Overview

overview

10

Static

static

3

517d21cbe4...6b.exe

windows7-x64

10

517d21cbe4...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    517d21cbe45c2a88930aa345c2a5c36b.exe

  • Size

    2.3MB

  • MD5

    517d21cbe45c2a88930aa345c2a5c36b

  • SHA1

    f8c2b259ed15eb455fc345f54a9ef9b0aace552c

  • SHA256

    4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9

  • SHA512

    b912bf7ea3fc0e929890ce6048e89ab797b0ebf4b54e87989bdf4f2eb06cb68e1accd52200105c1079336ba57525aa200cd48c769e24ce1827906948d6f28d3f

  • SSDEEP

    49152:IBJQcFZTdUJWxOOZPHst87uOLOkMRxJgSrSmMsce:yOczpGWdZPHu9WuRx9rrJT

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\517d21cbe45c2a88930aa345c2a5c36b.exe
    "C:\Users\Admin\AppData\Local\Temp\517d21cbe45c2a88930aa345c2a5c36b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainagentComponent\PWC9d9T0TgxIE17d8kEvKaBzSy5sS4bSkqUfKmaENJQQSQ4ECN.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ChainagentComponent\q14QT1c6LK4xpgG0MrqndXYweJYHdEecuYXEv1hUkMNQcqj9DhhAaajtNw.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\ChainagentComponent\ChainFontruntimeCrt.exe
          "C:\ChainagentComponent/ChainFontruntimeCrt.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU8S3gBqHz.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:3276
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:5012
                • C:\Program Files\Windows Portable Devices\fontdrvhost.exe
                  "C:\Program Files\Windows Portable Devices\fontdrvhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1044

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ChainagentComponent\ChainFontruntimeCrt.exe
        Filesize

        1.9MB

        MD5

        64105cb19ac25a6275c7d929937090a0

        SHA1

        4b0ab4a6fa17feed05e183029f3a240d7860437d

        SHA256

        cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898c

        SHA512

        7152d54def3ff633787549e7353330b949bb51af3753b77a52b6fa24465ce635c985cbe28d7fc8ecbe4fe4e7b0b39933f79ad4e56817aac45f8abffc0918e4b6

        Download Submit

      • C:\ChainagentComponent\PWC9d9T0TgxIE17d8kEvKaBzSy5sS4bSkqUfKmaENJQQSQ4ECN.vbe
        Filesize

        252B

        MD5

        82ea3a77040d884456b51fc284d887a3

        SHA1

        e5caba4399ce043a758f78840d2323ffce3d41b8

        SHA256

        345cb6db98f74263a91a2dabde35f4d2af5bbb909f1904d7b9b1d5d75864a2d8

        SHA512

        79147ccbd6bafbeec3d7d21fc0e3f0f85cb340e54263b2925b42bbda539d9f5b921d8e9dc950e51a7a1da942ae75988a92470dac6c6e73fdbef76047eefafd91

        Download Submit

      • C:\ChainagentComponent\q14QT1c6LK4xpgG0MrqndXYweJYHdEecuYXEv1hUkMNQcqj9DhhAaajtNw.bat
        Filesize

        77B

        MD5

        21c1a26270a6ac361060ef54b50810bc

        SHA1

        11d3abd6d008458760130e6ffcc61d812a976094

        SHA256

        4e5619470e12d0f050c33e88f7075267812240fcf2f38e8732486eea3967ac40

        SHA512

        42fa950a07f5edd1c48f6523395ed1816ee1b31eb9d8b905e3c92c31dec692465862bff4a840c845d879b1447593ffeff5924fd0ab4206061df257c2dc980ae8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SU8S3gBqHz.bat
        Filesize

        233B

        MD5

        6c0741a3a8919d559fabc71ebd2fd557

        SHA1

        d14d1fc0d265fbc6bca59ae0f70dc251add8211a

        SHA256

        bba274247abb144458e3d43ed0334b22e5d4bd44d185d6d1ebf00249666ae3fb

        SHA512

        dfefe6fa43acfed973ab86b4731fa55c23e009cacaa6ec3dec6595fcbbd320be57e43af18eb5fecd079eb4967bee9e5ee6fa6c4f65d6c06cb4307e7f9744bd84

        Download Submit

      • memory/1044-57-0x000000001C200000-0x000000001C2A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/2712-20-0x000000001B7C0000-0x000000001B7D8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2712-17-0x000000001B7A0000-0x000000001B7BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2712-18-0x000000001B840000-0x000000001B890000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2712-15-0x0000000002E40000-0x0000000002E4E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2712-22-0x000000001B780000-0x000000001B78E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2712-24-0x000000001B790000-0x000000001B79E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2712-26-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2712-28-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2712-45-0x000000001C140000-0x000000001C1E9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/2712-13-0x0000000000A70000-0x0000000000C6A000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2712-12-0x00007FFC4B1C3000-0x00007FFC4B1C5000-memory.dmp

        Filesize

        8KB

        Download