Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
09-06-2023 10:57
General
-
Target
71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe
-
Size
3.4MB
-
MD5
8136421aa9596cb02a6c30a99b376db5
-
SHA1
a4866f30925441944eb06e9540fd8740a7302b84
-
SHA256
71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8
-
SHA512
a6b2fcb864ecc6b10a2a08373d12d8f59f16e9ca22b1b014c2326807a1bb90ab84e1a0b9afd637a408c179f9025eee28f017e35bf6543fb59e06a12c9860bf8c
-
SSDEEP
24576:0BgrBN6i/BEuM75fCJaBSDVdMYHl6I4H8ykD3A:yIWqgBSDAYHl4cykD3A
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe"C:\Users\Admin\AppData\Local\Temp\71becff3e0037cf61458f416ee026d4c6db0a25ffb2d42b6a0eecad381825cb8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 4482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1672 -ip 16721⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1976-133-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/1976-134-0x0000000006400000-0x00000000069A4000-memory.dmpFilesize
5.6MB
-
memory/1976-135-0x0000000005870000-0x0000000005880000-memory.dmpFilesize
64KB
-
memory/1976-136-0x0000000006190000-0x00000000061F6000-memory.dmpFilesize
408KB
-
memory/1976-137-0x0000000006300000-0x0000000006350000-memory.dmpFilesize
320KB
-
memory/1976-138-0x00000000069B0000-0x0000000006A42000-memory.dmpFilesize
584KB
-
memory/1976-139-0x0000000005870000-0x0000000005880000-memory.dmpFilesize
64KB
-
memory/1976-140-0x0000000005870000-0x0000000005880000-memory.dmpFilesize
64KB
-
memory/1976-141-0x00000000073A0000-0x0000000007562000-memory.dmpFilesize
1.8MB
-
memory/1976-142-0x0000000005870000-0x0000000005880000-memory.dmpFilesize
64KB
-
memory/1976-145-0x0000000007DE0000-0x000000000830C000-memory.dmpFilesize
5.2MB
-
memory/1976-144-0x0000000005870000-0x0000000005880000-memory.dmpFilesize
64KB
-
memory/1976-143-0x0000000005870000-0x0000000005880000-memory.dmpFilesize
64KB