Overview
overview
10Static
static
10-pril-main...th.exe
windows10-2004-x64
10-pril-main...aw.exe
windows10-2004-x64
10-pril-main...wd.exe
windows10-2004-x64
7-pril-main...gh.exe
windows10-2004-x64
10-pril-main...se.exe
windows10-2004-x64
10-pril-main...ed.exe
windows10-2004-x64
10Installer/CapCut.exe
windows10-2004-x64
10start-main...on.exe
windows10-2004-x64
8start-main/Sushi.exe
windows10-2004-x64
10start-main...wd.exe
windows10-2004-x64
1start-main...sd.exe
windows10-2004-x64
10start-main...fd.exe
windows10-2004-x64
10start-main...we.exe
windows10-2004-x64
5start-main...wd.exe
windows10-2004-x64
10start-main...pu.exe
windows10-2004-x64
10start-main...th.exe
windows10-2004-x64
5start-main...ed.exe
windows10-2004-x64
10start-main...fk.exe
windows10-2004-x64
5start-main...ha.exe
windows10-2004-x64
10start-main...ha.exe
windows10-2004-x64
10start-main...ea.exe
windows10-2004-x64
10start-main...as.exe
windows10-2004-x64
7start-main...dw.exe
windows10-2004-x64
8start-main...ha.exe
windows10-2004-x64
1start-main...wt.exe
windows10-2004-x64
10start-main...wd.exe
windows10-2004-x64
10start-main...gh.exe
windows10-2004-x64
3start-main/pdf.exe
windows10-2004-x64
10start-main...dh.exe
windows10-2004-x64
10start-main...as.exe
windows10-2004-x64
7start-main...tj.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2024 08:01
Static task
static1
Behavioral task
behavioral1
Sample
-pril-main/dwthjadth.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
-pril-main/feuiyjjdaw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
-pril-main/kldrgawdtjawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
-pril-main/pothjadwtrgh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
-pril-main/ptjjsekfthse.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
-pril-main/thadkythjawed.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Installer/CapCut.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
start-main/Session.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
start-main/Sushi.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
start-main/fgthawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
start-main/gawdrgasd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
start-main/hbfgjhhesfd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
start-main/hdawuithjawe.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
start-main/hnfsefawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
start-main/jerniuiopu.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
start-main/jthusjefth.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
start-main/jythjadthawed.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
start-main/khseofk.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
start-main/khtoawdltrha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
start-main/ksfawtyha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
start-main/ktyhpldea.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
start-main/lhoefskghas.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
start-main/ltpohpadw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
start-main/mhbiwejrtgha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
start-main/njrtdhadawt.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
start-main/odrsfgawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
start-main/opthjdkawrtgh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
start-main/pdf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
start-main/pthjadh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
start-main/ptihjawdthas.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
start-main/yjadyjasfdtj.exe
Resource
win10v2004-20241007-en
General
-
Target
start-main/jythjadthawed.exe
-
Size
855KB
-
MD5
fda06a638ce0756950f40dff83a675e8
-
SHA1
7d121e94b2c4885f8838a2a18ffaa4a25afd96d0
-
SHA256
6b986293d3057fb2ffb8759b53182756595f68aa95c584d73b9e1e9e3997826d
-
SHA512
26d033f6d3e490a1773622072674001c1c962214a19b38d9a0a63383cde9fbfadf6658359895f19c9a68890d5c8a21a047beb578134d35ecd18f733dd002d1e0
-
SSDEEP
12288:OWTns93nQb1f13TH3XmaZ4JJMA+zpW3Ari4VVyZC0+1cp9rcDNpTWDTQGFZ6:OWTnbb1f1bmaZKJMA+z3iE0nTr/6
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
jythjadthawed.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\sysmon.exe\"" jythjadthawed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\sysmon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\jythjadthawed.exe\"" jythjadthawed.exe -
DCRat payload 2 IoCs
Processes:
resource yara_rule behavioral17/memory/2068-1-0x0000000000B10000-0x0000000000BEC000-memory.dmp family_dcrat_v2 behavioral17/files/0x0032000000023b5c-50.dat family_dcrat_v2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
jythjadthawed.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation jythjadthawed.exe -
Executes dropped EXE 1 IoCs
Processes:
sysmon.exepid Process 3204 sysmon.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
jythjadthawed.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\AppData\\Local\\sysmon.exe\"" jythjadthawed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\AppData\\Local\\sysmon.exe\"" jythjadthawed.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jythjadthawed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\jythjadthawed.exe\"" jythjadthawed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jythjadthawed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\jythjadthawed.exe\"" jythjadthawed.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 ipinfo.io 11 ipinfo.io 51 ipinfo.io 52 ipinfo.io -
Drops file in System32 directory 2 IoCs
Processes:
csc.exedescription ioc Process File created \??\c:\Windows\System32\CSC30909912ADFE4CAFB1354AED8BDFFB5.TMP csc.exe File created \??\c:\Windows\System32\-63gkj.exe csc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 1 IoCs
Processes:
jythjadthawed.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings jythjadthawed.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
jythjadthawed.exepid Process 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe 2068 jythjadthawed.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
sysmon.exepid Process 3204 sysmon.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
jythjadthawed.exesysmon.exedescription pid Process Token: SeDebugPrivilege 2068 jythjadthawed.exe Token: SeDebugPrivilege 3204 sysmon.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
jythjadthawed.execsc.execmd.exedescription pid Process procid_target PID 2068 wrote to memory of 2164 2068 jythjadthawed.exe 87 PID 2068 wrote to memory of 2164 2068 jythjadthawed.exe 87 PID 2164 wrote to memory of 1176 2164 csc.exe 89 PID 2164 wrote to memory of 1176 2164 csc.exe 89 PID 2068 wrote to memory of 1868 2068 jythjadthawed.exe 90 PID 2068 wrote to memory of 1868 2068 jythjadthawed.exe 90 PID 1868 wrote to memory of 2872 1868 cmd.exe 92 PID 1868 wrote to memory of 2872 1868 cmd.exe 92 PID 1868 wrote to memory of 4024 1868 cmd.exe 93 PID 1868 wrote to memory of 4024 1868 cmd.exe 93 PID 1868 wrote to memory of 3204 1868 cmd.exe 104 PID 1868 wrote to memory of 3204 1868 cmd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\start-main\jythjadthawed.exe"C:\Users\Admin\AppData\Local\Temp\start-main\jythjadthawed.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fm53achw\fm53achw.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D5B.tmp" "c:\Windows\System32\CSC30909912ADFE4CAFB1354AED8BDFFB5.TMP"3⤵PID:1176
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qcUpJGnph9.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2872
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4024
-
-
C:\Users\Admin\AppData\Local\sysmon.exe"C:\Users\Admin\AppData\Local\sysmon.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3204
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD593e6dd54f7f6d9a146da0725625f74b9
SHA13d7994c19edfc626170bb48ab350977a783330ff
SHA25670ee32505cbf4b99526fadc4f8cfa9ea4e30967068e3ec221758e14b806820dc
SHA51214f40daa5fa4d3c0c87009211fe27e333d53249e4db2841800367f787f4580831d42613fa242877a361206499881d2369ae2bf305ffa5b7e09457aeedf9ec669
-
Filesize
167B
MD5c4ba811cf1be0ffff45638283c14f5ea
SHA1a13d6e8a02cab6b231353fe718305fdc110d1665
SHA256bd37c079cfe931e1f81027f5418758a79213c8b1555affeead19f6dab8f8a6b1
SHA512099770241f9398d91858ec4a83067f2d4fc8f6f44878acf689e6cb4c2a049077c5bd7f5e46a305d1756d3b6022c33c9d39ac15c1c867ba3d2e6bbf909785f503
-
Filesize
855KB
MD5fda06a638ce0756950f40dff83a675e8
SHA17d121e94b2c4885f8838a2a18ffaa4a25afd96d0
SHA2566b986293d3057fb2ffb8759b53182756595f68aa95c584d73b9e1e9e3997826d
SHA51226d033f6d3e490a1773622072674001c1c962214a19b38d9a0a63383cde9fbfadf6658359895f19c9a68890d5c8a21a047beb578134d35ecd18f733dd002d1e0
-
Filesize
371B
MD56a34fcf8510c0ee86cf4fe9fb98afd33
SHA1837dbd74166a38fc6b33c62f805ab4eac1ab3d3d
SHA256721d75079e542d2f761bf916749a88512f24c09d009d1fe2dbbee913942b3c21
SHA512d261b727c742d8474464575e95bb8e2bd1027158e254378fe790fe812be75a74842a724496fba4159e84ebcd2db9ca4a163a63380e391064839ce25128e7b9b4
-
Filesize
235B
MD50c4d5ffc2356d86758980f4b168e6417
SHA1bbe347bffb1c04f44e36d43891281b1ec2d70d03
SHA25676e13a272bae08832850ad44de194022d104cde0ce9ce13a836974d4a538f716
SHA512c628c4241ef1833c02993d5e8d23f2d80136280a5d1dfdc1b8020e38a857dd45a283bfb0cbfe8f63cb764c7ea65e2acd6c54f8fda9995e447013c4d884a40a1e
-
Filesize
1KB
MD582a7b8ef3bc275711e3b27c6df93c7ff
SHA1bdac909f26475c94c74145576bcf22adb0f8203c
SHA256582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124
SHA512f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248