Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11-06-2024 15:16
General
-
Target
4d11c28e9ddfd0ea910b9ae2452dccf3.exe
-
Size
1.1MB
-
MD5
4d11c28e9ddfd0ea910b9ae2452dccf3
-
SHA1
9c5540ed7b779477d181382dc81a0621fc930971
-
SHA256
e5b3c145f4e3762e70e31a7a1b662f6711d8ca6b760cb8e166f6f9014c4b4280
-
SHA512
6f87a7f3607b9ae993acea64cc6b3bf2c6b593b2e1ecf9e35b187d39245d43812d46382f75fde0e26ea535e8fdca1b912c46393e33cd1571fd2c4556466b6938
-
SSDEEP
24576:U2G/nvxW3Ww0tR6q25E1hDUNoTAicnf6z8Kt:UbA30Fvhwi80
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d11c28e9ddfd0ea910b9ae2452dccf3.exe"C:\Users\Admin\AppData\Local\Temp\4d11c28e9ddfd0ea910b9ae2452dccf3.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Hypersurrogatefontreviewref\k2wxG4uaUkBbG1HJ4EpeboBys6oty.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hypersurrogatefontreviewref\Su7beFRaWTg0xRHyqfA5bDL.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Hypersurrogatefontreviewref\wininto.exe"C:\Users\Admin\AppData\Local\Temp\Hypersurrogatefontreviewref\wininto.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD58fd441a13337120576d6c5efe9dd4a27
SHA1001877207e0ad44d0dd057fbe94232eb9366cfe7
SHA2561d9ed55be6ca5c24ed4573a61a1a25f2ce691cab09947ea7e6402726c7ec80c6
SHA512ce5b5aba22a7cf988553c418874c022cd4f3d2a357f6b3907e99b5246b2d9164b892577c56e04f546febc14bcbbd8ce8a44c9521e47cf5afca78c0086af5f38b
-
Filesize
231B
MD52da320e60abaee9776c04c95d14360f8
SHA1d242565c64b2a488384813667a858a46d72c6a98
SHA25628324e5aaa8f0615c3050a11487aebe05b2117d72bfa46b89d364990e1be2d10
SHA512af3032e01bef2ed8a394051ebe5894a15f982bfe9d8d15da18804bd69a3eda1d343a62d01a358f6b5ad3ac476a8bb6cfa9c2ed5d900ae13719b398fab4f68c9b
-
Filesize
826KB
MD5c328a904a74492b29befb48f3dbed741
SHA17b3a39faae592c3e5a1d989ff9f0f06ce20cfcf7
SHA2560657ce3a271804cdb705c6f51ef64c8eab365d4fd040c402a6e2c2b94e4c638b
SHA5125479bb2a4d26347ad4d46ecbf326f6c004c438c23074a1c6a9761cf67778bad29a820ff614e4653ec7fedd0025c93856b99a69850d552fff994ee6c5bd1e6e19
-
Filesize
8KB
-
Filesize
856KB