Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-07-2024 01:28

General

  • Target

    45eac1c5ac04d5ba311c04776b5bebc0N.exe

  • Size

    1.6MB

  • MD5

    45eac1c5ac04d5ba311c04776b5bebc0

  • SHA1

    15a8e23f04af0b5e38a2fe086cd7c7e18c390304

  • SHA256

    674890622d7bb92cedd72f8761121f9b8eccfe4a45f2967babb7d06538342d88

  • SHA512

    f2d4b84515a305daea3700f4548af478c9218ff87842cf2a4bc2e6505bb26286bb754695a0290d516854d44ab47f29c0ed20e2a74e5faf60ecc59373ea8f123a

  • SSDEEP

    24576:U2G/nvxW3Ww0tSjbEshCbueLblBg5IbMemSGsUb8fR9BONbpW0N1Hax:UbA30SjYsaB1Xx/RZ9BONt6x

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3428
        • C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe
          "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:740
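
The process tree above is the detection opportunity: a binary in the user's Temp folder starts WScript.exe on a .vbe, the script starts cmd.exe on a .bat, and the batch file launches a second EXE dropped into the same staging folder (browserrefCrtsvc). The script below is an added example, not part of the sandbox report: it walks a set of constructed process-creation events (PIDs and command lines taken from the tree, parent PIDs inferred from its nesting) and flags that four-stage chain whenever the script, batch file and EXE share one folder under AppData\...\Temp. The event shape and the `find_staged_chains` / `extract_paths` names are this example's own assumptions; map them onto whatever telemetry (Sysmon event 1, EDR process events) you actually have.

```python
"""Hunt for the staged execution chain seen in the process tree above.

Added example, not part of the sandbox report. It runs over constructed
process-creation events modelled on the report's PIDs and command lines and
flags the pattern

    dropper.exe -> WScript.exe <*.vbe> -> cmd.exe /c <*.bat> -> dropped EXE

when the script, batch file and EXE all sit in the same folder under the
user's AppData\...\Temp.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path of the executed image
    cmdline: str    # full command line


@dataclass(frozen=True)
class StagedChain:
    pids: Tuple[int, int, int, int]   # dropper, script host, cmd.exe, dropped EXE
    staging_dir: PureWindowsPath


# Constructed sample events. Parent PIDs are inferred from the nesting of the
# report's tree; a real feed (Sysmon EID 1, EDR) carries them explicitly.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(3028, 1,
              r"C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"'),
    ProcEvent(60, 3028, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" '
              r'"C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe"'),
    ProcEvent(3428, 60, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c '
              r'""C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat" "'),
    ProcEvent(740, 3428,
              r"C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe"'),
    # Benign noise: an operator running a build script by hand.
    ProcEvent(900, 1, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Tools\build.bat"'),
]

# Absolute Windows paths ending in a script or executable extension. Tolerant of
# the doubled quotes that cmd.exe /c produces (""C:\...\x.bat" ").
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|?*\r\n]+?\.(?:bat|cmd|vbe|vbs|js|exe)\b',
                       re.IGNORECASE)
_SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def extract_paths(cmdline: str, *exts: str) -> List[PureWindowsPath]:
    """All absolute paths in cmdline whose (lower-cased) extension is in exts."""
    return [PureWindowsPath(m) for m in _WIN_PATH.findall(cmdline)
            if PureWindowsPath(m).suffix.lower() in exts]


def _is_user_temp(p: PureWindowsPath) -> bool:
    parts = [x.lower() for x in p.parts]
    return "appdata" in parts and "temp" in parts


def _image_name(e: ProcEvent) -> str:
    return PureWindowsPath(e.image).name.lower()


def find_staged_chains(events: List[ProcEvent]) -> List[StagedChain]:
    """Walk each EXE launched from Temp back up through cmd.exe and a script host."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    found: List[StagedChain] = []
    for exe in events:
        exe_path = PureWindowsPath(exe.image)
        # Stage 4: an EXE running out of a folder under the user's Temp.
        if exe_path.suffix.lower() != ".exe" or not _is_user_temp(exe_path):
            continue
        staging = exe_path.parent
        # Stage 3: parent is cmd.exe running a batch file from that same folder.
        cmd = by_pid.get(exe.ppid)
        if cmd is None or _image_name(cmd) != "cmd.exe":
            continue
        if not any(b.parent == staging for b in extract_paths(cmd.cmdline, ".bat", ".cmd")):
            continue
        # Stage 2: grandparent is a script host running a script from that folder.
        host = by_pid.get(cmd.ppid)
        if host is None or _image_name(host) not in _SCRIPT_HOSTS:
            continue
        if not any(s.parent == staging for s in extract_paths(host.cmdline, ".vbe", ".vbs", ".js")):
            continue
        # Stage 1: whatever started the script host is the dropper.
        dropper = by_pid.get(host.ppid)
        if dropper is None:
            continue
        found.append(StagedChain((dropper.pid, host.pid, cmd.pid, exe.pid), staging))
    return found


if __name__ == "__main__":
    for c in find_staged_chains(SAMPLE_EVENTS):
        print("staged chain", " -> ".join(map(str, c.pids)), "in", c.staging_dir)
```

The check keys on the shared staging folder rather than on the file names, because names like browserrefCrtsvc, MhPwnfHbKz5.vbe and ChainSaves.exe are per-build and will not recur; the WScript → cmd → Temp-EXE shape, with all three artefacts in one freshly created folder, is what survives re-packing. Removing any one stage from the events (for example the WScript.exe event) makes the chain disappear, which is the behaviour you want from a chain rule as opposed to a single-event rule.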

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe

    Filesize

    1.3MB

    MD5

    f8385279d93481e8ede6ec2312460ce4

    SHA1

    2c0b4e141fe7495653b427426dc246876fa27af9

    SHA256

    1bdd11bfd1776b34adb78baebcd5a894fbe1f2bd1c8e0dbd2123eaf443ea7bdc

    SHA512

    bc3ce19a5ee1a906427f15e7de22495c76a25dca04e17fc48db7629d2be51b5fb16c024c064bcf58d2a924b0df4d6a9b0d28846c06b9239acfea83fc6eb11705

  • C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe

    Filesize

    210B

    MD5

    0e20d4e8786aa76909466fc802d1ec9b

    SHA1

    fd4e43eb82dd2228b1c220ccf21a2d6b735d67b6

    SHA256

    af286e412106b4fed822ea0cbb52e7dcdf06238329e5625dce175588998fc0fb

    SHA512

    ee73e7c1cc08c32704901e9db362d81464976f37c63a6a3e72f620a7d6bd745e21a229aa04766e1b595b4406bb7da9ce0e5867472f380c3c75c612b119b914ce

  • C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat

    Filesize

    40B

    MD5

    841307750510e536ecc5f7bcc2dc04c5

    SHA1

    23f78f1f5e21f8a9222245587ff1a0e7f49c1905

    SHA256

    3b76b5aa6ef4298fcaea871bb9b88ed5f5ecd0cda2ada2b3090a80093f1cbec3

    SHA512

    7fed4e9330a13730941c396ebdda4190c92cda5709c4c525f9528490ba1d76a5fa34898effa7b160ecb8d954a168e2a31ced2f534510621eea4b65386968af6b

  • memory/740-12-0x00007FFB2CBD3000-0x00007FFB2CBD5000-memory.dmp

    Filesize

    8KB

  • memory/740-13-0x0000000000380000-0x00000000004D0000-memory.dmp

    Filesize

    1.3MB

  • memory/740-14-0x00000000026F0000-0x00000000026FE000-memory.dmp

    Filesize

    56KB