Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-12-2024 08:16

General

  • Target

    766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe

  • Size

    987KB

  • MD5

    8f81ac89b9f6dbccf07a86af59faa6ba

  • SHA1

    0d97a27bacaae103f2f15637f623d3d13a568d91

  • SHA256

    766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a

  • SHA512

    452c04ec647dd84123ffb84f1ff37aef81057edf0c1a069113d0b1d89f2462c373301aa84355d0fafd8bb6c4b3d4b6bf580952f29189157edaea376711be16ea

  • SSDEEP

    24576:2TbBv5rUyXVUxJMVI3SyKnUh9E1bm67+f:IBJcJMrEh9mbc

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe
    "C:\Users\Admin\AppData\Local\Temp\766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Intorefnet\hyperBlockCrtCommon.exe
          "C:\Intorefnet/hyperBlockCrtCommon.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1476
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S5ycJkoYQs.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3388
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2368
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1380
              • C:\Recovery\WindowsRE\explorer.exe
                "C:\Recovery\WindowsRE\explorer.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:212
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3376
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    8⤵
                    PID:3516
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                      PID:3660
                      • C:\Recovery\WindowsRE\explorer.exe
                        "C:\Recovery\WindowsRE\explorer.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3644
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat"
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4340
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                            PID:3552
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                              PID:4812
                              • C:\Recovery\WindowsRE\explorer.exe
                                "C:\Recovery\WindowsRE\explorer.exe"
                                10⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:4984
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D1HctEwNfs.bat"
                                  11⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3912
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                    PID:4088
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:3092
                                    • C:\Recovery\WindowsRE\explorer.exe
                                      "C:\Recovery\WindowsRE\explorer.exe"
                                      12⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:4032
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KduBpxWBgt.bat"
                                        13⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:1004
                                        • C:\Windows\system32\chcp.com
                                          chcp 65001
                                          14⤵
                                          PID:1852
                                          • C:\Windows\system32\PING.EXE
                                            ping -n 10 localhost
                                            14⤵
                                            • System Network Configuration Discovery: Internet Connection Discovery
                                            • Runs ping.exe
                                            PID:832
                                          • C:\Recovery\WindowsRE\explorer.exe
                                            "C:\Recovery\WindowsRE\explorer.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat

    Filesize

    84B

    MD5

    7fef6d8e0a11e2dec6af7a0e3b952b06

    SHA1

    b95534abb31712b49087005da4cdd4c92fe35edd

    SHA256

    6bb327123f7ec740bb03b3405c5cd790199ba132091d1ceae4f098a29c0e9592

    SHA512

    2c19d8ac297e3e0d790f844aedac3be3934a274ba834b66f36994ccdfd8e8c49b836d7a0df1e28de999cec7e1b5984a90199f4e08bc30d8113c4852fb9a27703

  • C:\Intorefnet\hyperBlockCrtCommon.exe

    Filesize

    673KB

    MD5

    88475ffcf70bafda27644064bd214f2a

    SHA1

    650deb8eee1f3614ff924c2ac5dad5a2f230dce1

    SHA256

    f2bd4f56c501098299b88cefecfd79e763d95d801016eaaf4e2707c5ffc7c767

    SHA512

    c3e7c4d38d43571fd81926aecf3f0bd75f728f1e7056af02955eed96bea67efd30f295089300df809841c0565a9ea4aa793e2f5c6b93e3eb86132cccc267376f

  • C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe

    Filesize

    206B

    MD5

    926c428eaa357b6ff5474252ee2821fe

    SHA1

    623205127383f9cc804a3af035448cc396e704e3

    SHA256

    80675c3ae85f284b0e291b368560cc5727d416f1f52577e6505db41b0add9bc1

    SHA512

    cdb460848edbc5b8053b0b5211fce7d5f5eb92b347526b3e1d98becbfe1d4f8fb277ac3c58eab64b532f57c4c3b6f5642a9fad04c22f2910eecb0633079fb4ac

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

    Filesize

    1KB

    MD5

    04d89472c65d3bbaa3a172551b5c71e1

    SHA1

    b9f21e7cac5c00602ee172f2752c568d5dd26121

    SHA256

    e8d0e562df3559ad023471fd3ea147e4c3892365b0dfcf0632dfa9c98336e105

    SHA512

    665109418a1f4bf3f54bf4b87321595a3acf8114d5e2874db245b00b41dc98cfbcb77a2542f711a9146c849bfbf7163bcab286f8fc1774a48cf39b611cddee8f

  • C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat

    Filesize

    210B

    MD5

    a821b1a70f330134b73b5e1ca2c2e95a

    SHA1

    da0a1dafe59a3ac822f3153d5d5c03304d63a937

    SHA256

    e40229b714d746e2cf4d20cd71c937f81cff1dd50d6ec62dba98e46b09cfccc7

    SHA512

    a645199ab480ddacaab64e9b05b4ed0e333fd362a58a5d69b951741755fc32be29682023966b269997d28b326132d862c4ae1030399b4debfbe18a5fd76bb4fb

  • C:\Users\Admin\AppData\Local\Temp\D1HctEwNfs.bat

    Filesize

    162B

    MD5

    258cbaea6b1866c021a2b5194e384227

    SHA1

    28f056e6ad8517bc33062f80318840f328112d5e

    SHA256

    0beb7b6e0c495c1d3a4343c03d4bc6c69bad90c4f4f6c02b887e80d79d6a90ff

    SHA512

    42a10e87d584387eb74cbb035eabe598961c14d9e0c2091a2da3a06a9f2ce469cad9f49ac322fca709627015243d6f6e39e8a3e7e5c7fe58430878f6f0c348d5

  • C:\Users\Admin\AppData\Local\Temp\KduBpxWBgt.bat

    Filesize

    162B

    MD5

    b96ee34f6fcce7109ae6c1c8a2b0ac75

    SHA1

    33d291e21f4b2738bc170385b1028a46964112cb

    SHA256

    4a3e3c30d415a020aabe319f49957d36d1b0116c576ceccafa98380db798f07a

    SHA512

    065703bae4d6559571dd59f474c9d7669ce5048d3b1994b0866e83b02688eb3c5ec58e601e572a624beaf58f2121dc3ce7cad3a7fee3595032ad3670dd53b4a2

  • C:\Users\Admin\AppData\Local\Temp\S5ycJkoYQs.bat

    Filesize

    162B

    MD5

    521e8fc71c1f4019587fe1ca187a7643

    SHA1

    38650df0bfad0d1c00b8ba778c953be1d0538685

    SHA256

    9b0a493730e4a11b8b7e71e235d05e01a5a60e53ca14fd8dd69ccf0ffcf7462a

    SHA512

    554b4889e067f1398ad9c25188f87a9a12b53ef43156bbb10994b9c31bf554a592b348a18cae3ad09f9634694af761826734feef1e5cc05234f11678733a7092

  • C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat

    Filesize

    210B

    MD5

    9a472e9c30354cdeeac4493f4933ae79

    SHA1

    29e58fff611a520d1fdb44ecc182714dbea51f30

    SHA256

    1025f437e17beaf8ead11510223679a9949ddfbfd1a258b06e3d6354e5d8ccf4

    SHA512

    2ce07500f14704386092a1a9d71f015bd7b8723110fc2055fb3081c3827c36ebdaeeb574d745c266319a92744ec04cbb9de4440abae60e1f8062f8dd207f801f

  • memory/1476-12-0x00007FFCBFA33000-0x00007FFCBFA35000-memory.dmp

    Filesize

    8KB

  • memory/1476-18-0x00000000024C0000-0x00000000024D8000-memory.dmp

    Filesize

    96KB

  • memory/1476-16-0x0000000002510000-0x0000000002560000-memory.dmp

    Filesize

    320KB

  • memory/1476-15-0x00000000024A0000-0x00000000024BC000-memory.dmp

    Filesize

    112KB

  • memory/1476-13-0x0000000000360000-0x000000000040E000-memory.dmp

    Filesize

    696KB