Overview

overview

10

Static

static

3

e4a958444e...4e.exe

windows7-x64

10

e4a958444e...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4a958444e72eb1b3be02f3a8bf29044a81f328405a4969a4f66515ef219774e.exe

  • Size

    3.5MB

  • MD5

    e7870cd0c30a52066c454c15a5a5a2f5

  • SHA1

    fc64203e05c104a116e7e4c354c9ee77c99737d6

  • SHA256

    e4a958444e72eb1b3be02f3a8bf29044a81f328405a4969a4f66515ef219774e

  • SHA512

    3e0a40959eaba1fbf3cb7a11707bc658421f3066e4e1beea56088ac213c10524127d4d9e2500e549a1ee608887c113973892d54fb91fae6ea9db4eb9e818bebe

  • SSDEEP

    98304:sALvAvoV3JDBQSBK5f7a6uBt9iofavIa:smvvV5DpQ7a6ugoCvI

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4a958444e72eb1b3be02f3a8bf29044a81f328405a4969a4f66515ef219774e.exe
    "C:\Users\Admin\AppData\Local\Temp\e4a958444e72eb1b3be02f3a8bf29044a81f328405a4969a4f66515ef219774e.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Um11VS1bm.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1512
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3004
        • C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe
          "C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:724

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\WindowsRE\OfficeClickToRun.exe
      Filesize

      3.5MB

      MD5

      e7870cd0c30a52066c454c15a5a5a2f5

      SHA1

      fc64203e05c104a116e7e4c354c9ee77c99737d6

      SHA256

      e4a958444e72eb1b3be02f3a8bf29044a81f328405a4969a4f66515ef219774e

      SHA512

      3e0a40959eaba1fbf3cb7a11707bc658421f3066e4e1beea56088ac213c10524127d4d9e2500e549a1ee608887c113973892d54fb91fae6ea9db4eb9e818bebe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\0Um11VS1bm.bat
      Filesize

      193B

      MD5

      ad42dee3d7db65f8e48183596bec0ea5

      SHA1

      6421480309ff80fe5eb123ddfd0c45ae68edb04b

      SHA256

      d99183125cc9f3f754de1371d7aae413f8c5c466e3e3449c4f67c5213178cdac

      SHA512

      e02379a7cf454b65291a08d427f4047d480ff4fc9b4746723e46d275087915f1de388c57963e107cc3df5fdb927c6f4cdfc8910a46e8d8946c96526591fe9e3e

      Download Submit

    • memory/724-104-0x000000001D050000-0x000000001D058000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4648-27-0x000000001BB10000-0x000000001BB1E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4648-59-0x000000001C2C0000-0x000000001C30E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4648-7-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-6-0x000000001BB30000-0x000000001BB56000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4648-8-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-9-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-30-0x000000001BF20000-0x000000001BF32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-12-0x00000000016A0000-0x00000000016AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4648-15-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-16-0x000000001BED0000-0x000000001BF20000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4648-14-0x000000001BE60000-0x000000001BE7C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4648-18-0x00000000016B0000-0x00000000016C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4648-20-0x000000001BE80000-0x000000001BE98000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4648-22-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4648-25-0x000000001BB00000-0x000000001BB10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4648-23-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-28-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-35-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-10-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-4-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-0-0x00007FFDDEDD3000-0x00007FFDDEDD5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4648-32-0x000000001BEA0000-0x000000001BEB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4648-37-0x000000001BF60000-0x000000001BF72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-38-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-39-0x000000001C4B0000-0x000000001C9D8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4648-41-0x000000001BEB0000-0x000000001BEBE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4648-43-0x000000001BEC0000-0x000000001BED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4648-45-0x000000001BF80000-0x000000001BF90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4648-47-0x000000001BFF0000-0x000000001C04A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4648-49-0x000000001BF90000-0x000000001BF9E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4648-51-0x000000001BFA0000-0x000000001BFB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4648-53-0x000000001BFB0000-0x000000001BFBE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4648-55-0x000000001C050000-0x000000001C068000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4648-57-0x000000001BFC0000-0x000000001BFCC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4648-34-0x000000001BF40000-0x000000001BF56000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4648-3-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-76-0x000000001C9E0000-0x000000001CB89000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4648-78-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-2-0x00007FFDDEDD0000-0x00007FFDDF891000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-1-0x0000000000A40000-0x0000000000DCE000-memory.dmp

      Filesize

      3.6MB

      Download