Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-07-2024 16:28

General

  • Target

    AntiHacks.exe

  • Size

    3.2MB

  • MD5

    51f3f8f434490126a3de0a6e798b7bc7

  • SHA1

    6cb3884386c2a9c59f26cf233346c63b99f29609

  • SHA256

    0f90a3fb2e4ac65e616b0fa6be1ebb35702004daca90715e5a49c90966e32b7f

  • SHA512

    961bc68028ac11d10ceef123b2eacee3f30b78846b0edd127e8c55375cc2ef3e6db4113b40f1aa59310a7e6e7980a826307e6b08279de616d32667e5ab448bd2

  • SSDEEP

    98304:Gb48Bs73qkzcQ9TRxouOJDBjcQI258AXn:GLs51oJ5ZcQIPAXn

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • DCRat payload 3 IoCs

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drives.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AntiHacks.exe
    "C:\Users\Admin\AppData\Local\Temp\AntiHacks.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Users\Admin\AppData\Local\Temp\shellbag.exe
      "C:\Users\Admin\AppData\Local\Temp\shellbag.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:792
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\hZpCHdrrkYqoUKjGmjoCABdT0Mwga.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\kRWKyWxgyfXKFYDJbe5lkOMuBgOX.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:692
          • C:\SurrogatewinDrivernetsvc\portproviderperf.exe
            "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2804
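
The process tree above is the part of this report a detection engineer can act on: a user-profile EXE drops a second EXE, which hands off to WScript.exe running a .vbe from a directory created directly under C:\, which runs a .bat through cmd.exe, which in turn launches a dropped EXE and a reg.exe call that sets DisableTaskMgr. The following Python is an added example, not code from the sandbox report, from the sandbox vendor, or from DCRat. It replays that tree as constructed Sysmon Event ID 1-style process-creation events (the pid/ppid/image/cmdline layout and the parent PID of the initial sample are assumptions; images, command lines and PIDs are the ones the report shows) and flags the three behaviours worth alerting on: the DisableTaskMgr write, a script host whose cmd.exe child launches an executable from outside Windows/Program Files, and any executable running from a non-standard directory. Rule names are mine.

```python
"""Process-tree detection for the DCRat dropper chain in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executed image, as logged
    cmdline: str    # command line, as logged


# Constructed events mirroring the report's process tree. The parent PID 0 of
# AntiHacks.exe is an assumption: the report does not show its parent.
EVENTS = [
    ProcEvent(4540, 0, r"C:\Users\Admin\AppData\Local\Temp\AntiHacks.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AntiHacks.exe"'),
    ProcEvent(792, 4540, r"C:\Users\Admin\AppData\Local\Temp\shellbag.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\shellbag.exe"'),
    ProcEvent(2764, 4540, r"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"'),
    ProcEvent(3496, 2764, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\hZpCHdrrkYqoUKjGmjoCABdT0Mwga.vbe"'),
    ProcEvent(692, 3496, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\kRWKyWxgyfXKFYDJbe5lkOMuBgOX.bat" "'),
    ProcEvent(2368, 692, r"C:\SurrogatewinDrivernetsvc\portproviderperf.exe",
              r'"C:\SurrogatewinDrivernetsvc\portproviderperf.exe"'),
    ProcEvent(2804, 692, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
]

# Rule 1: reg.exe writing DisableTaskMgr=1 under the Policies\System key.
DISABLE_TASKMGR_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\bDisableTaskMgr\b.*/d\s+1\b",
    re.IGNORECASE,
)
# Rule 2: script host given a script file, then cmd.exe, then an untrusted EXE.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE_RE = re.compile(r"\.(?:vbe|vbs|js|jse|wsf)\b", re.IGNORECASE)
# Locations where executables normally live on a Windows 10 host.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_PREFIX = "c:\\users\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_trusted_location(image: str) -> bool:
    return image.lower().startswith(TRUSTED_PREFIXES)


def outside_standard_dirs(image: str) -> bool:
    # e.g. C:\SurrogatewinDrivernetsvc\portproviderperf.exe: neither an OS
    # directory nor a user profile.
    return not image.lower().startswith(TRUSTED_PREFIXES + (USER_PREFIX,))


def process_chain(pid: int, events) -> list[str]:
    """Image basenames from the root ancestor down to pid, for triage output."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect(events) -> list[tuple[int, str]]:
    """Return (pid, rule_name) findings over a batch of process-creation events."""
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        name = basename(e.image)
        if name == "reg.exe" and DISABLE_TASKMGR_RE.search(e.cmdline):
            findings.append((e.pid, "disable_taskmgr"))
        if name in SCRIPT_HOSTS and SCRIPT_FILE_RE.search(e.cmdline):
            for shell in children.get(e.pid, []):
                if basename(shell.image) != "cmd.exe":
                    continue
                for spawned in children.get(shell.pid, []):
                    if not is_trusted_location(spawned.image):
                        findings.append((spawned.pid, "script_host_cmd_launches_untrusted_exe"))
        if outside_standard_dirs(e.image):
            findings.append((e.pid, "exe_from_nonstandard_directory"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{rule:40s} pid={pid:<5d} chain={' -> '.join(process_chain(pid, EVENTS))}")
```

Run against the constructed events this yields three findings: portproviderperf.exe (PID 2368) under both the script-host chain rule and the non-standard directory rule, and reg.exe (PID 2804) under the DisableTaskMgr rule, each printed with its full ancestry back to AntiHacks.exe. Note that the image path is logged as SysWOW64 while the command line says System32: the sample is 32-bit, so file-system redirection rewrites the path, and a rule that keys on the literal System32 path would miss it; matching on the basename, as here, does not.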

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SurrogatewinDrivernetsvc\hZpCHdrrkYqoUKjGmjoCABdT0Mwga.vbe

    Filesize

    229B

    MD5

    70c4f7a48cc54536765cbe30c9e47c6e

    SHA1

    f63921139417cff273730cd18dc9176e667945b4

    SHA256

    ed2cfa0c8ae5bc530785c560182072e1b15e4fcae1c436bacf4d4e57f2b0bdae

    SHA512

    e011926a03a6d8b53a67047304af3f15a5f15fe1f2815c9d4072a78fe726516c56815b3c292848472176d4a45c5acb91134b19c8e2e9bd714ce912649f19985a

  • C:\SurrogatewinDrivernetsvc\kRWKyWxgyfXKFYDJbe5lkOMuBgOX.bat

    Filesize

    162B

    MD5

    e01ef91219b266b14d1ae415d30256d5

    SHA1

    cad006a2efee48fcad1166e7ce3bc118ff139808

    SHA256

    db58b3dde8508ecbe59d938545246355b52d9cdec29f76657b66638c4d7aeeb2

    SHA512

    7826ca4bda02431bff87c7c72bd1ea53bc769b8574302a37445318360326e5a89e309c35dbc8f9981ec35c5067b4a459195b78d0289f5d93f6ec54be4c3f1e7b

  • C:\SurrogatewinDrivernetsvc\portproviderperf.exe

    Filesize

    2.7MB

    MD5

    af8f3f95d9d2ef99d8df68cfead7aa05

    SHA1

    5096ae4648920f3378b83aae70990b0b4029e0b7

    SHA256

    3dc2710353e09dc4d910204932a19fe38787bf0a04d5de421816f0bdc6946d3c

    SHA512

    c4ef1523b373f9c7c8a30a9c7eb32c79928dbdb8744ef4c75d2ecb1dd27ee626f1a25ca30e82084928507f8abab0f9f02e127bb06c0ec195be9c74299cdb70c7

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

    Filesize

    3.0MB

    MD5

    394e0a2c7324c2f5cf8e53858c767f15

    SHA1

    c3bcd6fb8519d59b997389acd25350e92b6d31b3

    SHA256

    b8debcd7180cabc4285659089162f4a776c11e11545aeaa4505dc93c38c24c2a

    SHA512

    64c1daaf37ae3f43fbc92fad10969106cce6acdecfb6319e089b7b3b9596efe7924d2bd3e30eb250ac3e36a01604522eb902e059985b9af50572395f79bfb212

  • C:\Users\Admin\AppData\Local\Temp\shellbag.exe

    Filesize

    1.6MB

    MD5

    463058236a0d84f8f8982d946eed0e07

    SHA1

    800ab71ed3b3bf4fb67fc9e1628e59d0aab8b124

    SHA256

    c93a0f4c6b5f24ee31cddb92b0ea3337021b5fb91faae8a381d3bd2c9b6add54

    SHA512

    18bd9aea8489c5e873a679da92c83d2739de9532f5751bd23aea9eda226b9a95909f8fd525b0ce47859492997002aee32ecf37bb79e07f24b512287b8fd58a53

  • memory/792-24-0x0000000000409000-0x000000000040A000-memory.dmp

    Filesize

    4KB

  • memory/792-22-0x0000000002430000-0x0000000002431000-memory.dmp

    Filesize

    4KB

  • memory/792-26-0x0000000000400000-0x0000000000572000-memory.dmp

    Filesize

    1.4MB

  • memory/792-25-0x0000000000400000-0x0000000000572000-memory.dmp

    Filesize

    1.4MB

  • memory/792-43-0x0000000000400000-0x0000000000572000-memory.dmp

    Filesize

    1.4MB

  • memory/792-45-0x0000000002430000-0x0000000002431000-memory.dmp

    Filesize

    4KB

  • memory/2368-40-0x00000000002C0000-0x0000000000576000-memory.dmp

    Filesize

    2.7MB

  • memory/2368-41-0x000000001B0E0000-0x000000001B0EE000-memory.dmp

    Filesize

    56KB

  • memory/4540-0-0x00007FFF97A03000-0x00007FFF97A05000-memory.dmp

    Filesize

    8KB

  • memory/4540-23-0x00007FFF97A00000-0x00007FFF984C1000-memory.dmp

    Filesize

    10.8MB

  • memory/4540-4-0x00007FFF97A00000-0x00007FFF984C1000-memory.dmp

    Filesize

    10.8MB

  • memory/4540-1-0x0000000000BB0000-0x0000000000EE0000-memory.dmp

    Filesize

    3.2MB