Analysis

  • max time kernel: 118s
  • max time network: 154s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 05-11-2024 07:11

General

  • Target: 3a92479aa98e55499bfa33bc2ea35b64.exe
  • Size: 1.9MB
  • MD5: 3a92479aa98e55499bfa33bc2ea35b64
  • SHA1: 2645ee34fe180b3c775fec79729f5ecee1dab95f
  • SHA256: cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71
  • SHA512: 137fe77d848b628a212e52fb9c8bac86c42914b51a2914f60676c3799e3c346a03c9122a54ed899888dbc58a59990f9cbd381212e08cfb82d071a577892d8d48
  • SSDEEP: 24576:2TbBv5rUyXV/SgxSKCk+FpaARF5+dKz8It1s4o4NIbDc405+iPP+x2PMZ5S6re:IBJ/CFK3INhNIbDcykP+yiSf

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a92479aa98e55499bfa33bc2ea35b64.exe
    "C:\Users\Admin\AppData\Local\Temp\3a92479aa98e55499bfa33bc2ea35b64.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\ComponentSavesinto\fontReviewsavesinto.exe
          "C:\ComponentSavesinto/fontReviewsavesinto.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W6bqrp3ns3.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2184
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:336
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:1180
                • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe
                  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe
    Filesize: 242B
    MD5: 3076c2a420abfae7929160ba4d0a72b7
    SHA1: 12b6bf6ab90923d5bdd316683b8eccd25b478904
    SHA256: 12790bc3e92339d3720214576ee78d7546292f985d5a06ee20c19aa6aea20344
    SHA512: 847910825012e426315c64fe5f949d63bcb3c60b51111c413198cc056e4ebc8475bf9c07b1cb021a82d8050b805606c1530a6431a8da5f5021b60e81dd56b37e

  • C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat
    Filesize: 87B
    MD5: 0f0c1382d77519a4e9b29d9aa39e786b
    SHA1: e230967a14b0854d217ebdbbd571f7bae14ba176
    SHA256: 1bff5ed332b1fb57070372efa426bdb201534c2050cb16dd68c86e8595bf727a
    SHA512: 8435f2224ffe087669e382746587c4f583a15c1f0fa5939849882aecff136c1a55557171a6f17e3b66a0fc0d0067888de40ec02dcc70b86e35ee49c841cb2556

  • C:\ComponentSavesinto\fontReviewsavesinto.exe
    Filesize: 1.6MB
    MD5: 5b7391cd38f6218cd0e5c8f3899ab4dd
    SHA1: c8fe062863454f2170cb5add5e38733311c48066
    SHA256: 4fa8244e62b244b9f543363577dbab6f4765809c4e4b09de4d42bd0b05384ff9
    SHA512: a29e0820f2188af78133ba0ac8c1fa86a0f76038b222e15cbeb5167d1eb5f2a5e959d2ce5081fe694c458a204d1a222f92aea35d1049096807ccf25c68113d67

  • C:\Users\Admin\AppData\Local\Temp\W6bqrp3ns3.bat
    Filesize: 248B
    MD5: c4c7c61044d3cdc1159dcb48f7580679
    SHA1: 5699961921cc0086b6fc99fb0d2e991c72e6b7db
    SHA256: e567a87443f622d564acc199d2aff09b31ff8448689bf5a8978b113150a1daeb
    SHA512: 49e8f183f566442aab541add91755d0f5da77e25f567a5535c399ff76d392f7d29e629e9bdb858bc5ec17e909efb4f14cbe464f8e2bdcdaaa19ec64481e57809

  • memory/1616-32-0x0000000000F70000-0x0000000001108000-memory.dmp
    Filesize: 1.6MB

  • memory/2768-13-0x0000000000910000-0x0000000000AA8000-memory.dmp
    Filesize: 1.6MB