Overview

overview

10

Static

static

3

8576F95A0E...83.exe

windows7-x64

10

8576F95A0E...83.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 03:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8576F95A0E018025E8B46367AE311E83.exe

  • Size

    4.6MB

  • MD5

    8576f95a0e018025e8b46367ae311e83

  • SHA1

    0d1c5e913dcc60910e454416e3c149c9d05f02f5

  • SHA256

    b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8

  • SHA512

    ef30324c2f5afdfe3639e7322e8e1845e661d55cd4ffff6f7bf65c85e8ac23d5d7c5b92f39d1807c9524a5fb29b21b45249a617f63f0e35ecd3803edd6dc7f30

  • SSDEEP

    98304:d++ALvAvoV3JDBQSBK5f7a6uBt9iofavIah:TmvvV5DpQ7a6ugoCvIw

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8576F95A0E018025E8B46367AE311E83.exe
    "C:\Users\Admin\AppData\Local\Temp\8576F95A0E018025E8B46367AE311E83.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\system32\cmd.exe
        "cmd" /c ipconfig /all
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:2856
      • C:\Windows\system32\cmd.exe
        "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2912
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2404 -s 1128
        3⤵
        • Loads dropped DLL
        PID:2272
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\ComponentReviewperfmonitor\Mscrt.exe
            "C:\ComponentReviewperfmonitor/Mscrt.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NMENkFjCyN.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2976
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:1032
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2004
                  • C:\ComponentReviewperfmonitor\Mscrt.exe
                    "C:\ComponentReviewperfmonitor\Mscrt.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2512

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat
        Filesize

        83B

        MD5

        514f93d92ae221458937c720626b46b3

        SHA1

        608eabeab6fd1b15449452c146dca0e08421b3e5

        SHA256

        630c846609cc08488485cd976ca51355f8c43666d59186df6936747ce06d383f

        SHA512

        83ec92c38be82ffb0e817ac97e545ef8c83c19e891474ca78fe469fe99da63a5e00c38449d04a7de31be543c64a99adb5732d2e7d966eaccc23998666e7aae28

        Download Submit

      • C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe
        Filesize

        216B

        MD5

        27f28b26b1a641e515a8c84280fc4638

        SHA1

        103d1e3b99c8900e4fde8cf88e91e9a30132e614

        SHA256

        7610dec18100d028feb67fd231ced9f363ffcf79a8788d8b37c909c5393bbd58

        SHA512

        aa2025dd4ffa8dd73838d10b6b2bd9b1a197ded1d4aa04645a2e51d33b5ee3d970c8b8dbeebfe2f23d728ccea83d63ca40501822ba57dde477ede93340c398c2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NMENkFjCyN.bat
        Filesize

        215B

        MD5

        9da399b2ebf30875c9e0dcaeeb1a9929

        SHA1

        0ab7299dbe9b5f3b492bf0b487e1023bc7949c51

        SHA256

        e58771bc3b4ec783b151b5b4dfff56c64e83545b8da2918d9139ee927c33521b

        SHA512

        c25cdfab01f705c94421ba1d429c9abdbdcbd09374feea5ff7673fe992cd59031849947eba254176e9c6b7ac6a82444fc0f09d980929dc009d3f55589fc64daa

        Download Submit

      • \ComponentReviewperfmonitor\Mscrt.exe
        Filesize

        3.5MB

        MD5

        e7870cd0c30a52066c454c15a5a5a2f5

        SHA1

        fc64203e05c104a116e7e4c354c9ee77c99737d6

        SHA256

        e4a958444e72eb1b3be02f3a8bf29044a81f328405a4969a4f66515ef219774e

        SHA512

        3e0a40959eaba1fbf3cb7a11707bc658421f3066e4e1beea56088ac213c10524127d4d9e2500e549a1ee608887c113973892d54fb91fae6ea9db4eb9e818bebe

        Download Submit

      • \Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        Filesize

        800KB

        MD5

        02c70d9d6696950c198db93b7f6a835e

        SHA1

        30231a467a49cc37768eea0f55f4bea1cbfb48e2

        SHA256

        8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

        SHA512

        431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

        Download Submit

      • \Users\Admin\AppData\Local\Temp\DCRatBuild.exe
        Filesize

        3.8MB

        MD5

        4680b7118d5d69d9d9aca7265a07fa8b

        SHA1

        47036b3ed3f8ac995680bb6e9d12c91d30d840be

        SHA256

        98b1a4b0f9d10a1310b30401147cbd7fbb328f03f00c4dd31b99ab6bedf651ff

        SHA512

        6593078d884dd5eeefb528c388dfd05f528b03d35b93e47ed73ed27ff35769b6ef5991dd837cb398a44139a35407ab0917bda82b90a39ed1eecab2a99cd1f3d7

        Download Submit

      • memory/2404-22-0x00000000012B0000-0x000000000137E000-memory.dmp

        Filesize

        824KB

        Download

      • memory/2512-97-0x00000000003B0000-0x000000000073E000-memory.dmp

        Filesize

        3.6MB

        Download

      • memory/2532-13-0x0000000000400000-0x00000000008A8000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2848-48-0x0000000000870000-0x0000000000882000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2848-56-0x0000000000660000-0x000000000066E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2848-38-0x00000000005A0000-0x00000000005B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-40-0x0000000000620000-0x0000000000638000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2848-42-0x00000000005B0000-0x00000000005C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-44-0x00000000005C0000-0x00000000005D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-46-0x0000000000640000-0x000000000064E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2848-34-0x0000000000200000-0x000000000020E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2848-50-0x0000000000650000-0x0000000000660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-52-0x00000000008B0000-0x00000000008C6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2848-54-0x00000000008D0000-0x00000000008E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2848-36-0x0000000000600000-0x000000000061C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2848-58-0x0000000000890000-0x00000000008A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-60-0x00000000008A0000-0x00000000008B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-62-0x0000000002460000-0x00000000024BA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2848-64-0x00000000008F0000-0x00000000008FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2848-66-0x0000000000900000-0x0000000000910000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2848-68-0x0000000000910000-0x000000000091E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2848-70-0x0000000000A60000-0x0000000000A78000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2848-72-0x0000000000920000-0x000000000092C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2848-74-0x00000000024C0000-0x000000000250E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2848-32-0x00000000005D0000-0x00000000005F6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2848-30-0x0000000000210000-0x000000000059E000-memory.dmp

        Filesize

        3.6MB

        Download