Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-07-2024 01:28
Behavioral task behavioral1
Sample: 45eac1c5ac04d5ba311c04776b5bebc0N.exe
Resource: win7-20240705-en
Behavioral task behavioral2
Sample: 45eac1c5ac04d5ba311c04776b5bebc0N.exe
Resource: win10v2004-20240709-en
General
Target: 45eac1c5ac04d5ba311c04776b5bebc0N.exe
Size: 1.6MB
MD5: 45eac1c5ac04d5ba311c04776b5bebc0
SHA1: 15a8e23f04af0b5e38a2fe086cd7c7e18c390304
SHA256: 674890622d7bb92cedd72f8761121f9b8eccfe4a45f2967babb7d06538342d88
SHA512: f2d4b84515a305daea3700f4548af478c9218ff87842cf2a4bc2e6505bb26286bb754695a0290d516854d44ab47f29c0ed20e2a74e5faf60ecc59373ea8f123a
SSDEEP: 24576:U2G/nvxW3Ww0tSjbEshCbueLblBg5IbMemSGsUb8fR9BONbpW0N1Hax:UbA30SjYsaB1Xx/RZ9BONt6x
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that is capable of loading additional plugins.
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe, yara_rule: dcrat
resource: behavioral2/memory/740-13-0x0000000000380000-0x00000000004D0000-memory.dmp, yara_rule: dcrat
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely as a geofence check so the sample can refuse to run in certain regions.
Processes:
description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation, process: 45eac1c5ac04d5ba311c04776b5bebc0N.exe
description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation, process: WScript.exe
Executes dropped EXE 1 IoCs
Processes:
pid: 740, process: ChainSaves.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
Processes:
description: Key created, ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings, process: 45eac1c5ac04d5ba311c04776b5bebc0N.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege, pid: 740, process: ChainSaves.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
PID 3028 wrote to memory of 60: 45eac1c5ac04d5ba311c04776b5bebc0N.exe -> WScript.exe
PID 3028 wrote to memory of 60: 45eac1c5ac04d5ba311c04776b5bebc0N.exe -> WScript.exe
PID 3028 wrote to memory of 60: 45eac1c5ac04d5ba311c04776b5bebc0N.exe -> WScript.exe
PID 60 wrote to memory of 3428: WScript.exe -> cmd.exe
PID 60 wrote to memory of 3428: WScript.exe -> cmd.exe
PID 60 wrote to memory of 3428: WScript.exe -> cmd.exe
PID 3428 wrote to memory of 740: cmd.exe -> ChainSaves.exe
PID 3428 wrote to memory of 740: cmd.exe -> ChainSaves.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe (PID 3028)
    command line: "C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe (PID 60)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3428)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe (PID 740)
          command line: "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
The command lines name System32 while the resolved image paths are under SysWOW64: the chain runs as 32-bit, and WoW64 file-system redirection maps System32 to SysWOW64 for 32-bit processes, which matches the arch:x86 resource tag above.
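The process tree above is the detection-worthy part of this report: an executable in a user-writable directory launches a script host on a .vbe, the script host launches cmd.exe on a .bat, and cmd.exe launches a second executable in the same Temp directory. The following is an added example, not part of the sandbox report or of any vendor tool, that rebuilds the tree from process-creation events and flags both the script-host launch and the full four-stage chain. The events are constructed from the PIDs and command lines in this report; the parent PID 1234, the notepad.exe control entry, and the lists of script hosts, shells and user-writable path markers are assumptions of the example.

```python
"""Flag a dropper chain (EXE -> script host -> shell -> dropped EXE) over
process-creation events. Added example; events are constructed from this report."""
import ntpath
import re

# Constructed events mirroring the report's process tree. The root's parent
# (1234) and the notepad.exe control entry are assumptions.
EVENTS = [
    {"pid": 3028, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"'},
    {"pid": 60, "ppid": 3028,
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe"'},
    {"pid": 3428, "ppid": 60,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat" "'},
    {"pid": 740, "ppid": 3428,
     "image": r"C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe"'},
    # Benign control: a normal child of the same (assumed) parent.
    {"pid": 900, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Assumed detection vocabulary; tune to the environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata", r"\users\public")
# A quoted or unquoted drive-letter path ending in a script extension.
SCRIPT_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.(?:vbe|vbs|js|jse|wsf|hta))"?', re.IGNORECASE)


def image_name(event):
    """Lower-cased basename of the process image (SysWOW64 vs System32 is irrelevant here)."""
    return ntpath.basename(event["image"]).lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def ancestry(by_pid, event, limit=8):
    """Return [event, parent, grandparent, ...]; `limit` guards against PPID cycles."""
    chain = [event]
    while len(chain) < limit and chain[-1]["ppid"] in by_pid:
        chain.append(by_pid[chain[-1]["ppid"]])
    return chain


def find_script_host_launches(events):
    """PIDs of script hosts whose command line names a script under a user-writable path."""
    hits = []
    for e in events:
        if image_name(e) not in SCRIPT_HOSTS:
            continue
        m = SCRIPT_PATH.search(e["cmdline"])
        if m and in_user_writable(m.group(1)):
            hits.append(e["pid"])
    return hits


def find_dropper_chains(events):
    """PID chains (root -> leaf) of the form:
    EXE in user-writable dir -> script host -> shell -> EXE in user-writable dir."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for leaf in events:
        if not in_user_writable(leaf["image"]):
            continue
        chain = ancestry(by_pid, leaf)
        if len(chain) < 4:
            continue
        names = [image_name(x) for x in chain]
        if names[1] in SHELLS and names[2] in SCRIPT_HOSTS and in_user_writable(chain[3]["image"]):
            hits.append([x["pid"] for x in reversed(chain[:4])])
    return hits


if __name__ == "__main__":
    print("script host launches:", find_script_host_launches(EVENTS))
    print("dropper chains (root -> leaf):", find_dropper_chains(EVENTS))
```

Matching on the chain rather than on any single process is what keeps the false-positive rate manageable: WScript.exe running a .vbe from Temp is suspicious on its own, but the same script host launching cmd.exe that in turn starts a fresh binary from the same Temp directory is the pattern this sample exhibits and is rare in legitimate software. The PPID walk is bounded so a malformed or cyclic parent relationship cannot loop forever.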
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: f8385279d93481e8ede6ec2312460ce4
SHA1: 2c0b4e141fe7495653b427426dc246876fa27af9
SHA256: 1bdd11bfd1776b34adb78baebcd5a894fbe1f2bd1c8e0dbd2123eaf443ea7bdc
SHA512: bc3ce19a5ee1a906427f15e7de22495c76a25dca04e17fc48db7629d2be51b5fb16c024c064bcf58d2a924b0df4d6a9b0d28846c06b9239acfea83fc6eb11705

Filesize: 210B
MD5: 0e20d4e8786aa76909466fc802d1ec9b
SHA1: fd4e43eb82dd2228b1c220ccf21a2d6b735d67b6
SHA256: af286e412106b4fed822ea0cbb52e7dcdf06238329e5625dce175588998fc0fb
SHA512: ee73e7c1cc08c32704901e9db362d81464976f37c63a6a3e72f620a7d6bd745e21a229aa04766e1b595b4406bb7da9ce0e5867472f380c3c75c612b119b914ce

Filesize: 40B
MD5: 841307750510e536ecc5f7bcc2dc04c5
SHA1: 23f78f1f5e21f8a9222245587ff1a0e7f49c1905
SHA256: 3b76b5aa6ef4298fcaea871bb9b88ed5f5ecd0cda2ada2b3090a80093f1cbec3
SHA512: 7fed4e9330a13730941c396ebdda4190c92cda5709c4c525f9528490ba1d76a5fa34898effa7b160ecb8d954a168e2a31ced2f534510621eea4b65386968af6b