Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2025 06:31

General

  • Target

    eb70291aebfca69fae386dfcdc209c8f9b36e135e882088c890c46308fa6df69N.exe

  • Size

    2.7MB

  • MD5

    9ce973d39537cd129e27ab0ed843c920

  • SHA1

    a0fce68a43511da1cbd63600b8e824cf684d9617

  • SHA256

    eb70291aebfca69fae386dfcdc209c8f9b36e135e882088c890c46308fa6df69

  • SHA512

    20dbb88bc9d5862ede036633a8e3937f47e49321872f78706d1b5881071167ab75c08da10c9a8e03a5d747f233ff97c2b0cb8e572297c309cc1497658030f404

  • SSDEEP

    24576:2TbBv5rUyXVnI++nluNY4Cw7sULqPyZwSxIshnWIjm7vZAjX+ez87TkQPI1Q7SGS:IBJI++n8NY+lwSx9WkiLekTk1JMrs

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb70291aebfca69fae386dfcdc209c8f9b36e135e882088c890c46308fa6df69N.exe
    "C:\Users\Admin\AppData\Local\Temp\eb70291aebfca69fae386dfcdc209c8f9b36e135e882088c890c46308fa6df69N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Blockmonitor\HeUwcB4baJ09hxtgLFYnrYRurWpCBdRotBlDKLgEXR4j0GQXLf0GLW.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Blockmonitor\i2PbrgOOwQRRChofjSNVXl67BG60nzl0wUfDSUyfdly0UjRL.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Blockmonitor\bridgechainsurrogateserverBrowser.exe
          "C:\Blockmonitor/bridgechainsurrogateserverBrowser.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zEYVC2l170.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:1764
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:236
              • C:\Users\Default\Saved Games\sppsvc.exe
                "C:\Users\Default\Saved Games\sppsvc.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:400
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:448
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    8⤵
                      PID:2112
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      8⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:1736
                    • C:\Users\Default\Saved Games\sppsvc.exe
                      "C:\Users\Default\Saved Games\sppsvc.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:912
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MGTgtuIFSm.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1032
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          10⤵
                            PID:2784
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            10⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:1996
                          • C:\Users\Default\Saved Games\sppsvc.exe
                            "C:\Users\Default\Saved Games\sppsvc.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2812

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Blockmonitor\HeUwcB4baJ09hxtgLFYnrYRurWpCBdRotBlDKLgEXR4j0GQXLf0GLW.vbe

          Filesize

          239B

          MD5

          3e63707e4d8b55019daddbf38b91a5aa

          SHA1

          8079c688efbac523116d6466faf7364a7a3eeeeb

          SHA256

          707f7fdea6e382b7df65eb229634645d2bf48b37485381e78061e117c85d1d21

          SHA512

          b0004124ed88fe3a13247787bfbd82a9b8b545902d2c36c688270a357e7cae0259d2fcff028fc04b4270c1ef6e85b65cffc903ccb8d90173b13d92188dbcade7

        • C:\Blockmonitor\i2PbrgOOwQRRChofjSNVXl67BG60nzl0wUfDSUyfdly0UjRL.bat

          Filesize

          104B

          MD5

          267273f89b4dfe0e94294134e8cdd20e

          SHA1

          530eba1aacce08a71715c0c5ebf1e7312fbf9274

          SHA256

          d2aea7c169666ee3c82d1c366030c1a2264142941f0693ba3a79acaca46b48f9

          SHA512

          da167fab4faf015416b42ddc45de43e3779dca6523f96624df2ce6e5073024e5365c33dbf641da25219ba9957a328e1a8f742453b3ce6af790d642d440a0d5d5

        • C:\Users\Admin\AppData\Local\Temp\MGTgtuIFSm.bat

          Filesize

          167B

          MD5

          c7cb0405464b554f573bf6812a256b9c

          SHA1

          703965eca49d791f9b1b134002667f7eca0961fd

          SHA256

          1d3507c15b3c0df8552169a99dcf89eb41b8c7888b46169062e3c7d452430526

          SHA512

          a739b1e443fa0c9d4769308b956456c5730bb78d862c62bb00fc596761f83e5b5b97d89cba3a3d585d5cba336d875f1f2d970e52093bc08eadb772fc4ec65ad5

        • C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat

          Filesize

          167B

          MD5

          650b185d7802565999642f5f383beb63

          SHA1

          efa35bb320e1c3b6b97467178eb7b4a395109107

          SHA256

          30c4763afb0bb4ac5a0c5ba9e5ec5d378c9cd0c9570e80910c9f1b47779d311e

          SHA512

          7847c5840778e375425a90bcd65e61d30dee42e1981bea460c78de1c456586e5c5101c2f6ee99cb2f0ee6dfc2af932a8d9f3535e19dad870a6197d2db37b7c9a

        • C:\Users\Admin\AppData\Local\Temp\zEYVC2l170.bat

          Filesize

          167B

          MD5

          60f942676572a2466af3d025719e42ef

          SHA1

          6654b1c5ccc7cfa5a77215d9c7a8a425aefba0ea

          SHA256

          fa513769c082fd14c9720d25e440c70f296f95a48fc9d065b02fa5fc18e05a29

          SHA512

          d7d6c67e8660c6dc4f4b1d83e1bda8d990cd98f85c0807b41f65d723ded2225ad906f04bb8fe02d0754b4254686985f04636c87fe46b3bf5cdd4e2dd804de449

        • \Blockmonitor\bridgechainsurrogateserverBrowser.exe

          Filesize

          2.4MB

          MD5

          90ec39d1b525bd236ffbe02fac42f53d

          SHA1

          0c7d6ec16d26546a13ba98daef26c20eaee9e35f

          SHA256

          df2bc338a5f3ade391666a46efa5bc59d0bf88fe224bb7c9a79f934a155cad10

          SHA512

          e9acf468d7782cfbc4334aa4689cbb7d5aedadb2c3f06ae2e3d6a49c7691a53761d4fd1e1348299dad60b105c63f2c8a122336c12067f411f19768cfd2f97374

        • memory/400-73-0x0000000000030000-0x000000000029E000-memory.dmp

          Filesize

          2.4MB

        • memory/912-101-0x0000000001320000-0x000000000158E000-memory.dmp

          Filesize

          2.4MB

        • memory/2564-35-0x0000000002140000-0x0000000002156000-memory.dmp

          Filesize

          88KB

        • memory/2564-45-0x00000000022A0000-0x00000000022FA000-memory.dmp

          Filesize

          360KB

        • memory/2564-27-0x00000000008F0000-0x0000000000900000-memory.dmp

          Filesize

          64KB

        • memory/2564-29-0x0000000000900000-0x000000000090E000-memory.dmp

          Filesize

          56KB

        • memory/2564-31-0x0000000000960000-0x0000000000972000-memory.dmp

          Filesize

          72KB

        • memory/2564-33-0x0000000000940000-0x0000000000950000-memory.dmp

          Filesize

          64KB

        • memory/2564-23-0x0000000000910000-0x0000000000928000-memory.dmp

          Filesize

          96KB

        • memory/2564-37-0x0000000002160000-0x0000000002172000-memory.dmp

          Filesize

          72KB

        • memory/2564-39-0x0000000000950000-0x000000000095E000-memory.dmp

          Filesize

          56KB

        • memory/2564-41-0x0000000002120000-0x0000000002130000-memory.dmp

          Filesize

          64KB

        • memory/2564-43-0x0000000002130000-0x0000000002140000-memory.dmp

          Filesize

          64KB

        • memory/2564-25-0x0000000000780000-0x0000000000790000-memory.dmp

          Filesize

          64KB

        • memory/2564-47-0x0000000002180000-0x000000000218E000-memory.dmp

          Filesize

          56KB

        • memory/2564-49-0x0000000002190000-0x00000000021A0000-memory.dmp

          Filesize

          64KB

        • memory/2564-51-0x00000000021A0000-0x00000000021AE000-memory.dmp

          Filesize

          56KB

        • memory/2564-53-0x00000000021D0000-0x00000000021E8000-memory.dmp

          Filesize

          96KB

        • memory/2564-55-0x000000001A990000-0x000000001A9DE000-memory.dmp

          Filesize

          312KB

        • memory/2564-21-0x0000000000770000-0x0000000000780000-memory.dmp

          Filesize

          64KB

        • memory/2564-19-0x0000000000790000-0x00000000007AC000-memory.dmp

          Filesize

          112KB

        • memory/2564-17-0x0000000000760000-0x000000000076E000-memory.dmp

          Filesize

          56KB

        • memory/2564-15-0x00000000008C0000-0x00000000008E6000-memory.dmp

          Filesize

          152KB

        • memory/2564-13-0x00000000001D0000-0x000000000043E000-memory.dmp

          Filesize

          2.4MB