Analysis

  • max time kernel
    19s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2024 19:31

General

  • Target

    iagj6m.exe

  • Size

    2.1MB

  • MD5

    468eaabf32f5b160b19b6ccbd88fadae

  • SHA1

    d8a2f93188429d790bd43f6dee836c96c287a57e

  • SHA256

    67a88132279e0e1d1febaa02fca35e77766d0adf1fefacda3c922174428a2f70

  • SHA512

    a7db93826a7193e7f4c890c180cb7a1cf71d12884b992cf29aa90faf3351c97f54797f5ecb52a91639219d707f8619c1d0ab04e663499ee6c4b281b2dd3780b6

  • SSDEEP

    49152:IBJoehuClT3DpSX+KfJunl9CJ0ouJfK2CKaKWdIuqKs:yyehTLFFKonPJapIF

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
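
Detection logic for the PowerShell exclusion signature above, as an added example that is not part of this report: it pulls every -ExclusionPath / -ExclusionExtension / -ExclusionProcess value out of Add-MpPreference and Set-MpPreference command lines and rates each one. The events are constructed from the six command lines in the process tree below (same PIDs) plus three invented entries; the pid/image/cmdline field names are an assumption rather than any vendor's event schema, and the "unusual location" roots are an assumed policy, not something the report states.

```python
"""Parse Defender exclusion changes out of PowerShell command lines and rate them.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the six Add-MpPreference command lines in the report (same PIDs) plus
three invented entries; the pid/image/cmdline field names are an assumption,
not any vendor's event schema, and the location heuristics are an assumed policy.
"""
import re
from pathlib import PureWindowsPath

MP_CMDLETS = ("add-mppreference", "set-mppreference")

# One -Exclusion* parameter and its value; the value runs until the next
# parameter, a ';' command separator, or end of line. Lists are split later.
_PARAM_RE = re.compile(
    r"-(?P<param>ExclusionPath|ExclusionExtension|ExclusionProcess)\s+"
    r"(?P<value>.+?)(?=\s+-[A-Za-z]|\s*;|\s*$)",
    re.IGNORECASE,
)

# Extensions that should never be blanket-excluded from scanning.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".hta"}

# Roots where a per-file exclusion is rarely legitimate (assumed policy; the
# report's sample uses Users\Public and MSOCache).
UNUSUAL_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\msocache\\", "c:\\windows\\temp\\")

# Windows binaries that only live under \Windows\; the report shows copies with
# these names dropped elsewhere and then excluded.
SYSTEM_BINARY_NAMES = {"conhost.exe", "csrss.exe", "audiodg.exe", "wmiprvse.exe", "taskhost.exe",
                       "svchost.exe", "lsass.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                       "services.exe", "dwm.exe", "explorer.exe", "spoolsv.exe", "dllhost.exe"}
_WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def parse_exclusions(cmdline):
    """Return [(param, value), ...] for every exclusion the command line adds."""
    if not any(c in cmdline.lower() for c in MP_CMDLETS):
        return []
    found = []
    for m in _PARAM_RE.finditer(cmdline):
        for value in m.group("value").split(","):
            value = value.strip().strip("'\"")
            if value:
                found.append((m.group("param").lower(), value))
    return found


def assess_exclusion(param, value):
    """Return the reasons an exclusion looks like defence evasion (empty list = nothing notable)."""
    reasons = []
    lowered = value.lower()
    if param == "exclusionextension":
        ext = lowered if lowered.startswith(".") else "." + lowered
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"blanket exclusion of executable/script extension {ext}")
        return reasons
    path = PureWindowsPath(value)
    if re.fullmatch(r"[a-z]:\\?", lowered):
        reasons.append("exclusion covers a whole drive")
    if lowered.startswith(UNUSUAL_ROOTS):
        reasons.append("exclusion in a user-writable or unusual location")
    if path.name.lower() in SYSTEM_BINARY_NAMES and not _WINDOWS_DIR_RE.match(lowered):
        reasons.append(f"{path.name} masquerades as a system binary outside \\Windows\\")
    if param == "exclusionpath" and path.suffix.lower() == ".exe":
        reasons.append("path exclusion names a single executable")
    return reasons


def scan_events(events):
    """Return [(pid, param, value, reasons), ...] for suspicious exclusions in PowerShell process events."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        for param, value in parse_exclusions(ev["cmdline"]):
            reasons = assess_exclusion(param, value)
            if reasons:
                findings.append((ev["pid"], param, value, reasons))
    return findings


def _ps(pid, cmd):
    # Process-creation event shaped like the report's entries (64-bit PowerShell image).
    return {"pid": pid, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "cmdline": '"powershell" -Command ' + cmd}


SAMPLE_EVENTS = [
    # From the report's process tree.
    _ps(2636, "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe'"),
    _ps(2548, "Add-MpPreference -ExclusionPath 'C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\audiodg.exe'"),
    _ps(2812, "Add-MpPreference -ExclusionPath 'C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe'"),
    _ps(2772, "Add-MpPreference -ExclusionPath 'C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe'"),
    _ps(2664, "Add-MpPreference -ExclusionPath 'C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\conhost.exe'"),
    _ps(2864, "Add-MpPreference -ExclusionPath 'C:\\Medal\\Medal.exe'"),
    # Invented: a blanket extension exclusion, a vendor-directory exclusion, and an unrelated command.
    _ps(9001, "Set-MpPreference -ExclusionExtension exe,dll"),
    _ps(9002, "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Microsoft SQL Server'"),
    _ps(9003, "Get-MpPreference | Select-Object ExclusionPath"),
]

if __name__ == "__main__":
    for pid, param, value, reasons in scan_events(SAMPLE_EVENTS):
        print(f"PID {pid}: -{param} {value}\n    " + "\n    ".join(reasons))
```

Note that the conhost.exe path sits under "Windows NT" inside Program Files (x86), which is not the \Windows\ directory; a naive "contains windows" check would miss it. Command-line capture is not the only signal: Defender itself records every configuration change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, and Get-MpPreference on the host shows the resulting exclusion lists, so both should be checked when the process command line was not logged.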

Processes

  • C:\Users\Admin\AppData\Local\Temp\iagj6m.exe
    "C:\Users\Admin\AppData\Local\Temp\iagj6m.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Medal\VILORd6SoVoEmyMpC3WEu.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Medal\xWGevBghcv54H0hXBv7583OlcwEyHK.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Medal\Medal.exe
          "C:\Medal/Medal.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rayyihlw\rayyihlw.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2BA.tmp" "c:\Windows\System32\CSCD0DF37EF7FC7420792D4F1666CB890BE.TMP"
              6⤵
                PID:2880
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2636
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2548
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2812
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2772
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\conhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2664
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Medal\Medal.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2864
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gYSuYyanDc.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1640
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1360
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1976
                • C:\Program Files (x86)\Windows NT\TableTextService\it-IT\conhost.exe
                  "C:\Program Files (x86)\Windows NT\TableTextService\it-IT\conhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1800
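
The process tree above shows three chain patterns worth hunting for independently of this sample's hashes: a dropped executable reached through WScript and cmd, a batch file that pings localhost as a sleep and then launches a binary from an odd directory, and csc.exe compiling a response file out of %TEMP% on behalf of a non-system process. The following is an added example, not part of this report, that rebuilds the tree from parent/child PIDs and flags those three patterns. EVENTS is constructed from the tree as shown (the six PowerShell children are reduced to one, since they play no part in these rules); the pid/ppid/image/cmdline field names are an assumption, not any vendor's schema.

```python
"""Rebuild the process tree from the report and flag the execution-chain patterns in it.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree (PIDs, parent PIDs, images and command lines as shown;
the six PowerShell children are reduced to one). The pid/ppid/image/cmdline
field names are an assumption, not any vendor's event schema.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\microsoft.net\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# "ping -n N localhost" is the batch-file stand-in for sleep.
_PING_SLEEP_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1)\b", re.IGNORECASE)


def ev(pid, ppid, image, cmdline=""):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline or image}


def basename(image):
    return PureWindowsPath(image).name.lower()


def outside_system_dirs(image):
    return not image.lower().startswith(SYSTEM_DIRS)


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestors(by_pid, pid):
    """Image basenames from pid upward to the root, nearest first."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_patterns(events):
    """Return a sorted list of (rule, pid) findings."""
    by_pid, children = build_tree(events)
    findings = set()
    for e in events:
        name = basename(e["image"])
        # 1. A binary outside the system directories reached through two or more
        #    script hosts (the report: exe -> WScript .vbe -> cmd .bat -> Medal.exe).
        if name not in SCRIPT_HOSTS and outside_system_dirs(e["image"]):
            hosts = [a for a in ancestors(by_pid, e["ppid"]) if a in SCRIPT_HOSTS]
            if len(hosts) >= 2:
                findings.add(("script-host chain", e["pid"]))
        # 2. cmd.exe that pings localhost to delay, then starts a non-system binary
        #    (the gYSuYyanDc.bat pattern: chcp, ping -n 10 localhost, conhost.exe).
        if name == "cmd.exe":
            kids = children[e["pid"]]
            delayed = any(_PING_SLEEP_RE.search(k["cmdline"]) for k in kids)
            launched = [k for k in kids if basename(k["image"]) not in SCRIPT_HOSTS
                        and outside_system_dirs(k["image"])]
            if delayed and launched:
                findings.add(("ping-delay launcher", e["pid"]))
        # 3. The C# compiler invoked by a process outside the system directories
        #    on a .cmdline response file in %TEMP% (compiling code at runtime).
        if name == "csc.exe":
            parent = by_pid.get(e["ppid"])
            if parent and outside_system_dirs(parent["image"]) \
                    and "\\appdata\\local\\temp\\" in e["cmdline"].lower():
                findings.add(("runtime compilation", e["pid"]))
    return sorted(findings)


EVENTS = [
    ev(2236, 0, "C:\\Users\\Admin\\AppData\\Local\\Temp\\iagj6m.exe"),
    ev(2572, 2236, "C:\\Windows\\SysWOW64\\WScript.exe",
       '"C:\\Windows\\System32\\WScript.exe" "C:\\Medal\\VILORd6SoVoEmyMpC3WEu.vbe"'),
    ev(2444, 2572, "C:\\Windows\\SysWOW64\\cmd.exe", 'cmd /c ""C:\\Medal\\xWGevBghcv54H0hXBv7583OlcwEyHK.bat" "'),
    ev(2168, 2444, "C:\\Medal\\Medal.exe"),
    ev(2820, 2168, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
       '"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe" /noconfig /fullpaths '
       '@"C:\\Users\\Admin\\AppData\\Local\\Temp\\rayyihlw\\rayyihlw.cmdline"'),
    ev(2880, 2820, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe"),
    ev(2636, 2168, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
       '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\''),
    ev(1640, 2168, "C:\\Windows\\System32\\cmd.exe",
       '"C:\\Windows\\System32\\cmd.exe" /C "C:\\Users\\Admin\\AppData\\Local\\Temp\\gYSuYyanDc.bat"'),
    ev(1360, 1640, "C:\\Windows\\system32\\chcp.com", "chcp 65001"),
    ev(1976, 1640, "C:\\Windows\\system32\\PING.EXE", "ping -n 10 localhost"),
    ev(1800, 1640, "C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\conhost.exe"),
]

if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for rule, pid in find_patterns(EVENTS):
        print(f"{rule:22} PID {pid:<5} {by_pid[pid]['image']}")
```

The rules deliberately key on structure (who spawned whom, and from where) rather than on the random file names in this sample, which change per build. Rule 1 ignores the root iagj6m.exe because it has no script-host ancestry in the captured tree; on a real host the parent would be the mail client, browser or explorer.exe that opened the lure, and that parent is the pivot for the delivery side of the investigation.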

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Medal\Medal.exe

        Filesize

        1.8MB

        MD5

        e27a4488cb35703f406fcf3a038a86c4

        SHA1

        926513f3ccca7cc4a86f281670cc9be1fdd4c613

        SHA256

        2dfeb67e47b8cf7b46385dc64ff9f48d88ca15699d6615151b2ba668bccf251b

        SHA512

        9fb695f3300f1b0a0edbc5413181230cf0d5eefcd09310e12f3e7b8b969332ebcb639a3944e4496e7b55b9e929823edb86ff21d59f92ed72fa5de7717aba9793

      • C:\Medal\VILORd6SoVoEmyMpC3WEu.vbe

        Filesize

        213B

        MD5

        7469cc785296b1098b2d6816c0140169

        SHA1

        081467bcc09dc566bdff78cd199e35a13fd188fe

        SHA256

        52a3703c926b912943a2a5e9e66ffb080d985237c92fd8b0beea41f37c028e1f

        SHA512

        ac69e60cef79a1699d28bd7b29fda647d2a285ff06bcb5be7be339311707872eff4e3b897f7da719fb7174efa7b72e764df6e9a7ce61afab4893cfc76655428d

      • C:\Medal\xWGevBghcv54H0hXBv7583OlcwEyHK.bat

        Filesize

        65B

        MD5

        f6c7cc62995e59628450f6b7e52837a3

        SHA1

        613a43f04cbd78f1d64343d66d9c41c2cd5d9f1d

        SHA256

        e5425359b32df369118a828185f523bdb19aee3039bdfab47d576e9b0903c3c3

        SHA512

        5b07a22c6afc546b15b573100538c3fc4a4b748860a5e3e37b02e93d75ed5c1a6d2cfc275e144b22d4327505719ff4c6aa65abb483472d352fc99694eaa0a89b

      • C:\Users\Admin\AppData\Local\Temp\RESD2BA.tmp

        Filesize

        1KB

        MD5

        94fe05f1c6504dc524ab4fbc987ad799

        SHA1

        75332610eb051eced5b663f8279450237afaea98

        SHA256

        d34868ec67cdaeeda10f7e37a85f8f90e317b5906d1c368644270abc9446e8a9

        SHA512

        0436b33e0f4a1ad84706f4ecc7a691486dacbe04d367590bf041baf9751bb6e11f34b57312e25cfde0afef9063244d96263ae601d0fe8fa626bc9f3fe100f4a2

      • C:\Users\Admin\AppData\Local\Temp\gYSuYyanDc.bat

        Filesize

        196B

        MD5

        ff91101f0201426a6e1ef1ce2277f57e

        SHA1

        43b27a43a38fd4b5cff30c3ef62fffb46bbe5c3a

        SHA256

        75136b8afe3005f903707f4450f90f9f76768120518cea07ad8c99e514df75ca

        SHA512

        bb3108913ce9239af1d92437adfa3894d974674a0a94d55bf26be27f6589b0f125fefac5227aeecab8f1f533640e14c4a6d29c0e35cb6bd771dbe1fb4b44abed

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        f9f3934810c2a2f6d5fc400fb53fb893

        SHA1

        d19f828c3778dd5c45970abfc00bae95b3b5f718

        SHA256

        73a3bde331c465c90ee25e8a9574db770cf2046d304f872c0b21a03152331bda

        SHA512

        a9e5b28c40373eb202128489ae1e0973896b6b36aafc5c2b8a0d6fe5543eecc2b918cde069cd115d1e3fbda01e39eb2345da1827c7d4b00ae5cbca70fb599b31

      • \??\c:\Users\Admin\AppData\Local\Temp\rayyihlw\rayyihlw.0.cs

        Filesize

        382B

        MD5

        38546a9f97ee88a8fc26f3afab9f98d7

        SHA1

        23281e32a8092cbabe7480460c7e1992c19c0007

        SHA256

        180b3760cd46569dc746e0477a0175f17ee00174c779ea27f7ad2dbf3ca056b5

        SHA512

        513055ca82c099dc7781f120a5d178f77f1839574058d44c1e6917b41ab4c072fdc0e6f6a232910920b0ecbee2fa2b0e1a4383d08af8cc451dbae00f53312d10

      • \??\c:\Users\Admin\AppData\Local\Temp\rayyihlw\rayyihlw.cmdline

        Filesize

        235B

        MD5

        22a8da1fe5e56c2a6de64a014d45fc64

        SHA1

        c484272e4c7e3514f8fb3604f3854c97e4588e2f

        SHA256

        1dcde761dc3a0a75b829efe4985352612adfd9b1a3f47af8c2027f8b8a497f21

        SHA512

        86978ba6c2d05ea0011f947b71cb26df01c587c5cea3e88e6df0d66aa6b61a74d881939fc978b552952ae079dd8fd35fe701afc72e8f4123cdc1e911e1a5c8e1

      • \??\c:\Windows\System32\CSCD0DF37EF7FC7420792D4F1666CB890BE.TMP

        Filesize

        1KB

        MD5

        8c85ef91c6071d33745325a8fa351c3e

        SHA1

        e3311ceef28823eec99699cc35be27c94eca52d2

        SHA256

        8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

        SHA512

        2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

      • memory/1800-83-0x00000000012D0000-0x00000000014AA000-memory.dmp

        Filesize

        1.9MB

      • memory/2168-21-0x0000000000290000-0x000000000029C000-memory.dmp

        Filesize

        48KB

      • memory/2168-19-0x0000000000450000-0x0000000000468000-memory.dmp

        Filesize

        96KB

      • memory/2168-17-0x00000000002B0000-0x00000000002CC000-memory.dmp

        Filesize

        112KB

      • memory/2168-15-0x0000000000280000-0x000000000028E000-memory.dmp

        Filesize

        56KB

      • memory/2168-13-0x0000000000E70000-0x000000000104A000-memory.dmp

        Filesize

        1.9MB

      • memory/2548-68-0x0000000001E10000-0x0000000001E18000-memory.dmp

        Filesize

        32KB

      • memory/2772-63-0x000000001B540000-0x000000001B822000-memory.dmp

        Filesize

        2.9MB