Analysis

  • max time kernel: 133s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted: 05-11-2024 07:11

General

  • Target: 3a92479aa98e55499bfa33bc2ea35b64.exe
  • Size: 1.9MB
  • MD5: 3a92479aa98e55499bfa33bc2ea35b64
  • SHA1: 2645ee34fe180b3c775fec79729f5ecee1dab95f
  • SHA256: cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71
  • SHA512: 137fe77d848b628a212e52fb9c8bac86c42914b51a2914f60676c3799e3c346a03c9122a54ed899888dbc58a59990f9cbd381212e08cfb82d071a577892d8d48
  • SSDEEP: 24576:2TbBv5rUyXV/SgxSKCk+FpaARF5+dKz8It1s4o4NIbDc405+iPP+x2PMZ5S6re:IBJ/CFK3INhNIbDcykP+yiSf

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely used as a geofence.

  • Executes dropped EXE (2 IoCs)
  • Drops file in Program Files directory (6 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class (2 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a92479aa98e55499bfa33bc2ea35b64.exe
    "C:\Users\Admin\AppData\Local\Temp\3a92479aa98e55499bfa33bc2ea35b64.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\ComponentSavesinto\fontReviewsavesinto.exe
          "C:\ComponentSavesinto/fontReviewsavesinto.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:532
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p3khZ6T8xi.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4876
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:3584
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1212
              • C:\Program Files\Windows Media Player\ja-JP\csrss.exe
                "C:\Program Files\Windows Media Player\ja-JP\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1764

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe
      Filesize: 242B
      MD5: 3076c2a420abfae7929160ba4d0a72b7
      SHA1: 12b6bf6ab90923d5bdd316683b8eccd25b478904
      SHA256: 12790bc3e92339d3720214576ee78d7546292f985d5a06ee20c19aa6aea20344
      SHA512: 847910825012e426315c64fe5f949d63bcb3c60b51111c413198cc056e4ebc8475bf9c07b1cb021a82d8050b805606c1530a6431a8da5f5021b60e81dd56b37e

    • C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat
      Filesize: 87B
      MD5: 0f0c1382d77519a4e9b29d9aa39e786b
      SHA1: e230967a14b0854d217ebdbbd571f7bae14ba176
      SHA256: 1bff5ed332b1fb57070372efa426bdb201534c2050cb16dd68c86e8595bf727a
      SHA512: 8435f2224ffe087669e382746587c4f583a15c1f0fa5939849882aecff136c1a55557171a6f17e3b66a0fc0d0067888de40ec02dcc70b86e35ee49c841cb2556

    • C:\ComponentSavesinto\fontReviewsavesinto.exe
      Filesize: 1.6MB
      MD5: 5b7391cd38f6218cd0e5c8f3899ab4dd
      SHA1: c8fe062863454f2170cb5add5e38733311c48066
      SHA256: 4fa8244e62b244b9f543363577dbab6f4765809c4e4b09de4d42bd0b05384ff9
      SHA512: a29e0820f2188af78133ba0ac8c1fa86a0f76038b222e15cbeb5167d1eb5f2a5e959d2ce5081fe694c458a204d1a222f92aea35d1049096807ccf25c68113d67

    • C:\Users\Admin\AppData\Local\Temp\p3khZ6T8xi.bat
      Filesize: 181B
      MD5: 18aa649cd618ddf195db16e9bcc467a2
      SHA1: fac6f8ffa14d3b18b41f91bfb4da17dcbbd0df17
      SHA256: b9358ec7e9664385f6a86030b278173ea13d79f2ffcd355fb0512cd0c47dfec3
      SHA512: 773e04b6f5930e691af06811fc8042128e55a269cea07e36d0289047c1cbb699df88c24baa590eb4cadd827dfc08662023e9f73660e1da56b26266047494c540

    • memory/532-12-0x00007FFF130A3000-0x00007FFF130A5000-memory.dmp
      Filesize: 8KB

    • memory/532-13-0x0000000000390000-0x0000000000528000-memory.dmp
      Filesize: 1.6MB