Analysis
-
max time kernel: 43s
max time network: 20s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 21:46
Behavioral task: behavioral1
Sample: atlx/Avtronu.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: atlx/Avtronu.exe
Resource: win10v2004-20240611-en
General
-
Target: atlx/Avtronu.exe
Size: 3.5MB
MD5: a1210622f2a129c42bac9f532240b8a8
SHA1: 623c295b9d17598e0e808382c0ada1185ebca771
SHA256: f4d9794ab16b4f21e84c8a1dfd1496d17cfa2c265235995d86f1613a24ff4f46
SHA512: 6a30b3fc944f22ab02c4ba0756e14f9733ec21ca8ec7fa3a6478087b0d5edd086fbc35a0b5ec0fac4c658ae9dc3202b785417926f50d43313b47d223e81f4866
SSDEEP: 49152:1bA37BhNKkGNXjkY1/eBIZXwOMUiWL91qGvN7K+59WIchmuAdM1TcH5La0r:1bqzCTuIZXwDxWLTvNEzhI2iLaQ
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT active since June 2019, capable of loading additional plugins.
-
Resources matched (yara_rule):
\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe  dcrat
behavioral1/memory/2692-13-0x0000000000DA0000-0x00000000010BE000-memory.dmp  dcrat
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
2692  Crtdll.exe
-
Loads dropped DLL 2 IoCs
Processes (pid, process; one row per DLL load):
2752  cmd.exe
2752  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege  2692  Crtdll.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes (source PID -> target PID, source process -> target process; each pair logged 4 times, 16 IoCs in total):
2164 -> 3044  Avtronu.exe -> WScript.exe
3044 -> 2752  WScript.exe -> cmd.exe
2752 -> 2692  cmd.exe -> Crtdll.exe
2752 -> 2652  cmd.exe -> reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\atlx\Avtronu.exe  (level 1, PID 2164)
  command line: "C:\Users\Admin\AppData\Local\Temp\atlx\Avtronu.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe  (level 2, PID 3044)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\PortcrtNet\qxDH4No15f3EsjB09ngd.vbe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (level 3, PID 2752)
      command line: cmd /c ""C:\Users\Admin\AppData\Roaming\PortcrtNet\0zsSFhiVuyt57TfUIw.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe  (level 4, PID 2692)
        command line: "C:\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\reg.exe  (level 4, PID 2652)
        command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
-
C:\Windows\explorer.exe  (level 1, PID 2592)
  command line: "C:\Windows\explorer.exe"
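The chain above (Avtronu.exe -> WScript.exe running a .vbe from %APPDATA%\Roaming -> cmd.exe running a .bat -> dropped Crtdll.exe plus reg.exe setting DisableTaskMgr) is what a detection engineer would want to catch on an endpoint. The following Python is an added example, not part of the sandbox report and not the sample's own code: it models the reported PIDs, images and command lines as constructed Sysmon-style process-creation events (PID 1000 is an assumed placeholder for the unlogged parent) and runs three behavioural rules over them. Images are matched on basename rather than full path, because the report shows WScript.exe launched as C:\Windows\System32\WScript.exe but logged under C:\Windows\SysWOW64 due to WOW64 file system redirection from the 32-bit parent.

```python
"""Behavioural detection for the DCRat dropper chain in this report, run over
constructed process-creation events (Sysmon Event ID 1 style fields).

Rules:
  1. reg.exe setting HKCU\\...\\Policies\\System\\DisableTaskMgr to 1
  2. cmd.exe started by a script host (wscript/cscript) that is executing a
     .vbe/.vbs from %APPDATA%\\Roaming, with cmd.exe running a .bat
  3. an executable under %APPDATA%\\Roaming started by cmd.exe whose own
     ancestry contains such a script host
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as logged (may be WOW64-redirected)
    cmdline: str    # command line as logged


# Constructed sample events, modelled on the Processes section of the report.
# PID 1000 is an assumed placeholder for the parent that was not logged.
SAMPLE_EVENTS = [
    ProcEvent(2164, 1000, r"C:\Users\Admin\AppData\Local\Temp\atlx\Avtronu.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\atlx\Avtronu.exe"'),
    ProcEvent(3044, 2164, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\PortcrtNet\qxDH4No15f3EsjB09ngd.vbe"'),
    ProcEvent(2752, 3044, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Roaming\PortcrtNet\0zsSFhiVuyt57TfUIw.bat" "'),
    ProcEvent(2692, 2752, r"C:\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe",
              r'"C:\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe"'),
    ProcEvent(2652, 2752, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    # benign noise that must not fire: a cmd.exe with no script-host ancestry
    ProcEvent(4100, 1000, r"C:\Windows\System32\cmd.exe", r"cmd /c dir"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ROAMING = "\\appdata\\roaming\\"          # lower-cased path fragment to look for
DISABLE_TASKMGR_RE = re.compile(r"policies\\system.*\bdisabletaskmgr\b.*/d\s+0*1\b", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name, so System32 and SysWOW64 copies compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(ev: ProcEvent, by_pid: dict, limit: int = 16) -> list:
    """Parent, grandparent, ... (nearest first), stopping at unknown PIDs."""
    chain, cur = [], ev
    while cur.ppid in by_pid and len(chain) < limit:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def _is_roaming_script_host(ev: ProcEvent) -> bool:
    """wscript/cscript executing a .vbe or .vbs located under AppData\\Roaming."""
    cmd = ev.cmdline.lower()
    return (_basename(ev.image) in SCRIPT_HOSTS
            and ROAMING in cmd
            and re.search(r"\.vb[es]\b", cmd) is not None)


def detect(events) -> list:
    """Return sorted (rule_name, pid) pairs for every event that matches a rule."""
    # Assumes PIDs are unique within the window; real telemetry needs a
    # (pid, creation time) key to survive PID reuse.
    by_pid = {e.pid: e for e in events}
    hits = set()
    for ev in events:
        name = _basename(ev.image)
        anc = _ancestors(ev, by_pid)
        parent = anc[0] if anc else None

        if name == "reg.exe" and DISABLE_TASKMGR_RE.search(ev.cmdline):
            hits.add(("disable_taskmgr_via_reg", ev.pid))

        if (name == "cmd.exe" and parent is not None
                and _is_roaming_script_host(parent)
                and re.search(r"\.bat\b", ev.cmdline, re.I)):
            hits.add(("script_host_runs_bat", ev.pid))

        if (name.endswith(".exe") and ROAMING in ev.image.lower()
                and parent is not None and _basename(parent.image) == "cmd.exe"
                and any(_is_roaming_script_host(a) for a in anc[1:])):
            hits.add(("script_host_cmd_dropped_exe", ev.pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Run against the constructed events this flags PIDs 2652, 2752 and 2692 and stays silent on the noise cmd.exe; the same rules port directly to a Sigma or EDR query by keeping the parent-image and command-line conditions and dropping the in-memory ancestry walk.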
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\PortcrtNet\0zsSFhiVuyt57TfUIw.bat
  Filesize: 145B
  MD5: 3e5d70a529a6b9f3b21d4bb37da2f3a8
  SHA1: 8f5a085af2469fec75a8cc6477cb9dbbeb499362
  SHA256: 7ffb1337193c9f62799624f1662714eff09af1713febf3f4fdd573c4ed1f8098
  SHA512: 6b100689cf9114cb071a791c488a84446f89eceea9faaf1e0a14fa7692310ca89c5662a30e3b80535217e21c6edd282a4ea4f4a2e8a19689c3968830ff669671
-
C:\Users\Admin\AppData\Roaming\PortcrtNet\qxDH4No15f3EsjB09ngd.vbe
  Filesize: 212B
  MD5: 92dd38b0aa7eb75f379921f0ce168d84
  SHA1: 244553e896f3cf11b2afd05875b7b568ea670c1e
  SHA256: 9c88e1d45269af8c0e1dc3ed3c6314a74c539071534627413100b86e6b46780e
  SHA512: 5451dc7cf1d2ee45624aed72c62669b539c41e17c21a34205c8ef9bf629d38753fa2e1299e8b4c76da2bf4a47430b358a2a69e7aa04faa5a369883c5bdbb9b72
-
\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe
  Filesize: 3.1MB
  MD5: 84bd967d8484329937559675eae06444
  SHA1: 0d631cdd75d15000278dcf2edcd5befd20d114f2
  SHA256: 22c28d34d8b911554af1f1c0b8801f4212012f732ce306be489ebc439e490607
  SHA512: 6a3746ed177ae55162d3706fb105c3da8712d34253524d62135fb7dc2dd8f29599190d31cb0ca0b1221ddeeb21ca6cf8b5d4ee9b5e34a6d26d0ccb2629ea962d
-
memory/2692-13-0x0000000000DA0000-0x00000000010BE000-memory.dmp
  Filesize: 3.1MB
-
memory/2692-14-0x00000000003D0000-0x00000000003DE000-memory.dmp
  Filesize: 56KB