Analysis
-
max time kernel
95s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-11-2024 06:11
Behavioral task
behavioral1
Sample
4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe
Resource
win10v2004-20241007-en
General
-
Target
4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe
-
Size
1.5MB
-
MD5
fb027065b10cd311473a1a7e5aa24005
-
SHA1
91fec287f958e62ce18fc1342b7f33ebd35cf0be
-
SHA256
4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec
-
SHA512
e21f788281896c9363df1e0e34c6dc11b06aa9bd9c0d5d40bae5427b4f134bffe3a9cc546e0577159d0ba6f37ecba68c49d5bfde37eaf1b1beac36abc8cdaada
-
SSDEEP
24576:U2G/nvxW3Ww0t2ciMa06q2YpE2yA/DFPxuBWBZCAO:UbA3021eyAbNMBWBch
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
resource yara_rule behavioral2/files/0x0007000000023cb8-10.dat dcrat behavioral2/memory/632-13-0x00000000001F0000-0x000000000032A000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 1 IoCs
pid Process 632 svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings 4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 632 svhost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3640 wrote to memory of 2488 3640 4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe 86 PID 3640 wrote to memory of 2488 3640 4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe 86 PID 3640 wrote to memory of 2488 3640 4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe 86 PID 2488 wrote to memory of 4452 2488 WScript.exe 92 PID 2488 wrote to memory of 4452 2488 WScript.exe 92 PID 2488 wrote to memory of 4452 2488 WScript.exe 92 PID 4452 wrote to memory of 632 4452 cmd.exe 94 PID 4452 wrote to memory of 632 4452 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe"C:\Users\Admin\AppData\Local\Temp\4151805091b50f779143ce5b0782bbcfcbd9e471c81f6ab644f4e45dd064e2ec.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\yandex\YS77TPyYPKM.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\yandex\q9B7I.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\yandex\svhost.exe"C:\yandex\svhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188B
MD5114771a66f069797e6bb4b5915cde7b1
SHA1a8cac5762a37fba89cf3f78e27abd3def8ede704
SHA2567b2f2f7bbd31dd6432160076f350c66d1057eda24db930c3d8003cc264054012
SHA512fa492f023c1a8241589e96a98e4bf2ef878970e0b8bd9351a22e1f5504d2cf32295bbee6e70a0866e63866c0599ba592dc3d5d6cde1ef07b95e823717cf36210
-
Filesize
22B
MD5153f0ac93fba91426eb6bdfcc169cd53
SHA1180794e0c53e11dae960dfe50b79fd71be867405
SHA2566f9e82303d6c4913c5663b9b40fa02d9f7adbd50ca36f4b552c70e5c955841e7
SHA5126763f247438ed76e7e4fbb8d08b9028f3d649d278cd16efa229791c299bd976e766bf912115d684d71291b5c1257f6878541bbb3d6c52e30229560166e999b48
-
Filesize
1.2MB
MD5754dceb944cf505a0957e70370a972ef
SHA1c16e4782f0f2f868deff74d4bc76b528162f1fcc
SHA2562a9851860e7d245eadc3004f986afc3cec8c7bf2fc967fdfbca1e0a96b864efa
SHA512ad1ace193fdc6ba8dba7c11dacc9afc5420efd7dc45a0994bec8d12952e806488b3156b8ec346e6f13b7f66e9b0890e65791eecb1ed574383ca73ed5ab2a4568