Overview

overview

10

Static

static

3

ff3ec61937...50.exe

windows7-x64

10

ff3ec61937...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 03:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff3ec61937bba7d0b4fd993698f3d2a8ba77e4630ed293e4a3e3d0254dc1de50.exe

  • Size

    1.7MB

  • MD5

    6697a39548b61fcfcf800b206bdbd696

  • SHA1

    85229cee44c412c1f0f6a17562272a1296072815

  • SHA256

    ff3ec61937bba7d0b4fd993698f3d2a8ba77e4630ed293e4a3e3d0254dc1de50

  • SHA512

    6d0a4dc554e9df2fac49edbf8589e50e891481f6601c1a1e537d0c1243a8d7d873e54f84ccce04edd5346b50857f7601fafeb8856fc3e75d4283581071521572

  • SSDEEP

    49152:IBJMrYgX9QdEa4gVH+pPnyBS8V6HU5NtvAWn2/x:yO3X9QVbIpavZ5NX8x

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff3ec61937bba7d0b4fd993698f3d2a8ba77e4630ed293e4a3e3d0254dc1de50.exe
    "C:\Users\Admin\AppData\Local\Temp\ff3ec61937bba7d0b4fd993698f3d2a8ba77e4630ed293e4a3e3d0254dc1de50.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3580
        • C:\webCrt\Surrogatedll.exe
          "C:\webCrt/Surrogatedll.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4692
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CVkp3Lzwzf.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5088
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4044
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:676
              • C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe
                "C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1604

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CVkp3Lzwzf.bat
      Filesize

      188B

      MD5

      c2c698bd89d2235acd0b5800283a3535

      SHA1

      2150495459c92859b5d73d9f49290f3be120ab8c

      SHA256

      956fb02ae6081bf8531131bc418b47f78acf85b7b720fd971ee72fbc6dc0dc56

      SHA512

      ffaebaedcf37c88794f658a88b828c410c657e2c8c6fdbb46c35003de866a393b2e29974da476ce4b6203e4e7e34a68c487c39366b4ec07f8bac5605589a8e38

      Download Submit

    • C:\webCrt\Surrogatedll.exe
      Filesize

      1.8MB

      MD5

      9fc3ab56804d6ba50e840846783e8ac1

      SHA1

      ed6d70605ebe68934004c571a7f503b1432feb77

      SHA256

      13e5168099ca33f17c96a1f842ded5e99555d0aefed8e4f8efef96fbdcac7bba

      SHA512

      593bbd2ac3d0ac8a445d7cc7214e5f1a8aed2120ab098cbea2e3120a901480e707b45300a81e0e699a82342e516aff31c70026406b48d428d1a82e4d25db5de9

      Download Submit

    • C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat
      Filesize

      86B

      MD5

      94c4e83cdeb3852269278ef44dc2f811

      SHA1

      93f3f8aa1d9ebe13989beb442e06bfe708a6e375

      SHA256

      2b24e9c2ddbbbf496644f38cd4ec9a90d980af7c773f9617e8632f08a0182a0d

      SHA512

      8fbb0ef6de20e68aa47e912fddeea4ee2559db978f15033d6e3f7d5881fed735680d6746df8494471436e3abc0b6e2b478b1290beb1e4c29a2c3602e67322c97

      Download Submit

    • C:\webCrt\gSYhm1mlqujwdrrg55.vbe
      Filesize

      242B

      MD5

      474ab11abe2a295e033dbc94baab19b2

      SHA1

      fc07a5e2f7246d11b9a06d5656fed8a99e0ca24e

      SHA256

      4eba79e794eac54029a51c2b8ad5a012f316bdc92e7ce8ef5018ef8ab726ea2b

      SHA512

      890c9867d3eb6d36ec87a135d204de4a6168b9b3de21f2fda6abd1cff99518e90698870f0d5a78cb97d785125090ddf78543473245dfc2e16b83620147dde910

      Download Submit

    • memory/4692-12-0x00007FF840743000-0x00007FF840745000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4692-13-0x00000000003B0000-0x000000000058A000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/4692-15-0x0000000002630000-0x000000000263E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4692-17-0x000000001B2C0000-0x000000001B2DC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4692-18-0x000000001B550000-0x000000001B5A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4692-20-0x000000001B500000-0x000000001B518000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4692-22-0x0000000002640000-0x000000000264C000-memory.dmp

      Filesize

      48KB

      Download