Overview

overview

10

Static

static

10

lfcdgbuksf.exe

windows7-x64

10

lfcdgbuksf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lfcdgbuksf.exe

  • Size

    1.6MB

  • MD5

    8c6e4c86c216b898f24ff14b417c4369

  • SHA1

    266e7d01ba11cd7914451c798199596f4d2f7b53

  • SHA256

    858fff104da670b640eff2a93b7fa4b794ae554c30a409864d00f3b7ecc1e09f

  • SHA512

    3f6416bf0b7989b522d399e151cc755783b9b7afe9cde559f8207fad6c043e24f85b22c3a583329e1620e862c7824249c536209b6be5e093a2b580c2fc52f660

  • SSDEEP

    24576:o2a0H/WPj+rsO6AOhaDxL/aySUYj79FcPX6t1:va0SKsOP1L/KzEP

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lfcdgbuksf.exe
    "C:\Users\Admin\AppData\Local\Temp\lfcdgbuksf.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EKWIzsz24d.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3704
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:4156
          • C:\Users\Admin\AppData\Local\staticfile.exe
            "C:\Users\Admin\AppData\Local\staticfile.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4852

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\EKWIzsz24d.bat
        Filesize

        219B

        MD5

        1c358307dd2a922b2fe0e95c36a0bd91

        SHA1

        afefd37edbf40bb3cec1a4b7e58a2b792a4f83f6

        SHA256

        8403741c8b2d6f0a1617aa638b8aa47afec3764f69904120a4f14ce133221c93

        SHA512

        2aa13ded8f8379b792f0732810d5345ec022da31e1d38544dc49b269750439da47a48faaec7a27e51b8cfeb960b6d720003de4ed0a90f5b47c7ad485b9992230

        Download Submit

      • C:\Users\Admin\AppData\Local\staticfile.exe
        Filesize

        1.6MB

        MD5

        8c6e4c86c216b898f24ff14b417c4369

        SHA1

        266e7d01ba11cd7914451c798199596f4d2f7b53

        SHA256

        858fff104da670b640eff2a93b7fa4b794ae554c30a409864d00f3b7ecc1e09f

        SHA512

        3f6416bf0b7989b522d399e151cc755783b9b7afe9cde559f8207fad6c043e24f85b22c3a583329e1620e862c7824249c536209b6be5e093a2b580c2fc52f660

        Download Submit

      • memory/3988-17-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-5-0x00000000031E0000-0x00000000031FC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3988-19-0x0000000003210000-0x000000000321E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3988-6-0x000000001BDE0000-0x000000001BE30000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3988-8-0x0000000003340000-0x0000000003358000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3988-10-0x0000000003360000-0x0000000003376000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3988-12-0x000000001BE30000-0x000000001BE42000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3988-13-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-21-0x000000001C070000-0x000000001C0BE000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3988-14-0x000000001C3A0000-0x000000001C8C8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3988-0-0x00007FF80F383000-0x00007FF80F385000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3988-4-0x0000000003200000-0x000000000321C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3988-16-0x000000001BF10000-0x000000001BF6A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/3988-22-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-28-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-29-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-30-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-33-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-2-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-1-0x0000000000FF0000-0x000000000118C000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4852-45-0x000000001BEC0000-0x000000001BFC2000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4852-46-0x000000001CC60000-0x000000001CD75000-memory.dmp

        Filesize

        1.1MB

        Download