Overview

overview

10

Static

static

3

4b9cb0b6b9...c9.exe

windows7-x64

10

4b9cb0b6b9...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe

  • Size

    2.3MB

  • MD5

    517d21cbe45c2a88930aa345c2a5c36b

  • SHA1

    f8c2b259ed15eb455fc345f54a9ef9b0aace552c

  • SHA256

    4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9

  • SHA512

    b912bf7ea3fc0e929890ce6048e89ab797b0ebf4b54e87989bdf4f2eb06cb68e1accd52200105c1079336ba57525aa200cd48c769e24ce1827906948d6f28d3f

  • SSDEEP

    49152:IBJQcFZTdUJWxOOZPHst87uOLOkMRxJgSrSmMsce:yOczpGWdZPHu9WuRx9rrJT

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe
    "C:\Users\Admin\AppData\Local\Temp\4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainagentComponent\PWC9d9T0TgxIE17d8kEvKaBzSy5sS4bSkqUfKmaENJQQSQ4ECN.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ChainagentComponent\q14QT1c6LK4xpgG0MrqndXYweJYHdEecuYXEv1hUkMNQcqj9DhhAaajtNw.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\ChainagentComponent\ChainFontruntimeCrt.exe
          "C:\ChainagentComponent/ChainFontruntimeCrt.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EKsYy0yhsZ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2068
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2096
              • C:\Users\Admin\Start Menu\services.exe
                "C:\Users\Admin\Start Menu\services.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:404

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ChainagentComponent\ChainFontruntimeCrt.exe
      Filesize

      1.9MB

      MD5

      64105cb19ac25a6275c7d929937090a0

      SHA1

      4b0ab4a6fa17feed05e183029f3a240d7860437d

      SHA256

      cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898c

      SHA512

      7152d54def3ff633787549e7353330b949bb51af3753b77a52b6fa24465ce635c985cbe28d7fc8ecbe4fe4e7b0b39933f79ad4e56817aac45f8abffc0918e4b6

      Download Submit

    • C:\ChainagentComponent\PWC9d9T0TgxIE17d8kEvKaBzSy5sS4bSkqUfKmaENJQQSQ4ECN.vbe
      Filesize

      252B

      MD5

      82ea3a77040d884456b51fc284d887a3

      SHA1

      e5caba4399ce043a758f78840d2323ffce3d41b8

      SHA256

      345cb6db98f74263a91a2dabde35f4d2af5bbb909f1904d7b9b1d5d75864a2d8

      SHA512

      79147ccbd6bafbeec3d7d21fc0e3f0f85cb340e54263b2925b42bbda539d9f5b921d8e9dc950e51a7a1da942ae75988a92470dac6c6e73fdbef76047eefafd91

      Download Submit

    • C:\ChainagentComponent\q14QT1c6LK4xpgG0MrqndXYweJYHdEecuYXEv1hUkMNQcqj9DhhAaajtNw.bat
      Filesize

      77B

      MD5

      21c1a26270a6ac361060ef54b50810bc

      SHA1

      11d3abd6d008458760130e6ffcc61d812a976094

      SHA256

      4e5619470e12d0f050c33e88f7075267812240fcf2f38e8732486eea3967ac40

      SHA512

      42fa950a07f5edd1c48f6523395ed1816ee1b31eb9d8b905e3c92c31dec692465862bff4a840c845d879b1447593ffeff5924fd0ab4206061df257c2dc980ae8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EKsYy0yhsZ.bat
      Filesize

      166B

      MD5

      4238968a2aa42d16de641db61746ff28

      SHA1

      edecfdfb4a057a1d9aa2a59ac3558954502c4b21

      SHA256

      0f4582293370358ca9370df0dc1e6e2b56c65e8e66e216cec9db6a1e57a9f568

      SHA512

      bcff0e917a26289574e8f11757bc2bbcd4d999ccbb6f7c7ace7fd85e9756d3eee075bc779cbd75713e9f6ff43d5fab685a05efeb83b8bb1fa5be522b3929e6d3

      Download Submit

    • memory/404-46-0x0000000001370000-0x000000000156A000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2808-19-0x0000000000440000-0x0000000000458000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2808-17-0x0000000000420000-0x000000000043C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2808-21-0x0000000000410000-0x000000000041E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2808-23-0x0000000000460000-0x000000000046E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2808-25-0x0000000000470000-0x000000000047E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2808-27-0x0000000000490000-0x000000000049C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2808-15-0x00000000003F0000-0x00000000003FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2808-13-0x0000000000990000-0x0000000000B8A000-memory.dmp

      Filesize

      2.0MB

      Download