MD5

      3394ab91fd0a2dd7d7b99c4a652291c4

      SHA1

      4aaf4d5c06237cd0883d6c3fbf683c4f12d9f8b5

      SHA256

      52daa1e2427b4d6688259cbf4d338482cc11553cba31c2387297c5a3d5bfc6c9

      SHA512

      0a4af3d9f06b22f4f4434bcd323641450576710f24d2fa470e7b3626bfa66b583022cfb1bffd211c5f00223bed49a06852832ffdd4de61ec2cf91838e8298fb3

      Download Submit

    • memory/1780-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1780-1-0x0000000000250000-0x0000000000300000-memory.dmp

      Filesize

      704KB

      Download

    • memory/1780-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1780-4-0x0000000000450000-0x000000000046C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1780-7-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1780-6-0x0000000000470000-0x0000000000488000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1780-21-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1780-24-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2412-27-0x00000000001B0000-0x0000000000260000-memory.dmp

      Filesize

      704KB

      Download