Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 27-10-2024 11:12
Behavioral task behavioral1: Sample ioqjwd.exe, Resource win7-20240708-en
Behavioral task behavioral2: Sample ioqjwd.exe, Resource win10v2004-20241007-en
General
Target: ioqjwd.exe
Size: 1.8MB
MD5: 67d57fb4c4b81fe4c7acab9aeae02956
SHA1: da16779ad85db8289b6ec67f6c5a5e9aa1dd418a
SHA256: a3640a10bd29bfb75eb0ee385cb7233ae19c34e0eebae32da2ae168529c2d9fc
SHA512: b0bb6569e918de32963d58e87ca8f4effdefa72645a4cb64fe621866dfb4ccbc95a89155c1c304f52557530f419bb20daa1e6d1195670e15d538a69865006678
SSDEEP: 49152:ubA3j3+MhlRGll+heg+Hx9IWZTw40/SyD:ubwR5eZ9Igw40qw
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource | yara_rule
behavioral1/files/0x0007000000019345-12.dat | dcrat
behavioral1/memory/1408-13-0x0000000001370000-0x00000000014FA000-memory.dmp | dcrat

Executes dropped EXE (1 IoCs)
pid | Process
1408 | MsHyperPort.exe

Loads dropped DLL (2 IoCs)
pid | Process
2132 | cmd.exe
2132 | cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ioqjwd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1408 | MsHyperPort.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1724 wrote to memory of 2172 | 1724 | ioqjwd.exe | 30
PID 1724 wrote to memory of 2172 | 1724 | ioqjwd.exe | 30
PID 1724 wrote to memory of 2172 | 1724 | ioqjwd.exe | 30
PID 1724 wrote to memory of 2172 | 1724 | ioqjwd.exe | 30
PID 2172 wrote to memory of 2132 | 2172 | WScript.exe | 31
PID 2172 wrote to memory of 2132 | 2172 | WScript.exe | 31
PID 2172 wrote to memory of 2132 | 2172 | WScript.exe | 31
PID 2172 wrote to memory of 2132 | 2172 | WScript.exe | 31
PID 2132 wrote to memory of 1408 | 2132 | cmd.exe | 33
PID 2132 wrote to memory of 1408 | 2132 | cmd.exe | 33
PID 2132 wrote to memory of 1408 | 2132 | cmd.exe | 33
PID 2132 wrote to memory of 1408 | 2132 | cmd.exe | 33
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\ioqjwd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ioqjwd.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1724

    Level 2: C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\agentComponentFontNet\P9abK9svJKxMlccRQgtUz9QFmwEp.vbe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2172

        Level 3: C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\agentComponentFontNet\vVXjGKobGoN.bat" "
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2132

            Level 4: C:\agentComponentFontNet\MsHyperPort.exe
                Command line: "C:\agentComponentFontNet\MsHyperPort.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                PID: 1408
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.5MB
MD5: 1e2a1dca947c48a39d7c8fb0ca11d243
SHA1: 77f89d59f01e476eb4243a2fb2b947dc1d7e3343
SHA256: a45ca5a10e19033bf290c94e7ef718d72b1ee1769b196aa0019625e55f95c68d
SHA512: 52fcbc03a3d1bb5cb92d050cace14f3a7dfe0a741e5af0b1c1a63706e90e3962ba6082a57d5e2e94f14433c693cf0a157c4f7f5425dd02fb028c11c210e1d55b

Filesize: 209B
MD5: 4b8b3a8fd20e592022cea9ef533a9fe0
SHA1: 140428922aa364ee3c9c2afbad20ba80ed988c82
SHA256: 084873620a127341a58d0e90fe42ccf353708b1e4d08d01c7b89a2883edb049b
SHA512: 8b71bdafb5be808b33458b152c35ff53add3d95c2e40446d262404f15954a9a209da8e1729b46998926268cc0e46e4c76a49f9c995402cde4f6e00c9db255ee2

Filesize: 42B
MD5: 5a9179103d9e89ebfa2bdd7b5fb715d2
SHA1: 77403d72b6fddab80628ff70553ad635cf9c8b57
SHA256: 8664578b5e83e09c41088d98c245c02669153f29e0356352b10a00a3b4e14249
SHA512: 92a2b944c949493cc5f2c5d5eecc8e1151ff19c34f74441ef2bf309bbe529b03319492913372c0564747e08f6e97a9907a7dba3e83f19c3f7cff7574467962c0