Analysis

  • max time kernel
    41s
  • max time network
    43s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    13-11-2024 13:28

General

  • Target

    Crack Cheat.exe

  • Size

    3.3MB

  • MD5

    188bfbff71841426601213f21a79857f

  • SHA1

    aae3deda1b9b4ff703b7fa311ee10117b3a7b546

  • SHA256

    7007ad2f99a1da6616401648bcd0bdb00161c20d5dc2c27390214b028d9ddf84

  • SHA512

    f3495dfb14068d659824506a3278810a1dde60523218add2e530768e65473c2573263ce28c3560c5723158054051223c94ded5c00cf6389711ed02a47bb753b3

  • SSDEEP

    49152:ubA3jB65wSIehCuRt1MJh9JsZCG6eRCbKjHUMGb7JzA6LI0HM6HqyYu/K:ubr/jk9JlGr4Kj0MOm6kgkui

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Crack Cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\Crack Cheat.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hostperfmonitornetCommon\sVfMeP.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\hostperfmonitornetCommon\EoILAIW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\hostperfmonitornetCommon\browserHost.exe
          "C:\hostperfmonitornetCommon\browserHost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4768
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1432
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hostperfmonitornetCommon\file.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:232

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\hostperfmonitornetCommon\EoILAIW.bat

    Filesize

    157B

    MD5

    d436eca1a75d336316136483b7fd4cc8

    SHA1

    efca2f7efac382bb438b66cad807cb01f65afbfe

    SHA256

    20d4b15f59b1d9a528d1f7987ecee9763843f4492a27c79aaf8039ee703eecc2

    SHA512

    cb5039e9ea28a3f4009160b582997c976f91d021941d7b32f61ef750d5f301d230611e6a7adddaeced01e54cae65d906938ae20d670f3e20c07fbf5f8f9c8475

  • C:\hostperfmonitornetCommon\browserHost.exe

    Filesize

    3.0MB

    MD5

    bdabb232abcfd496e2db81b4d28f0da2

    SHA1

    64173661bb3c959858583da283628bb3352e5f03

    SHA256

    8750b610638b8de125dadfb8f45512a41c44f9a960cfab3e06d5cf56fbbb1972

    SHA512

    d68bc6e52ebbb7feae060612a4b07b53910105e122ec21deb7f8375de67e93f6a9ecded6bc1783611b7e576b1ba4b320bb78a21e06b6947e1b693a2142fcb0f1

  • C:\hostperfmonitornetCommon\file.vbs

    Filesize

    34B

    MD5

    677cc4360477c72cb0ce00406a949c61

    SHA1

    b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

    SHA256

    f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

    SHA512

    7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

  • C:\hostperfmonitornetCommon\sVfMeP.vbe

    Filesize

    205B

    MD5

    be0e14acc0f8b2e43e11fd0801e489a3

    SHA1

    afdb9e4157050fa1dac114ffde701667f987d5db

    SHA256

    8c6d6f195cf1488151028a9a63ebc0890ddff4c363567a26b7e8fcc76f8e7553

    SHA512

    0d00fc006602e1386a8a3888f841f9fd78d96906002d16c9f85dc1920efffd53f537b8e13893466793b13f6d05f8f9966716e185392326831d1977e13307a3fe

  • memory/4768-23-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/4768-24-0x0000000002A30000-0x0000000002A3E000-memory.dmp

    Filesize

    56KB

  • memory/4768-25-0x0000000002A40000-0x0000000002A4E000-memory.dmp

    Filesize

    56KB