Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-11-2024 18:12
General
-
Target
cb9d8ee783ab69f0ddb033187681264686982a82d82a09794fea1b6de7fea3a0N.exe
-
Size
1.6MB
-
MD5
a9ccc8eefd0a09f70dc9e929fd7d3f20
-
SHA1
594a474233d4462cbaeabe4fca98e6869e9efff2
-
SHA256
cb9d8ee783ab69f0ddb033187681264686982a82d82a09794fea1b6de7fea3a0
-
SHA512
91781525d2c54f101d8ba898af7f4f95c3d412bc0fd3793675b2fac4c598219234b6d0acee3d4f27016a424884615c410be644b1e563db1d102b99a8f92b9f27
-
SSDEEP
24576:Wr3+VTI7YmAX6LGRwQHly8XIrDExXGLwiDZ1G/MdeZ75+mHxeipjsRn6Nil:WUS9ZDExWNtM/MdeZ77ej6c
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 15 IoCs
-
Runs ping.exe 1 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb9d8ee783ab69f0ddb033187681264686982a82d82a09794fea1b6de7fea3a0N.exe"C:\Users\Admin\AppData\Local\Temp\cb9d8ee783ab69f0ddb033187681264686982a82d82a09794fea1b6de7fea3a0N.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zn4IUa01sU.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MJezb5uUW4.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ZZGHVO0om.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XX22crJjk3.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L4pr7KvdK9.bat"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TAB96jcSpT.bat"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\72DWG1NhBc.bat"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bFWQ59IHKo.bat"16⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zq8KtNWkLV.bat"18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9VsmEYMPZS.bat"20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VdpP4GbADJ.bat"22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat"24⤵
-
C:\Windows\system32\chcp.comchcp 6500125⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BP5Pm95y6C.bat"26⤵
-
C:\Windows\system32\chcp.comchcp 6500127⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat"28⤵
-
C:\Windows\system32\chcp.comchcp 6500129⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost29⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BP5Pm95y6C.bat"30⤵
-
C:\Windows\system32\chcp.comchcp 6500131⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5a9ccc8eefd0a09f70dc9e929fd7d3f20
SHA1594a474233d4462cbaeabe4fca98e6869e9efff2
SHA256cb9d8ee783ab69f0ddb033187681264686982a82d82a09794fea1b6de7fea3a0
SHA51291781525d2c54f101d8ba898af7f4f95c3d412bc0fd3793675b2fac4c598219234b6d0acee3d4f27016a424884615c410be644b1e563db1d102b99a8f92b9f27
-
Filesize
1KB
MD511aa02596ceccef38b448c52a899f470
SHA16da94dc9579e969d39d5e65c066af3a5251e39b4
SHA256e778ec777a79a1a9c9a3b605ab9681558395d2f3ef46f6c34dca1e00dcd771fd
SHA5125de4fd51ae76cce8de25c5257ee873a71668acdf407bc3351410f9f840a9b074099d4c018657d2cc8f33273e6fd03e4365165e4834ba12c052d735212bf5d0d3
-
Filesize
159B
MD561c843738edf04534e6ab3fb4a13e9ca
SHA1cf9d84cf74db5b729ded210937a722d3e34da638
SHA256c23c436dd6a6cce54c158bffe769215824b745135cdd90d6a02c56308e022f63
SHA512725808a5129bf27e996bfe94f6f6af08f5d2bd658ada249d1e1ad7014a3e6c800006fa1659ed4f7f01248a412ec6874000cb80e0a62ab868383753e4c9d5f365
-
Filesize
159B
MD55488ddbc83e39d43ff0b59c6ccd05d23
SHA120d5a8a02dc157dae98fd3bcc8be4989667fbb44
SHA2565b85efefa2f11b8e084b57e6b5908d64e872139e60c1b9a98c2be2fb7e3ebcac
SHA5122864bfe1bae4bffc2c1a711f8fbc3b4b3baa11952d80ae6c9ef3bb6be53e7ad97cbdb055d5df04d5e1c259b1725a463c8eb5ed2433565b7670a4bca3762ce5a5
-
Filesize
159B
MD5a25d3225245f5511db2e12d379cd3e38
SHA15f528d32a4025d6e5ea7264c7b1447c2cde69ab1
SHA256ab120112ac50a9f6d854c41d678f745fc23966759b9a6b97fc0fe9d78c17e19d
SHA5127f0f848202d79c75cbb2ced4770a7091f0631202f654ec2b7cdf73f37b183d7f56a3b4faca7a7327722ff6a1e52f48d1e19e0a453694539a1352b0bc5eece7b8
-
Filesize
207B
MD5cc319feca8e4ce4491c66639be6a103f
SHA1f9388f80322b0c289eb04a55f2cb73edf818cdf5
SHA2568b9912d08db3e1e42be41253fdd358f82595393d9f4c4485c03079c8c1278347
SHA512cad934bab35369ca39ab3d6574aa42ede13e32aee893b4a13649ce2299259293a0d432c17f44544211e805517b6d23f991265d659218c369e9c9c7db547b8ebf
-
Filesize
207B
MD596005507ffcfc1d8e8d2500378e619a6
SHA15e4a89061fd93aa13511423356e846374dc9b44b
SHA256c7e718f678c89ab0ba96de5eae50a0c5b1282bf3b52f119d73a5da5d1c4abb3a
SHA51215b3b34f2c9ef87dd238b022636dde58f81cd779d1ec65f8ca37504bf320ddb158c093db98418f71ea37a1854678c7e379ed409ed1664fd10af2ae5565ef3462
-
Filesize
159B
MD5efcab39e995c88ef7fb33cdb08df644c
SHA1ee966ec8ef619c77a435dac8b9d45b152f161d96
SHA2569ef4c9a0781dfa99727d1508c62abea19d2fbff138581a7e9a3cb20c3e6599f5
SHA512fbb1730d479223d53110f924c9aeb34d2106954ca69ba3e323ab848a012a7e774d5ad8e69819fd691102f3bef7fe4c025dd04e508416ad63bbfa8d75cb13469e
-
Filesize
207B
MD590612bc0856f86f495274ed9ae3891df
SHA1b82162fce132c453cedb12ad0ad19014812ffabf
SHA256a9ee426b4b8198709d2bb324ddcf235695139de27e22572dfbf9eb3083763afa
SHA5128e78c4ef2424d1bbfc033e278671acc1ea58d3ea8793a6a7cc573a3960d8b6b2462b44380eae73c231d752da3a8c70230fcdf9389af16101877fa2785217323c
-
Filesize
159B
MD586bce5f8b687b70e8efbb5ee9a56b9bc
SHA14257b8250163a08591ecc0a3e0f227f221b8f374
SHA256a8087c2d1c78cd027d22cdf6289221645de9df563fbe356bb4eb94960d3d8ea0
SHA512996147148a625f2d2f201ce71062b423f2d67c10f40ab31cf923acf797c4e8933edc193b71ea6804e3c082f4f76c4172c8cbf230e4e9f06ff5839e723c7b4422
-
Filesize
207B
MD51c9b0d9e95639aeeb2542b80985b594b
SHA1de92cef39eb22f3af32291112f68b85848821587
SHA2567fb14e3cff1933d1922b251860785dd4610839760a52a2d7d29fad4730cc015b
SHA512671ae9ca8bee388badba7a005e1abf943e9031b833ed7488d287b73f7a953f12a2d20f1adfac399499e68df8a928fa894bc6c429b3c7f5446e94293c9a8cd3fd
-
Filesize
159B
MD54740e7b40068cb01a9570e08b71fc850
SHA12f50ab7c0a19b2d4dab07106f9e9b4ece0fd49c4
SHA256dd54c77f807d38cc496c4aa5146866852c6a6e0ea9b0612ba45c632d18fd7ad1
SHA5125901351b6ee12b818ff061d70c9b00a06d5fad47a9f502cbdabd4802ce75a712c4093c51d37f02aa221b11c04d655b6788c4e8f6a6bef7a7b6ec5f89a93b231e
-
Filesize
159B
MD5667cf2a40fcd74ebd1d7100c730c34be
SHA1ed054d785c2eb772ffaf2e4daa866c6cd5d74ab0
SHA256f2ab88bab2e13a003a09c66923daeea1200dfd8bc4345dd4f29b2e9d8ba04ef0
SHA5128179e7b37961757b45a260e0a9c79869a1a21c08b4ee6731487d49213cc8bf5804b0621adcef22f523f0eb44413e55220baea2298ebef773c7146d45266a216d
-
Filesize
159B
MD5078ede23f8c6dd4504925ec6d8f53c3f
SHA1b6c797893fe94a8843db30830c93c2f9c2750d70
SHA256236b226b3f11605219b038e400872611ff729f6ae4c6b26a5713ec6f73d24e90
SHA51268172bc17bba881f2794ca04c31c9fbaf503f6a1d14a29521fc82d43ff7b493347ae939faea8199f9ce00a1ec4d2b5003582db57c0f3f5b741da737387815e4c
-
Filesize
207B
MD56d53f56c15652ce46a2aa7213820478e
SHA1807d4b08f82d1dd8ebe1e8636324f397a23b556e
SHA256f2acf4831ae0afe23e6b98dcb1e9fb45302787635f8f080e2a655867d50c47dd
SHA5120862b4224c61ec903b2e35a51b66c5f23ab130a4bcfa9b79bf9a0bb7d963539b4166aa320bc35f6d52a188c79c695f053258b416ab0fa10b5d97e9aeb34633e5
-
Filesize
207B
MD5fcce54b0aded4b9f66f2088361570bdd
SHA1e8282adddaeb562d5dbf9e1300a020514adecf7a
SHA256ccf8fb795a442832ea027d7e8644e235c729c7151bec3ccc022f9aba7c7b6751
SHA5128707613cc8e4c831549c9807d61da243f4cfb2f733d6c2b414d52c6d77cb73dbd95a7041d0a15f6612fbbfa50bf5ad99472ff419f961a33d6d02bf07922b74df
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.6MB