Overview

overview

10

Static

static

10

65fa57c7a8...5c.exe

windows7-x64

10

65fa57c7a8...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65fa57c7a8ac3956292be0a17e56f35fff14fb060cd6022889665901a6ecda5c.exe

  • Size

    1.4MB

  • MD5

    4ad4cc9b5b82fc59756523b5b49da103

  • SHA1

    239321573ab48845b649af41908eecadd972dc04

  • SHA256

    65fa57c7a8ac3956292be0a17e56f35fff14fb060cd6022889665901a6ecda5c

  • SHA512

    96c8164723c4ada3ab78a63a94e8b35ed41bebdbdf1591f452453a0209f264120572e1c11e60962ca8b1e2fd96f686f1627eab94d0fbeb86e1c931d803a0ca4b

  • SSDEEP

    24576:U2G/nvxW3Ww0teOtQEIQ/E8pi63hn89pN3bfqaeTBHLChWFBAtlIBGIP5M:UbA30cn8Y6d89f3e5LhFSnIBhG

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\65fa57c7a8ac3956292be0a17e56f35fff14fb060cd6022889665901a6ecda5c.exe
    "C:\Users\Admin\AppData\Local\Temp\65fa57c7a8ac3956292be0a17e56f35fff14fb060cd6022889665901a6ecda5c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providerbrowserWebFont\YIgtMaExFJFBncNn1em9wJcGNWr3f.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providerbrowserWebFont\5cmX3eeCizBMduOP4xHF1p.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\providerbrowserWebFont\bridgereviewwin.exe
          "C:\providerbrowserWebFont\bridgereviewwin.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3712
          • C:\Windows\L2Schemas\csrss.exe
            "C:\Windows\L2Schemas\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\providerbrowserWebFont\5cmX3eeCizBMduOP4xHF1p.bat
    Filesize

    47B

    MD5

    e9d505caa65e63b5d93b82e1877f2062

    SHA1

    0276dfd379ea89be367b66950300a1455a583571

    SHA256

    21badcf7822aac68d4d060e89fd6f04df3ff68dcd39217ba3863d7503237d101

    SHA512

    077eb5a528e0015e7c6f8ead1b2351d16abf0a05b6132e04a640b9c40a12234091bae5f9268eeb61b75886449320465619cacdacb7733b502d76b7bc3016d917

    Download Submit

  • C:\providerbrowserWebFont\YIgtMaExFJFBncNn1em9wJcGNWr3f.vbe
    Filesize

    221B

    MD5

    06865e53406b18d46604d04a3bd9b396

    SHA1

    d9e26ebaa48e997333364143c3d8441eb984dca7

    SHA256

    956279f84b64c8db50862edddfcd9fc43266cab11fced78a0e6d3d2a47e429cc

    SHA512

    1d8b16ed4aa71712900c394b61f2133c305644fc28266ee95e314c09cbb7671d69ed199a544fdbbc618c1ebb803935203da723909da94b2d9d2b3dbec4f7284b

    Download Submit

  • C:\providerbrowserWebFont\bridgereviewwin.exe
    Filesize

    1.1MB

    MD5

    8a6b7ad242f380978aa7318c3fdafe4f

    SHA1

    c78489883e9ce873f7a67c0d3ad662adef9a0c61

    SHA256

    f7a4bc7bacb5fce2daafe9b4db183f60f87528a02832e814417d089a6f6bc2b3

    SHA512

    198e5fe3fb97f7541ec69511a60cb3baffed07046560f6f4455cc403f71d66f17ddf733511d6bd810312028d22d013897be28e66ddcb6eaa1ba5a91b0ab2079c

    Download Submit

  • memory/3712-12-0x00007FF9DE8E3000-0x00007FF9DE8E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3712-13-0x00000000000A0000-0x00000000001C4000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3712-14-0x0000000000A30000-0x0000000000A4C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3712-15-0x00000000024A0000-0x00000000024F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3712-16-0x0000000000A70000-0x0000000000A86000-memory.dmp

    Filesize

    88KB

    Download