Overview

overview

10

Static

static

3

517d21cbe4...6b.exe

windows7-x64

10

517d21cbe4...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2024 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    517d21cbe45c2a88930aa345c2a5c36b.exe

  • Size

    2.3MB

  • MD5

    517d21cbe45c2a88930aa345c2a5c36b

  • SHA1

    f8c2b259ed15eb455fc345f54a9ef9b0aace552c

  • SHA256

    4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9

  • SHA512

    b912bf7ea3fc0e929890ce6048e89ab797b0ebf4b54e87989bdf4f2eb06cb68e1accd52200105c1079336ba57525aa200cd48c769e24ce1827906948d6f28d3f

  • SSDEEP

    49152:IBJQcFZTdUJWxOOZPHst87uOLOkMRxJgSrSmMsce:yOczpGWdZPHu9WuRx9rrJT

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\517d21cbe45c2a88930aa345c2a5c36b.exe
    "C:\Users\Admin\AppData\Local\Temp\517d21cbe45c2a88930aa345c2a5c36b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainagentComponent\PWC9d9T0TgxIE17d8kEvKaBzSy5sS4bSkqUfKmaENJQQSQ4ECN.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ChainagentComponent\q14QT1c6LK4xpgG0MrqndXYweJYHdEecuYXEv1hUkMNQcqj9DhhAaajtNw.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\ChainagentComponent\ChainFontruntimeCrt.exe
          "C:\ChainagentComponent/ChainFontruntimeCrt.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FRDUb5avyZ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2716
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2792
                • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\dllhost.exe
                  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\dllhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2628

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ChainagentComponent\PWC9d9T0TgxIE17d8kEvKaBzSy5sS4bSkqUfKmaENJQQSQ4ECN.vbe
        Filesize

        252B

        MD5

        82ea3a77040d884456b51fc284d887a3

        SHA1

        e5caba4399ce043a758f78840d2323ffce3d41b8

        SHA256

        345cb6db98f74263a91a2dabde35f4d2af5bbb909f1904d7b9b1d5d75864a2d8

        SHA512

        79147ccbd6bafbeec3d7d21fc0e3f0f85cb340e54263b2925b42bbda539d9f5b921d8e9dc950e51a7a1da942ae75988a92470dac6c6e73fdbef76047eefafd91

        Download Submit

      • C:\ChainagentComponent\q14QT1c6LK4xpgG0MrqndXYweJYHdEecuYXEv1hUkMNQcqj9DhhAaajtNw.bat
        Filesize

        77B

        MD5

        21c1a26270a6ac361060ef54b50810bc

        SHA1

        11d3abd6d008458760130e6ffcc61d812a976094

        SHA256

        4e5619470e12d0f050c33e88f7075267812240fcf2f38e8732486eea3967ac40

        SHA512

        42fa950a07f5edd1c48f6523395ed1816ee1b31eb9d8b905e3c92c31dec692465862bff4a840c845d879b1447593ffeff5924fd0ab4206061df257c2dc980ae8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\FRDUb5avyZ.bat
        Filesize

        259B

        MD5

        77e59e04f6341121019c0ecf81639a74

        SHA1

        69c767746ad54d8c7f7c855e897ebb3fed998f66

        SHA256

        d72d4e0dd31764c4e176855b85ce00f67ba0874886bb0f3f0abac0537b7a0179

        SHA512

        d91dff089b25945b53161cc6a632ae1b37f2b02393039eaddac241c1a72aafd10c80648ecc861d2e2ceb20cbef2e530d8ecbad338b0ebb372041f21425583bb5

        Download Submit

      • \ChainagentComponent\ChainFontruntimeCrt.exe
        Filesize

        1.9MB

        MD5

        64105cb19ac25a6275c7d929937090a0

        SHA1

        4b0ab4a6fa17feed05e183029f3a240d7860437d

        SHA256

        cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898c

        SHA512

        7152d54def3ff633787549e7353330b949bb51af3753b77a52b6fa24465ce635c985cbe28d7fc8ecbe4fe4e7b0b39933f79ad4e56817aac45f8abffc0918e4b6

        Download Submit

      • memory/2628-46-0x0000000000DC0000-0x0000000000FBA000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2820-19-0x0000000000350000-0x0000000000368000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2820-17-0x0000000000330000-0x000000000034C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2820-21-0x0000000000310000-0x000000000031E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-23-0x0000000000320000-0x000000000032E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-25-0x0000000000480000-0x000000000048E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-27-0x0000000000490000-0x000000000049C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2820-15-0x0000000000300000-0x000000000030E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-13-0x00000000008A0000-0x0000000000A9A000-memory.dmp

        Filesize

        2.0MB

        Download