Overview

overview

10

Static

static

3

8ac4f1dcdf...c7.exe

windows7-x64

5

8ac4f1dcdf...c7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe

  • Size

    3.9MB

  • MD5

    5db95c4de9b6e98c653ac3dec5dce83d

  • SHA1

    c3e1cb98b5450d21c8e9e975148c282afcf4ccae

  • SHA256

    8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7

  • SHA512

    42e5504904f0db4e62d56c03c8e7e302df0eba488a966259aa686e7d952db8a25eb56b5ac72731400cfd2541b6429d82e95e3bb8e87565bdf0cbe2b488c47368

  • SSDEEP

    98304:1VtCpBXG8uKobY22R0pbuov/BXG8uKobY22R0pbuovJ:2ghSRaCo3ghSRaCoR

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe
    "C:\Users\Admin\AppData\Local\Temp\8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Users\Admin\AppData\Local\Temp\8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe
      "C:\Users\Admin\AppData\Local\Temp\8ac4f1dcdf7ce5276d4ee9dbdaeaa4232aa8ad0c383bf804472f156ae2a879c7.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Users\Admin\AppData\Roaming\TCAuymFYVI.exe
        "C:\Users\Admin\AppData\Roaming\TCAuymFYVI.exe"
        3⤵
        • Executes dropped EXE
        PID:5020
      • C:\Users\Admin\AppData\Roaming\L5NekKdnpJ.exe
        "C:\Users\Admin\AppData\Roaming\L5NekKdnpJ.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kMS9V8c0aB.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
              PID:2404
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              5⤵
                PID:4832
              • C:\Recovery\WindowsRE\backgroundTaskHost.exe
                "C:\Recovery\WindowsRE\backgroundTaskHost.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:1164

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\kMS9V8c0aB.bat
        Filesize

        220B

        MD5

        62205ddefd2449eca2495d95a8b182a3

        SHA1

        cce80aeeecab6ce307cdd168f0c974bd1bb03bcc

        SHA256

        c6170b80af36e17529f002502ad4c1faba04a031d9514e1eb46e499618a42a96

        SHA512

        657f94a3dd868564953725f800f2a1cbc7cca0ad18b4206ada7c344e13ce992b0305a679d60fc3f7215c608e6f7ef48e15ee4ef9e9d941a75591ce5dff20750a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\L5NekKdnpJ.exe
        Filesize

        1.6MB

        MD5

        579fd24f4cacc972f63f47214f9c3c34

        SHA1

        20be9c6e9aa29d57b670d6809ffad1786a8508e5

        SHA256

        f80bd8eb42194df565e3152d35bad6a40fdae70e221e9e66873587bffb73d64b

        SHA512

        1a8f7918b931fa10cbc4b47a88405c0b28255360ac27e1d44ba00554186ed20139fbaaa278a362c34a20083f4fff30dc83876c3f382397f831f781fb6a9aab91

        Download Submit

      • C:\Users\Admin\AppData\Roaming\TCAuymFYVI.exe
        Filesize

        18KB

        MD5

        f3edff85de5fd002692d54a04bcb1c09

        SHA1

        4c844c5b0ee7cb230c9c28290d079143e00cb216

        SHA256

        caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

        SHA512

        531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

        Download Submit

      • memory/656-2-0x0000000000400000-0x00000000005DF000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/656-4-0x0000000000400000-0x00000000005DF000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/656-3-0x0000000000400000-0x00000000005DF000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/656-1-0x0000000000400000-0x00000000005DF000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/656-5-0x0000000000820000-0x0000000000C13000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/656-27-0x0000000000400000-0x00000000005DF000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/824-0-0x0000000000856000-0x0000000000857000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1580-40-0x000000001B830000-0x000000001B880000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1580-47-0x00000000023B0000-0x00000000023C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1580-34-0x0000000002370000-0x0000000002396000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1580-35-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1580-36-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1580-38-0x00000000023A0000-0x00000000023BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1580-30-0x0000000000240000-0x00000000003E8000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1580-39-0x0000000002340000-0x000000000235C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1580-42-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1580-43-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1580-45-0x000000001B8A0000-0x000000001B8B8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1580-32-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1580-49-0x000000001B820000-0x000000001B830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1580-52-0x000000001B880000-0x000000001B88E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1580-50-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1580-56-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1580-54-0x000000001B890000-0x000000001B89C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1580-59-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1580-58-0x000000001B8F0000-0x000000001B906000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1580-61-0x000000001B970000-0x000000001B9CA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1580-63-0x000000001B910000-0x000000001B928000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1580-64-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1580-80-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1580-31-0x00007FFAAB723000-0x00007FFAAB725000-memory.dmp

        Filesize

        8KB

        Download