Analysis

  • max time kernel
    45s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 21:46

General

  • Target

    atlx/Avtronu.exe

  • Size

    3.5MB

  • MD5

    a1210622f2a129c42bac9f532240b8a8

  • SHA1

    623c295b9d17598e0e808382c0ada1185ebca771

  • SHA256

    f4d9794ab16b4f21e84c8a1dfd1496d17cfa2c265235995d86f1613a24ff4f46

  • SHA512

    6a30b3fc944f22ab02c4ba0756e14f9733ec21ca8ec7fa3a6478087b0d5edd086fbc35a0b5ec0fac4c658ae9dc3202b785417926f50d43313b47d223e81f4866

  • SSDEEP

    49152:1bA37BhNKkGNXjkY1/eBIZXwOMUiWL91qGvN7K+59WIchmuAdM1TcH5La0r:1bqzCTuIZXwDxWLTvNEzhI2iLaQ

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\atlx\Avtronu.exe
    "C:\Users\Admin\AppData\Local\Temp\atlx\Avtronu.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\PortcrtNet\qxDH4No15f3EsjB09ngd.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\PortcrtNet\0zsSFhiVuyt57TfUIw.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe
          "C:\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2680
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:4992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\PortcrtNet\0zsSFhiVuyt57TfUIw.bat
    Filesize

    145B

    MD5

    3e5d70a529a6b9f3b21d4bb37da2f3a8

    SHA1

    8f5a085af2469fec75a8cc6477cb9dbbeb499362

    SHA256

    7ffb1337193c9f62799624f1662714eff09af1713febf3f4fdd573c4ed1f8098

    SHA512

    6b100689cf9114cb071a791c488a84446f89eceea9faaf1e0a14fa7692310ca89c5662a30e3b80535217e21c6edd282a4ea4f4a2e8a19689c3968830ff669671

  • C:\Users\Admin\AppData\Roaming\PortcrtNet\Crtdll.exe
    Filesize

    3.1MB

    MD5

    84bd967d8484329937559675eae06444

    SHA1

    0d631cdd75d15000278dcf2edcd5befd20d114f2

    SHA256

    22c28d34d8b911554af1f1c0b8801f4212012f732ce306be489ebc439e490607

    SHA512

    6a3746ed177ae55162d3706fb105c3da8712d34253524d62135fb7dc2dd8f29599190d31cb0ca0b1221ddeeb21ca6cf8b5d4ee9b5e34a6d26d0ccb2629ea962d

  • C:\Users\Admin\AppData\Roaming\PortcrtNet\qxDH4No15f3EsjB09ngd.vbe
    Filesize

    212B

    MD5

    92dd38b0aa7eb75f379921f0ce168d84

    SHA1

    244553e896f3cf11b2afd05875b7b568ea670c1e

    SHA256

    9c88e1d45269af8c0e1dc3ed3c6314a74c539071534627413100b86e6b46780e

    SHA512

    5451dc7cf1d2ee45624aed72c62669b539c41e17c21a34205c8ef9bf629d38753fa2e1299e8b4c76da2bf4a47430b358a2a69e7aa04faa5a369883c5bdbb9b72

  • memory/2680-12-0x00007FFE589B3000-0x00007FFE589B5000-memory.dmp
    Filesize

    8KB

  • memory/2680-13-0x00000000002D0000-0x00000000005EE000-memory.dmp
    Filesize

    3.1MB

  • memory/2680-14-0x000000001B0E0000-0x000000001B0EE000-memory.dmp
    Filesize

    56KB