Analysis
max time kernel: 15s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2024 01:28
Behavioral task: behavioral1
  Sample: 45eac1c5ac04d5ba311c04776b5bebc0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 45eac1c5ac04d5ba311c04776b5bebc0N.exe
  Resource: win10v2004-20240709-en
General
Target: 45eac1c5ac04d5ba311c04776b5bebc0N.exe
Size: 1.6MB
MD5: 45eac1c5ac04d5ba311c04776b5bebc0
SHA1: 15a8e23f04af0b5e38a2fe086cd7c7e18c390304
SHA256: 674890622d7bb92cedd72f8761121f9b8eccfe4a45f2967babb7d06538342d88
SHA512: f2d4b84515a305daea3700f4548af478c9218ff87842cf2a4bc2e6505bb26286bb754695a0290d516854d44ab47f29c0ed20e2a74e5faf60ecc59373ea8f123a
SSDEEP: 24576:U2G/nvxW3Ww0tSjbEshCbueLblBg5IbMemSGsUb8fR9BONbpW0N1Hax:UbA30SjYsaB1Xx/RZ9BONt6x
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
  Processes:
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe            dcrat
  behavioral1/memory/920-13-0x00000000013D0000-0x0000000001520000-memory.dmp  dcrat
Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  920   ChainSaves.exe
Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  2108  cmd.exe
  2108  cmd.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   920   ChainSaves.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        pid   process                                 target process
  PID 3044 wrote to memory of 2096   3044  45eac1c5ac04d5ba311c04776b5bebc0N.exe   WScript.exe
  PID 3044 wrote to memory of 2096   3044  45eac1c5ac04d5ba311c04776b5bebc0N.exe   WScript.exe
  PID 3044 wrote to memory of 2096   3044  45eac1c5ac04d5ba311c04776b5bebc0N.exe   WScript.exe
  PID 3044 wrote to memory of 2096   3044  45eac1c5ac04d5ba311c04776b5bebc0N.exe   WScript.exe
  PID 2096 wrote to memory of 2108   2096  WScript.exe                             cmd.exe
  PID 2096 wrote to memory of 2108   2096  WScript.exe                             cmd.exe
  PID 2096 wrote to memory of 2108   2096  WScript.exe                             cmd.exe
  PID 2096 wrote to memory of 2108   2096  WScript.exe                             cmd.exe
  PID 2108 wrote to memory of 920    2108  cmd.exe                                 ChainSaves.exe
  PID 2108 wrote to memory of 920    2108  cmd.exe                                 ChainSaves.exe
  PID 2108 wrote to memory of 920    2108  cmd.exe                                 ChainSaves.exe
  PID 2108 wrote to memory of 920    2108  cmd.exe                                 ChainSaves.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"
   PID: 3044
   Signatures: Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\WScript.exe
     Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe"
     PID: 2096
     Signatures: Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe
       Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat" "
       PID: 2108
       Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe"
         PID: 920
         Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1.3MB
  MD5: f8385279d93481e8ede6ec2312460ce4
  SHA1: 2c0b4e141fe7495653b427426dc246876fa27af9
  SHA256: 1bdd11bfd1776b34adb78baebcd5a894fbe1f2bd1c8e0dbd2123eaf443ea7bdc
  SHA512: bc3ce19a5ee1a906427f15e7de22495c76a25dca04e17fc48db7629d2be51b5fb16c024c064bcf58d2a924b0df4d6a9b0d28846c06b9239acfea83fc6eb11705
File 2
  Filesize: 210B
  MD5: 0e20d4e8786aa76909466fc802d1ec9b
  SHA1: fd4e43eb82dd2228b1c220ccf21a2d6b735d67b6
  SHA256: af286e412106b4fed822ea0cbb52e7dcdf06238329e5625dce175588998fc0fb
  SHA512: ee73e7c1cc08c32704901e9db362d81464976f37c63a6a3e72f620a7d6bd745e21a229aa04766e1b595b4406bb7da9ce0e5867472f380c3c75c612b119b914ce
File 3
  Filesize: 40B
  MD5: 841307750510e536ecc5f7bcc2dc04c5
  SHA1: 23f78f1f5e21f8a9222245587ff1a0e7f49c1905
  SHA256: 3b76b5aa6ef4298fcaea871bb9b88ed5f5ecd0cda2ada2b3090a80093f1cbec3
  SHA512: 7fed4e9330a13730941c396ebdda4190c92cda5709c4c525f9528490ba1d76a5fa34898effa7b160ecb8d954a168e2a31ced2f534510621eea4b65386968af6b