Overview

overview

10

Static

static

10

38b9cc3cca...26.exe

windows7-x64

10

38b9cc3cca...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2024 15:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26.exe

  • Size

    675KB

  • MD5

    314420bac969bcfb9510a0e8cc3686d6

  • SHA1

    66f1d0a60a2727970476a105c88883f37270e30f

  • SHA256

    38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26

  • SHA512

    debf908add95aa0849451aef830e5e71724247d352dcb5dad6b02dca0d54e4e915a9430de80d970a4e7ef3749eb2fc7c6fa7839348d84f546d5934d713e7569c

  • SSDEEP

    12288:C9X1yJ7/pZY7fiCI/YBfULiXPrQfkXmm1RhdLB9XFy+nM6D+:CVc7EaCQYBfcE1ZM6D+

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26.exe
    "C:\Users\Admin\AppData\Local\Temp\38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4zXT1a7zio.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2356
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:2776
          • C:\Program Files\Windows Mail\ja-JP\38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26.exe
            "C:\Program Files\Windows Mail\ja-JP\38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2728

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        Filesize

        675KB

        MD5

        314420bac969bcfb9510a0e8cc3686d6

        SHA1

        66f1d0a60a2727970476a105c88883f37270e30f

        SHA256

        38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26

        SHA512

        debf908add95aa0849451aef830e5e71724247d352dcb5dad6b02dca0d54e4e915a9430de80d970a4e7ef3749eb2fc7c6fa7839348d84f546d5934d713e7569c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4zXT1a7zio.bat
        Filesize

        280B

        MD5

        11720303e4c4b934a575e6bd0a5bd820

        SHA1

        237acf6698fb1206519d9c059a0a0b0cc6c9bbda

        SHA256

        fac80ff470097aa7ddc0f331632632ca97105efa55d3a11f5e8de89ec77b4654

        SHA512

        1ad366e84503557aa19509395def3917ce443f4f4e9692c40d1348eb1f6d34b18e7a03a814a996b099138495c0a238f93be132e29e65616889edebcb8018cd2b

        Download Submit

      • memory/2668-0-0x000007FEF6113000-0x000007FEF6114000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2668-1-0x00000000010E0000-0x0000000001190000-memory.dmp

        Filesize

        704KB

        Download

      • memory/2668-2-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2668-4-0x0000000000440000-0x000000000045C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2668-6-0x0000000000460000-0x0000000000478000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2668-7-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2668-21-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2668-23-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2728-27-0x0000000001230000-0x00000000012E0000-memory.dmp

        Filesize

        704KB

        Download