Analysis
max time kernel: 41s
max time network: 43s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 13-11-2024 13:28
Behavioral tasks
behavioral1: Sample Crack Cheat.exe, Resource win10ltsc2021-20241023-en
behavioral2: Sample Crack Cheat.exe, Resource win11-20241023-en
General
Target: Crack Cheat.exe
Size: 3.3MB
MD5: 188bfbff71841426601213f21a79857f
SHA1: aae3deda1b9b4ff703b7fa311ee10117b3a7b546
SHA256: 7007ad2f99a1da6616401648bcd0bdb00161c20d5dc2c27390214b028d9ddf84
SHA512: f3495dfb14068d659824506a3278810a1dde60523218add2e530768e65473c2573263ce28c3560c5723158054051223c94ded5c00cf6389711ed02a47bb753b3
SSDEEP: 49152:ubA3jB65wSIehCuRt1MJh9JsZCG6eRCbKjHUMGb7JzA6LI0HM6HqyYu/K:ubr/jk9JlGr4Kj0MOm6kgkui
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
  resource | yara_rule
  behavioral1/files/0x0028000000045054-21.dat | dcrat
  behavioral1/memory/4768-23-0x0000000000400000-0x0000000000714000-memory.dmp | dcrat
- Disables Task Manager via registry modification
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | Crack Cheat.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4768 | browserHost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Crack Cheat.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | Crack Cheat.exe
- Modifies registry key (1 TTPs, 1 IoCs)
  pid | Process
  1432 | reg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4768 | browserHost.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 1080 wrote to memory of 3696 | 1080 | Crack Cheat.exe | 81
  PID 1080 wrote to memory of 3696 | 1080 | Crack Cheat.exe | 81
  PID 1080 wrote to memory of 3696 | 1080 | Crack Cheat.exe | 81
  PID 1080 wrote to memory of 232 | 1080 | Crack Cheat.exe | 82
  PID 1080 wrote to memory of 232 | 1080 | Crack Cheat.exe | 82
  PID 1080 wrote to memory of 232 | 1080 | Crack Cheat.exe | 82
  PID 3696 wrote to memory of 4896 | 3696 | WScript.exe | 83
  PID 3696 wrote to memory of 4896 | 3696 | WScript.exe | 83
  PID 3696 wrote to memory of 4896 | 3696 | WScript.exe | 83
  PID 4896 wrote to memory of 4768 | 4896 | cmd.exe | 85
  PID 4896 wrote to memory of 4768 | 4896 | cmd.exe | 85
  PID 4896 wrote to memory of 1432 | 4896 | cmd.exe | 88
  PID 4896 wrote to memory of 1432 | 4896 | cmd.exe | 88
  PID 4896 wrote to memory of 1432 | 4896 | cmd.exe | 88
Processes (child processes are indented beneath their parent)
C:\Users\Admin\AppData\Local\Temp\Crack Cheat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crack Cheat.exe"
  PID: 1080
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\hostperfmonitornetCommon\sVfMeP.vbe"
      PID: 3696
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\hostperfmonitornetCommon\EoILAIW.bat" "
          PID: 4896
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\hostperfmonitornetCommon\browserHost.exe
              Command line: "C:\hostperfmonitornetCommon\browserHost.exe"
              PID: 4768
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\reg.exe
              Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              PID: 1432
              - System Location Discovery: System Language Discovery
              - Modifies registry key
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\hostperfmonitornetCommon\file.vbs"
      PID: 232
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads