Overview

overview

10

Static

static

3

96a676b5a4...29.exe

windows7-x64

10

96a676b5a4...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2024 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe

  • Size

    1.0MB

  • MD5

    7b4ad4dbf6e4580b8f8c77b4cee261c3

  • SHA1

    a0ec2acea793dda997a3dfa1c869c66a3122341f

  • SHA256

    96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29

  • SHA512

    3349cad638cf58a3c15b7a16df797b15dc528dc181d5133b654312d8155a3dcaa2b239abfb44d55b0d5ef11f932da15683275f36052ee7ade43c390b04a2bf00

  • SSDEEP

    24576:a9yzNBe14PPPDj5pGSZb1iUyJxuxqH1jznDyLyF8pb5RG846Eg4Pi9:he1UPpp/1iVJxuxk1neLyQOp6ErPM

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 4 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe
    "C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe
      "C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe"
      2⤵
        PID:2176
      • C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe
        "C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe"
        2⤵
          PID:2304
        • C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe
          "C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe"
          2⤵
            PID:532
          • C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe
            "C:\Users\Admin\AppData\Local\Temp\96a676b5a46cd2272459d16c6ba3bacb0c8d3f47059aeb08a94cefd2c9fa3f29.exe"
            2⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Users\Admin\AppData\Roaming\Yn5N0ejU23.exe
              "C:\Users\Admin\AppData\Roaming\Yn5N0ejU23.exe"
              3⤵
              • Executes dropped EXE
              PID:336
            • C:\Users\Admin\AppData\Roaming\zgWUToSpXG.exe
              "C:\Users\Admin\AppData\Roaming\zgWUToSpXG.exe"
              3⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2448
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mDw5KalQvL.bat"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2780
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  5⤵
                    PID:2644
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    5⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:2808
                  • C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe
                    "C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe"
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2324

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\mDw5KalQvL.bat
            Filesize

            181B

            MD5

            409b5a029555748226dc739a87abc8d6

            SHA1

            c6ee08ee2e767b16a5ad33926ac6a5ce6af86407

            SHA256

            78d0850fb846c9b398da431e8ba65ded5750951e85ef7e8eea298b6333cbe8c2

            SHA512

            f3e59127f6a8145d109ac1afcbe996b0d7353cf5411609af5e63ef8e081e7bedec22318439e65bd5593a2ff79ced3f544f619bb954fdfd4d8abe0c199e8d67d0

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Yn5N0ejU23.exe
            Filesize

            18KB

            MD5

            f3edff85de5fd002692d54a04bcb1c09

            SHA1

            4c844c5b0ee7cb230c9c28290d079143e00cb216

            SHA256

            caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

            SHA512

            531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

            Download Submit

          • C:\Users\Admin\AppData\Roaming\zgWUToSpXG.exe
            Filesize

            675KB

            MD5

            314420bac969bcfb9510a0e8cc3686d6

            SHA1

            66f1d0a60a2727970476a105c88883f37270e30f

            SHA256

            38b9cc3ccae02c270e3d62e62e3b3b40e90ad7f898372b8a5035445ba32f4b26

            SHA512

            debf908add95aa0849451aef830e5e71724247d352dcb5dad6b02dca0d54e4e915a9430de80d970a4e7ef3749eb2fc7c6fa7839348d84f546d5934d713e7569c

            Download Submit

          • memory/340-0-0x00000000001AD000-0x00000000001AE000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2324-56-0x0000000000B10000-0x0000000000BC0000-memory.dmp

            Filesize

            704KB

            Download

          • memory/2448-33-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2448-53-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2448-32-0x0000000000FD0000-0x0000000001080000-memory.dmp

            Filesize

            704KB

            Download

          • memory/2448-31-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2448-35-0x00000000002B0000-0x00000000002CC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2448-37-0x0000000000550000-0x0000000000568000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2568-14-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-12-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2568-8-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-5-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-1-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-7-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-28-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-4-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-16-0x0000000000190000-0x0000000000296000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2568-15-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download

          • memory/2568-6-0x0000000000400000-0x00000000004E6000-memory.dmp

            Filesize

            920KB

            Download