Analysis
max time kernel: 136s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2024, 12:21
Behavioral tasks
behavioral1: sample loader.exe, resource win7-20240903-en
behavioral2: sample loader.exe, resource win10v2004-20241007-en
behavioral3: sample loader.exe, resource win11-20241007-en
General
Target: loader.exe
Size: 1.9MB
MD5: f462fd11ceda48487db07c5b70410dac
SHA1: 48010b409ab20a6a51e562d347b87abcb15dd9fe
SHA256: 4139522809118bba10441242323550ef8f00264e862a5403dab48c1c5c8ad654
SHA512: 7ba4a2fae1b0558b4a2d1a081a9f63cc0b4184a395fe58a31083bf1e6b4e597938d0ecda8d0e45d03e26a848c1ad30c75941ade6e49f4237bb70139127c72204
SSDEEP: 24576:h2G/nvxW3WCG0xfX0iy3dwFTQ40aI2GP1NE4utdShDpIBUx9PWRW/+YK8bnCAtF:hbA3rnxf0iyoTQi1a1wtStlx9sYX
Malware Config
Signatures

DcRat
DarkCrystal (DC) RAT is a .NET RAT active since June 2019 that can load additional plugins.

Dcrat family
resource | yara_rule
behavioral2/files/0x0007000000023c9b-10.dat | dcrat
behavioral2/memory/1952-13-0x00000000009A0000-0x0000000000B14000-memory.dmp | dcrat
Disables Task Manager via registry modification
Sets DisableTaskMgr to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (reg.exe, PID 4976, in the process tree below).
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | loader.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (1 IoC)
pid | Process
1952 | containercomponentSaves.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | loader.exe

Modifies registry key (1 TTP, 1 IoC)
pid | Process
4976 | reg.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1952 | containercomponentSaves.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2836 wrote to memory of 2420 | 2836 | loader.exe | 85
PID 2836 wrote to memory of 2420 | 2836 | loader.exe | 85
PID 2836 wrote to memory of 2420 | 2836 | loader.exe | 85
PID 2420 wrote to memory of 4752 | 2420 | WScript.exe | 94
PID 2420 wrote to memory of 4752 | 2420 | WScript.exe | 94
PID 2420 wrote to memory of 4752 | 2420 | WScript.exe | 94
PID 4752 wrote to memory of 1952 | 4752 | cmd.exe | 96
PID 4752 wrote to memory of 1952 | 4752 | cmd.exe | 96
PID 4752 wrote to memory of 4976 | 4752 | cmd.exe | 99
PID 4752 wrote to memory of 4976 | 4752 | cmd.exe | 99
PID 4752 wrote to memory of 4976 | 4752 | cmd.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\loader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  PID: 2836
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe"
    PID: 2420
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "
      PID: 4752
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\blockcomwinsavescrt\containercomponentSaves.exe
        command line: "C:\blockcomwinsavescrt\containercomponentSaves.exe"
        PID: 1952
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\reg.exe
        command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        PID: 4976
        - System Location Discovery: System Language Discovery
        - Modifies registry key
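The process tree is the detection-relevant part of this report: a dropper running from %TEMP% launches WScript.exe on a .vbe, the script runs a .bat through cmd.exe, and the batch file both starts the dropped payload from a non-standard root directory (C:\blockcomwinsavescrt) and calls reg.exe to set DisableTaskMgr. The Python below is an added example, not part of the sandbox report, showing how those parent/child relationships and command lines can be checked over process-creation events (Sysmon Event ID 1 style fields: PID, parent PID, image, command line). The event list is constructed from the PIDs, paths and command lines shown above; the root parent PID 1000 and the benign notepad.exe control process (PID 5000) are assumed values, and the rule names are hypothetical.

```python
"""Flag the loader -> WScript -> cmd -> dropped EXE / reg.exe chain over process-creation events."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executed image
    cmdline: str    # command line as logged


# Constructed events mirroring the report's process tree (same PIDs, paths and command lines).
# Parent PID 1000 and the notepad.exe control process are assumed, not from the report.
EVENTS = [
    ProcEvent(2836, 1000, r"C:\Users\Admin\AppData\Local\Temp\loader.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\loader.exe"'),
    ProcEvent(2420, 2836, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe"'),
    ProcEvent(4752, 2420, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "'),
    ProcEvent(1952, 4752, r"C:\blockcomwinsavescrt\containercomponentSaves.exe",
              r'"C:\blockcomwinsavescrt\containercomponentSaves.exe"'),
    ProcEvent(4976, 4752, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(5000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories where a legitimately installed EXE normally lives; anything else directly under C:\ is unusual.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\", "c:\\users\\")
TEMP_MARK = "\\appdata\\local\\temp\\"
# reg.exe setting the DisableTaskMgr policy value to 1 (matches "/d 1" as a separate token).
DISABLE_TASKMGR = re.compile(r"policies\\system.*\bdisabletaskmgr\b.*\s/d\s+1(?:\s|$)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events):
    return {e.pid: e for e in events}


def chain(pid: int, index):
    """Ancestry of pid, child first, up to the first parent not present in the event set."""
    out, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        out.append(index[pid])
        pid = index[pid].ppid
    return out


def evaluate(events):
    """Return (pid, rule) findings for the behaviours seen in the report."""
    index = build_index(events)
    findings = []
    for e in events:
        name = basename(e.image)
        parent = index.get(e.ppid)
        # Rule 1: script host spawned by an EXE running out of %TEMP%, given a script file argument.
        if (name in SCRIPT_HOSTS and parent and TEMP_MARK in parent.image.lower()
                and re.search(r"\.(vbe|vbs|js|jse|wsf)\b", e.cmdline, re.I)):
            findings.append((e.pid, "script_host_from_temp_dropper"))
        # Rule 2: cmd.exe running a .bat as a child of a script host.
        if (name == "cmd.exe" and parent and basename(parent.image) in SCRIPT_HOSTS
                and re.search(r"\.bat\b", e.cmdline, re.I)):
            findings.append((e.pid, "batch_under_script_host"))
        # Rule 3: reg.exe disabling Task Manager through the Policies\System key.
        if name == "reg.exe" and DISABLE_TASKMGR.search(e.cmdline):
            findings.append((e.pid, "disable_taskmgr_policy"))
        # Rule 4: EXE executing from a top-level directory that is not a standard install location.
        low = e.image.lower()
        if low.endswith(".exe") and low.startswith("c:\\") and not low.startswith(STANDARD_ROOTS):
            findings.append((e.pid, "exe_from_nonstandard_root"))
    return findings


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"{rule:32} pid={pid}")
    # Reconstruct the full ancestry of the dropped payload for triage.
    print(" <- ".join(basename(e.image) for e in chain(1952, build_index(EVENTS))))
```

Rules 1 and 2 fire on the relationships rather than on the file names, so the randomised directory and script names in this sample (blockcomwinsavescrt, DKYQpYxB0fjo0It.vbe) do not matter; rule 4 catches the payload location without knowing it in advance, and rule 3 keys on the policy path and value, which is what disables Task Manager regardless of how reg.exe is invoked.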
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 223B
MD5: 2b8d55bd0911a0d0a9b459bb97eaeee2
SHA1: 636ae852b62d51447ac137871267120b8af73d37
SHA256: 200afbf994d31cd86c1808c0387ed77d9b7d0e7759387f58d8dc849a7d30498c
SHA512: 65bf05909eb291a66a8839ec52a386a82ff013a89a93bb0005ba29afe71c4b74a03c75fdfa3282d3a0edcc54598cefdf58538d2b070bdde44d31b61ea4b22c91

Filesize: 1.4MB
MD5: 59e330f176ae037dcc65efc5f7d7859a
SHA1: f0fbb795992bbebf15cedec2f473718891ec2334
SHA256: 8cfa942fef671bc7a15c59e2b8a0b7aeb2139d3e2bd233b1a45de15513560d72
SHA512: f844da447afaba1620b4f883f2d14d00011428e762357479417ec8e8f60f3f0c901d06c6acb96ce061d53eedfe3a9f2edb8906a2cf449a00266fc62fe0381653

Filesize: 164B
MD5: 460c31975a0ea04ad5a7c3730a15e570
SHA1: e71df06911bb1d755fa6ec7df0b5b3c001a35554
SHA256: 8092fb842b95a8ab9198a257585d2b8fed740b49dc013d1eb472737dabe03680
SHA512: 3b78b82a126589ddc93a9e12777237814bed36bc135ff894b022571254f2fd3a9faaab0ccb30d752b11f42d537e81e92722c10fb88ed77a133aa8ffc75d4e9b1