Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 07:38

General

  • Target

    adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe

  • Size

    1.9MB

  • MD5

    f93786885d2a064e5bfaa873d5adce3a

  • SHA1

    2f5607b932aca74701dd9aa0a581d7e6971df23f

  • SHA256

    adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca

  • SHA512

    61d28dc832fd3ec100841323e1cdb3da166c0673bfbb20ab2ccff25d0e90b407b05fe8f59eb0ce93c0fdf130aa2b12e0cc7ce2158b4b2a22f51d7701550782c9

  • SSDEEP

    49152:HN54VMGOhLmPkO4koPyVu5eAEfgPwNqsrui:v0vEf8u5eAmFZ

Malware Config

Signatures

  • DcRat 16 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
    "C:\Users\Admin\AppData\Local\Temp\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe"
    1⤵
    • DcRat
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkdtXEKxnY.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:3056
        • C:\Users\Admin\AppData\Local\Temp\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
          "C:\Users\Admin\AppData\Local\Temp\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iai6fTbo2h.bat"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3396
            • C:\Windows\SysWOW64\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:5012
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:4544
              • C:\ProgramData\Application Data\RuntimeBroker.exe
                "C:\ProgramData\Application Data\RuntimeBroker.exe"
                5⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3128
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\mfc110deu\sihost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\runas\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Templates\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\es-ES\Licenses\Volume\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1612
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007091358_000_dotnet_runtime_8.0.2_win_x64.msi\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\DeviceDisplayStatusManager\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1780

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Windows\Templates\Idle.exe

        Filesize

        1.9MB

        MD5

        f93786885d2a064e5bfaa873d5adce3a

        SHA1

        2f5607b932aca74701dd9aa0a581d7e6971df23f

        SHA256

        adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca

        SHA512

        61d28dc832fd3ec100841323e1cdb3da166c0673bfbb20ab2ccff25d0e90b407b05fe8f59eb0ce93c0fdf130aa2b12e0cc7ce2158b4b2a22f51d7701550782c9

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe.log

        Filesize

        1KB

        MD5

        f5e93a467b0f78f860ff2ba798c5fd2c

        SHA1

        462b6677af76647b0c08fe91d019cb29d364f616

        SHA256

        fa2d2b185ce7cfa214b0c9a8b26c9d30ac325c924434f957c2f3e0bb74a749cf

        SHA512

        b50b1a0aeff65a77574897654ace4a3b518e5f9192c74e516c84ff6796e52ad811c23caa1ac7d52449601a1004c9cc3a734c3a10a94d67750eb771ca0a7f2e25

      • C:\Users\Admin\AppData\Local\Temp\Iai6fTbo2h.bat

        Filesize

        213B

        MD5

        6b8dd83abd170ff7a71ba11538c0d175

        SHA1

        42ff5f597050f1e50f9aca6702572529c315726c

        SHA256

        b94e3fb331e9331648eb68b5f17480e6266dc975aa37a1d02fa9f8460e2663f0

        SHA512

        b05091b6a6e9dd4d9912f52f54cb9b9ab02fa43585881c355c683f6f53bc433b246c8e77f7a707b00b76d391f7f47e90ebfce31e62f76b4f70418c3ac07e1298

      • C:\Users\Admin\AppData\Local\Temp\XkdtXEKxnY.bat

        Filesize

        266B

        MD5

        3491b7b0108b8b19156ea3a5fec05d54

        SHA1

        737e44393d66f5a13ad24808c91afbdfd41fae9f

        SHA256

        97500084920302b17f04dd0dafd53c771f4feb5239b17a3848c70475ea4a968d

        SHA512

        4b8886b371460bfd3dfb9748f5395b1c2b17f318595767acfbeb7178e97a66c1a4980dc4b3131e1c910b183f9822daf843c2287d0335b370fd1799105d6f9fbe

      • memory/2324-61-0x0000000000120000-0x000000000061A000-memory.dmp

        Filesize

        5.0MB

      • memory/2324-58-0x0000000005760000-0x0000000005768000-memory.dmp

        Filesize

        32KB

      • memory/2324-57-0x0000000005790000-0x000000000579A000-memory.dmp

        Filesize

        40KB

      • memory/2324-56-0x0000000005680000-0x000000000568E000-memory.dmp

        Filesize

        56KB

      • memory/2324-55-0x0000000005620000-0x000000000562C000-memory.dmp

        Filesize

        48KB

      • memory/2324-54-0x0000000000120000-0x000000000061A000-memory.dmp

        Filesize

        5.0MB

      • memory/2324-53-0x0000000000120000-0x000000000061A000-memory.dmp

        Filesize

        5.0MB

      • memory/2324-52-0x0000000000120000-0x000000000061A000-memory.dmp

        Filesize

        5.0MB

      • memory/3636-22-0x0000000000C30000-0x000000000112A000-memory.dmp

        Filesize

        5.0MB

      • memory/3636-47-0x0000000000C30000-0x000000000112A000-memory.dmp

        Filesize

        5.0MB

      • memory/3636-23-0x0000000000C30000-0x000000000112A000-memory.dmp

        Filesize

        5.0MB

      • memory/3636-20-0x0000000000C30000-0x000000000112A000-memory.dmp

        Filesize

        5.0MB

      • memory/4088-0-0x0000000000C30000-0x000000000112A000-memory.dmp

        Filesize

        5.0MB

      • memory/4088-19-0x0000000000C30000-0x000000000112A000-memory.dmp

        Filesize

        5.0MB

      • memory/4088-7-0x0000000005CA0000-0x0000000005D06000-memory.dmp

        Filesize

        408KB

      • memory/4088-4-0x0000000005B40000-0x0000000005BDC000-memory.dmp

        Filesize

        624KB

      • memory/4088-3-0x00000000061E0000-0x0000000006784000-memory.dmp

        Filesize

        5.6MB

      • memory/4088-2-0x0000000000C30000-0x000000000112A000-memory.dmp

        Filesize

        5.0MB

      • memory/4088-1-0x0000000000C30000-0x000000000112A000-memory.dmp

        Filesize

        5.0MB