Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2023 10:41
Static task: static1
Behavioral task: behavioral1
  Sample: 1daeb81d9c3201beb8ea848fd869fc80.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 1daeb81d9c3201beb8ea848fd869fc80.exe
  Resource: win10v2004-20230220-en
General
- Target: 1daeb81d9c3201beb8ea848fd869fc80.exe
- Size: 807KB
- MD5: 1daeb81d9c3201beb8ea848fd869fc80
- SHA1: 33aaf3d172952a169e97b4912506b08df3e01c75
- SHA256: 5d3511735bed246367c3fa97c21ce7bdc9ade8ce5212d4a40504ddc9a9330122
- SHA512: 1b998a59a2c4d746b270ba5fddd1c1000f457d627c2bef114ea6d116085004deffbfd83d0f50ad56bc1bc366b3647da2499357b704fc4a303e3bbc74f242c115
- SSDEEP: 24576:KUHKH42cH3Gz0BwDbu2fglQPvX+QZZUI1L3:KuKHGHWgIu+f+QD3
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1748-56-0x0000000000400000-0x00000000004A4000-memory.dmp  dcrat
    behavioral1/memory/1748-62-0x0000000000400000-0x00000000004A4000-memory.dmp  dcrat
    behavioral1/memory/1748-63-0x0000000000400000-0x00000000004A4000-memory.dmp  dcrat
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                               target process
    PID 1768 set thread context of 1748  1768  1daeb81d9c3201beb8ea848fd869fc80.exe  AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
    pid   process
    1748  AppLaunch.exe (13 identical events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1748  AppLaunch.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 1768 wrote to memory of 1748   1768  1daeb81d9c3201beb8ea848fd869fc80.exe  AppLaunch.exe (9 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\1daeb81d9c3201beb8ea848fd869fc80.exe (PID 1768, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1daeb81d9c3201beb8ea848fd869fc80.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1748, depth 2, child of the sample)
    Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  file                                                          filesize
- memory/1748-55-0x0000000000400000-0x00000000004A4000-memory.dmp  656KB
- memory/1748-56-0x0000000000400000-0x00000000004A4000-memory.dmp  656KB
- memory/1748-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp  4KB
- memory/1748-62-0x0000000000400000-0x00000000004A4000-memory.dmp  656KB
- memory/1748-63-0x0000000000400000-0x00000000004A4000-memory.dmp  656KB
- memory/1748-64-0x0000000004C90000-0x0000000004CD0000-memory.dmp  256KB
- memory/1748-65-0x00000000003E0000-0x00000000003FC000-memory.dmp  112KB
- memory/1748-66-0x0000000000500000-0x0000000000516000-memory.dmp  88KB
- memory/1748-67-0x0000000004C90000-0x0000000004CD0000-memory.dmp  256KB