Overview

overview

10

Static

static

10

lfcdgbuksf.exe

windows7-x64

10

lfcdgbuksf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 21:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lfcdgbuksf.exe

  • Size

    1.6MB

  • MD5

    8c6e4c86c216b898f24ff14b417c4369

  • SHA1

    266e7d01ba11cd7914451c798199596f4d2f7b53

  • SHA256

    858fff104da670b640eff2a93b7fa4b794ae554c30a409864d00f3b7ecc1e09f

  • SHA512

    3f6416bf0b7989b522d399e151cc755783b9b7afe9cde559f8207fad6c043e24f85b22c3a583329e1620e862c7824249c536209b6be5e093a2b580c2fc52f660

  • SSDEEP

    24576:o2a0H/WPj+rsO6AOhaDxL/aySUYj79FcPX6t1:va0SKsOP1L/KzEP

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lfcdgbuksf.exe
    "C:\Users\Admin\AppData\Local\Temp\lfcdgbuksf.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ArAzJktLiV.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:468
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:412
          • C:\Users\Admin\AppData\Local\staticfile.exe
            "C:\Users\Admin\AppData\Local\staticfile.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1608

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ArAzJktLiV.bat
        Filesize

        219B

        MD5

        bf5906432f09272a57cf0a06eafd80ea

        SHA1

        aa417cc9bc70b138e8450c5d1260bed785297aa8

        SHA256

        2374a190184ff4fcf8cc2158dabd5f9c7ce047c4cb3b4c39e54a220ff6d9120f

        SHA512

        44df0cb82014d54c486dde682d4032a076c372ffae340797da167ee1d88acef13bd89517c06ba8ecfb65a4d7ff855b2446494170b2ba82acabc99f99d370453b

        Download Submit

      • C:\Users\Admin\AppData\Local\staticfile.exe
        Filesize

        1.6MB

        MD5

        8c6e4c86c216b898f24ff14b417c4369

        SHA1

        266e7d01ba11cd7914451c798199596f4d2f7b53

        SHA256

        858fff104da670b640eff2a93b7fa4b794ae554c30a409864d00f3b7ecc1e09f

        SHA512

        3f6416bf0b7989b522d399e151cc755783b9b7afe9cde559f8207fad6c043e24f85b22c3a583329e1620e862c7824249c536209b6be5e093a2b580c2fc52f660

        Download Submit

      • memory/1608-48-0x000000001D0B0000-0x000000001D17D000-memory.dmp

        Filesize

        820KB

        Download

      • memory/4308-16-0x000000001C1A0000-0x000000001C6C8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4308-19-0x000000001BC70000-0x000000001BCCA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/4308-6-0x0000000003120000-0x0000000003170000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4308-7-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-9-0x0000000001730000-0x0000000001748000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4308-11-0x0000000001750000-0x0000000001766000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4308-12-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-14-0x0000000003290000-0x00000000032A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4308-15-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-0-0x00007FFA102C3000-0x00007FFA102C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4308-17-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-5-0x00000000016F0000-0x000000000170C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4308-20-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-22-0x0000000001720000-0x000000000172E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4308-24-0x000000001BDD0000-0x000000001BE1E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4308-25-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-28-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-32-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-37-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-4-0x00000000016A0000-0x00000000016BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4308-35-0x000000001C7D0000-0x000000001C89D000-memory.dmp

        Filesize

        820KB

        Download

      • memory/4308-2-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4308-1-0x0000000000D40000-0x0000000000EDC000-memory.dmp

        Filesize

        1.6MB

        Download