Analysis

  • max time kernel: 136s
  • max time network: 146s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 06-11-2024 03:39

General

  • Target: cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe
  • Size: 1.9MB
  • MD5: 3a92479aa98e55499bfa33bc2ea35b64
  • SHA1: 2645ee34fe180b3c775fec79729f5ecee1dab95f
  • SHA256: cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71
  • SHA512: 137fe77d848b628a212e52fb9c8bac86c42914b51a2914f60676c3799e3c346a03c9122a54ed899888dbc58a59990f9cbd381212e08cfb82d071a577892d8d48
  • SSDEEP: 24576:2TbBv5rUyXV/SgxSKCk+FpaARF5+dKz8It1s4o4NIbDc405+iPP+x2PMZ5S6re:IBJ/CFK3INhNIbDcykP+yiSf

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe
    "C:\Users\Admin\AppData\Local\Temp\cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\ComponentSavesinto\fontReviewsavesinto.exe
          "C:\ComponentSavesinto/fontReviewsavesinto.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OiLi34xpVR.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:2968
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:2604
            • C:\Windows\Setup\State\services.exe
              "C:\Windows\Setup\State\services.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:768

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe
        Filesize: 242B
        MD5: 3076c2a420abfae7929160ba4d0a72b7
        SHA1: 12b6bf6ab90923d5bdd316683b8eccd25b478904
        SHA256: 12790bc3e92339d3720214576ee78d7546292f985d5a06ee20c19aa6aea20344
        SHA512: 847910825012e426315c64fe5f949d63bcb3c60b51111c413198cc056e4ebc8475bf9c07b1cb021a82d8050b805606c1530a6431a8da5f5021b60e81dd56b37e

      • C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat
        Filesize: 87B
        MD5: 0f0c1382d77519a4e9b29d9aa39e786b
        SHA1: e230967a14b0854d217ebdbbd571f7bae14ba176
        SHA256: 1bff5ed332b1fb57070372efa426bdb201534c2050cb16dd68c86e8595bf727a
        SHA512: 8435f2224ffe087669e382746587c4f583a15c1f0fa5939849882aecff136c1a55557171a6f17e3b66a0fc0d0067888de40ec02dcc70b86e35ee49c841cb2556

      • C:\Users\Admin\AppData\Local\Temp\OiLi34xpVR.bat
        Filesize: 211B
        MD5: b3b57bab7b63c22bcf2b455bc0349881
        SHA1: 75297a203c7b425037c7d5ebf457fb7feed58c94
        SHA256: e51ef290085e1b2c8e83bdee52aac937f9cb78cf7285a269cc6c0ab705fe784f
        SHA512: 4c254ea8f77867479dec2c8c1d8360246363ee6e0789f916734c1eb74eac88b4cefa9f567df395643b86bd0b40db28197ed215436fc094591c7f5606c412c0e4

      • \ComponentSavesinto\fontReviewsavesinto.exe
        Filesize: 1.6MB
        MD5: 5b7391cd38f6218cd0e5c8f3899ab4dd
        SHA1: c8fe062863454f2170cb5add5e38733311c48066
        SHA256: 4fa8244e62b244b9f543363577dbab6f4765809c4e4b09de4d42bd0b05384ff9
        SHA512: a29e0820f2188af78133ba0ac8c1fa86a0f76038b222e15cbeb5167d1eb5f2a5e959d2ce5081fe694c458a204d1a222f92aea35d1049096807ccf25c68113d67

      • memory/768-32-0x00000000011A0000-0x0000000001338000-memory.dmp
        Filesize: 1.6MB

      • memory/2384-13-0x0000000000180000-0x0000000000318000-memory.dmp
        Filesize: 1.6MB