Overview

overview

10

Static

static

3

b02038aa2e...05.exe

windows7-x64

10

b02038aa2e...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b02038aa2ee3194542d8e062aedcbb66015051ae31d5c0ec6a68dd7a26ef6205.exe

  • Size

    4.2MB

  • MD5

    2608e3e0677de70d9e1eb6b108f7bdfd

  • SHA1

    c7d42a6abb29fcbde1cdc13f681d449ced6b8a50

  • SHA256

    b02038aa2ee3194542d8e062aedcbb66015051ae31d5c0ec6a68dd7a26ef6205

  • SHA512

    e1664a02f3e0b101ada2ef5af8fdebc4b75aecc795c1fa04cab36e7b478c11516d8daba1f65159ad7d8c2b9680dd771fac5ba24218b861807851042f1ba82c9d

  • SSDEEP

    49152:2chlG/HMHyN4pAEx/7dvDhzETOIntW9y3yP2QAuxQzxEzwYjiwVTkO2kZBtk8hJq:

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b02038aa2ee3194542d8e062aedcbb66015051ae31d5c0ec6a68dd7a26ef6205.exe
    "C:\Users\Admin\AppData\Local\Temp\b02038aa2ee3194542d8e062aedcbb66015051ae31d5c0ec6a68dd7a26ef6205.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\sqls102.exe
      "C:\Users\Admin\AppData\Local\Temp\sqls102.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Users\Admin\AppData\Local\Temp\drivEn102.exe
      "C:\Users\Admin\AppData\Local\Temp\drivEn102.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\browserFont\TGs0Esj.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\browserFont\mb1tDxvM2A2eBj7RCoqZN.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\browserFont\surrogateProviderRuntime.exe
            "C:\browserFont/surrogateProviderRuntime.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5GcyhGFLdh.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1808
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:2876
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2792
                • C:\Program Files (x86)\Uninstall Information\taskhost.exe
                  "C:\Program Files (x86)\Uninstall Information\taskhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5GcyhGFLdh.bat
      Filesize

      185B

      MD5

      e996356ecf8f0dfc02050400ac94b9c4

      SHA1

      3cda80b91166fc3c8f0397b68bb20bf436193f7b

      SHA256

      1e01a1a18c8cc9255e83afa66da32c24ba1dfe719a87f6e60d5cb6006729eca8

      SHA512

      1976c52f57900ad8649504a824b3400caf4dbb7dca030d8a7e938a865e8e387467a1e8c43386151b5ffe82d2d9f5ed8278ee0cee42c50aa3ee6489f3e0edd6d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\drivEn102.exe
      Filesize

      1.4MB

      MD5

      c04481d4d848f2edb537085ffdef01c5

      SHA1

      d0c1d5c2efdc1460b577720eb633c23876ada172

      SHA256

      a9cefa666264302fae07664e374cc1cf3b29a956f1da1219013853c66b4b0c46

      SHA512

      f3edf74e3ee0438999a64496cafa5a6485efae74f54674d73a2b4979de0483c896e28fab2376c40399d9cd6d627c56fefe5c652ed00671487250dacb7a05833c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sqls102.exe
      Filesize

      130KB

      MD5

      f27a284ef9b018cdd2a98a7b78ccdcb3

      SHA1

      67e260b11e6227c18cae8925b4f6899103c607f2

      SHA256

      af86dc3f76d39b67b967a3b714e9e70ed43eec8d3871e9691cb45d84372b53fb

      SHA512

      9a8811f13517748539308a70933b126a3348407f397bf30f903019379f927532c64015853b94acf21bdbc554d638a0265d4394d026e289103db06fe93fe5524b

      Download Submit

    • C:\browserFont\TGs0Esj.vbe
      Filesize

      211B

      MD5

      fc357bcdbf37df98247d511ccd38d22d

      SHA1

      0c4678b855b654c4a7182acec115482f3c7e4c5c

      SHA256

      41e73fcfa7fda29c62dd424e2eef794ba21c69239a1d0e4f92f29257162d4dc1

      SHA512

      d5370ef435382cd3192cd2b79374b270cf107b3f87132c8b09ce159603062c7f331f8b155a90789a68eaae85908bb9a3a1593247594f215412018ad0b061879d

      Download Submit

    • C:\browserFont\mb1tDxvM2A2eBj7RCoqZN.bat
      Filesize

      85B

      MD5

      6bf7667bb9a6e818187ce67416332560

      SHA1

      57ebd093a1349a374aa13851cd1ff437b0c8fe14

      SHA256

      8ca638a3493bfef0418b1abc231eeac08d86f64853cbbf0ba8ad0d3d0d400d76

      SHA512

      1105eb7d88058d4a646a4cc0937c813ecbb36a988ce66e739a8b24147f2038860ed9f2ca4486ed7233d79692bdc2ee9ca933b3b00d8233d91fc3f9447f93a0be

      Download Submit

    • \browserFont\surrogateProviderRuntime.exe
      Filesize

      1.6MB

      MD5

      418fcd513c372d02a740a87d9c4d0d5f

      SHA1

      32180f6394d72e1f5ca2cfebbe683b6fbcb8da34

      SHA256

      67c96692f7eff8187ab7a8d54cb15cfa9ae91732c72a6bac093982d1b4838411

      SHA512

      6eb8ebc542e8653e4ef8133c23c3618cd12203adbc6761fb7871b0c1df65609182fec13536cf28687db618b7c9a21dd06f90f77018c4cc3e778cc7136cc07458

      Download Submit

    • memory/1708-48-0x0000000001220000-0x00000000013B8000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2156-0-0x000007FEF600E000-0x000007FEF600F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2156-3-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2156-7-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2156-13-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2692-28-0x00000000012B0000-0x0000000001448000-memory.dmp

      Filesize

      1.6MB

      Download