hxxps://cdn[.]discordapp[.]com/attachments/1074433987998646383/1074438108579373196/DonutCrystal[.]zip?ex=66262a37&is=6624d8b7&hm=5b285834875c7058fca31877c53ebeb8f178e52ae84fca05279b7793a33d9ec7&

Analysis

max time kernel
149s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
21-04-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1074433987998646383/1074438108579373196/DonutCrystal.zip?ex=66262a37&is=6624d8b7&hm=5b285834875c7058fca31877c53ebeb8f178e52ae84fca05279b7793a33d9ec7&

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581767231572876"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DonutCrystal.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3568	chrome.exe
3568	chrome.exe
2716	chrome.exe
2716	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3568	chrome.exe
3568	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe
Token: SeShutdownPrivilege	3568	chrome.exe
Token: SeCreatePagefilePrivilege	3568	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4040	3568	chrome.exe	77
PID 3568 wrote to memory of 4040	3568	chrome.exe	77
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 1364	3568	chrome.exe	78
PID 3568 wrote to memory of 3548	3568	chrome.exe	79
PID 3568 wrote to memory of 3548	3568	chrome.exe	79
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80
PID 3568 wrote to memory of 3176	3568	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1074433987998646383/1074438108579373196/DonutCrystal.zip?ex=66262a37&is=6624d8b7&hm=5b285834875c7058fca31877c53ebeb8f178e52ae84fca05279b7793a33d9ec7&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84320ab58,0x7ff84320ab68,0x7ff84320ab78
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:2
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2140 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=740 --field-trial-handle=1828,i,14100541278062682415,5778960362370343532,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\816328a1-4ae5-4445-8c89-f9ac3febc923.tmp

Filesize
1KB

MD5
449a8c0769b2eae739146bbe056e952f

SHA1
dba338eedda27619dd481febd40915d67c70b6eb

SHA256
49dfe9516ec9ff5c3252f4587c35350b3261a3f9ed6e92cf786e97a767e9c455

SHA512
7e682ca4f052e3b3e8bea5b594ed22859450c3b1307699aebdce2bfd3d96277ead69dca67a970a7c7204c38504898875fa598397d1422de85f718058cc1396a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4825edfeb24ff9a959075e4150d2c991

SHA1
b85e29ed9cc40ca30b0ae51cafb0b8e5ae463776

SHA256
533cf283e577a86f6a290ad4ddbd64307c75ba7c6ae27033cca4ae45e791513f

SHA512
8789e3df7b9c6f634a70dd0adfd8e73ec85a636023b411b074cfbc9ebb641151d3542b950cdd7c88559d428b7fbb7cbb2bc643e90654406a51b45d8f8d008a4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
8ff139a2a67348eba9b2ae2dad3cbbc5

SHA1
1171fa60a25ea3094cc0f9d711d3d03ed7899e15

SHA256
e8426e8707dd8236caeb57650c3604610c7e04784408f38293ce83be4b8d008f

SHA512
65c28a35b830f1815bd122abe9d787dbcb333474f672ebed23094530319fae42f64942c0925c64d7629981f58cd80232cc4a891f98c9f0bc103901e9e3cee8c3

Download Submit
C:\Users\Admin\Downloads\DonutCrystal.zip.crdownload

Filesize
690KB

MD5
d3ef2f88bac15028104756b9b2451448

SHA1
cddeb52324e991f1b73449a85e37000edd746b8e

SHA256
199157ad5d08dbfd19f9878eb614122c9d21cfd6cdc3c62c3878ac2048840627

SHA512
3bd4ed1fcec087f19ef0175c5c13f3f19555490f8422800529099c13243f209946eba12ef23d477a932611194699005adfabe06c4d6ba36d77d015cb6c0e2708

Download Submit
C:\Users\Admin\Downloads\DonutCrystal.zip:Zone.Identifier

Filesize
224B

MD5
cd8e0261736ac0d72d24f58857197d93

SHA1
b1a7d40f5289180dce26fa16e58337e93d2ffa5a

SHA256
0090c8cbaa976c47330391908d2a706c9dde1ba16a4b16af0745eef9a1965f65

SHA512
379b5a34581c83d4df0e21ad3209cb649bce13b8062b197939c288ea629ac671df40ef88816fbd0a8c6cf120217d708bc24376757a677b9ddac94cba03227d5e

Download Submit