Analysis
Max time kernel: 147s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15-05-2024 21:26
Behavioral task: behavioral1
Sample: 3d71f1e177234c396f2a5d7d852a2376.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 3d71f1e177234c396f2a5d7d852a2376.exe
Resource: win10v2004-20240508-en
General
Target: 3d71f1e177234c396f2a5d7d852a2376.exe
Size: 1.4MB
MD5: 3d71f1e177234c396f2a5d7d852a2376
SHA1: fe960120b965c91a3021fbea60e1b2c77ec78b63
SHA256: c0db54d6ec9c0e2310d4c8bfd1739f079a0fd85adcf088ff8876f54485a61f2c
SHA512: e2bc7e6027b32088580ab4e2a074d23c8be77ef5992f502fadb0875316a2b2f79bd9d1668568d99867715d5e60ee2fa236c903ba668cfd868142e3d18bbda82c
SSDEEP: 24576:U2G/nvxW3Ww0tHzmBv0vDGt3r6+yWJmgHgwSRADpDial:UbA30HzFGnJ2wS+1ic
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Resource / YARA rule:
- C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe: dcrat
- behavioral2/memory/4428-13-0x0000000000800000-0x0000000000924000-memory.dmp: dcrat
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 3d71f1e177234c396f2a5d7d852a2376.exe, WScript.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation (3d71f1e177234c396f2a5d7d852a2376.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation (WScript.exe)
Executes dropped EXE (1 IoC)
Processes: RAT.exe
- PID 4428: RAT.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes: 3d71f1e177234c396f2a5d7d852a2376.exe
- Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings (3d71f1e177234c396f2a5d7d852a2376.exe)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes: RAT.exe
- PID 4428: RAT.exe (9 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RAT.exe
- PID 4428: RAT.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: RAT.exe
- Token: SeDebugPrivilege, PID 4428, RAT.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 3d71f1e177234c396f2a5d7d852a2376.exe, WScript.exe, cmd.exe
- PID 3228 (3d71f1e177234c396f2a5d7d852a2376.exe) wrote to memory of PID 4644 (WScript.exe) (3 events)
- PID 4644 (WScript.exe) wrote to memory of PID 4228 (cmd.exe) (3 events)
- PID 4228 (cmd.exe) wrote to memory of PID 4428 (RAT.exe) (2 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3d71f1e177234c396f2a5d7d852a2376.exe"
   PID: 3228
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DCRAT\u3Ah4o8.vbe"
      PID: 4644
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\DCRAT\VmabnRVk3Q0Z4Rsmx4y.bat" "
         PID: 4228
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\DCRAT\RAT.exe
            Command line: "C:\Users\Admin\AppData\Roaming\\DCRAT\RAT.exe"
            PID: 4428
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads