Analysis
-
max time kernel
61s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-11-2024 23:59
General
-
Target
Exlipse (infected).zip
-
Size
100.9MB
-
MD5
5286f8c034c1db39ae9467d8e6350d42
-
SHA1
15ced3f188a84b8d3f7f4b6f48935463f872b071
-
SHA256
a8f259ca65b6f98a38509bd2ec4a3085a7456b56e48aa94a41a6a614e288cb31
-
SHA512
0e895b23ea0a50b05b9a473313ad4edef12666574e30a8394ddd3d86eebb77c5b702a15be52a87578697378a43562b97cb0ff694414c54fff15be6df707f8e25
-
SSDEEP
3145728:leY0gVWyNixl7m5Omfs9fdn0MFRSGrlOWNMoadPo:lesKxla0rn0MFRSGU0MM
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Exlipse (infected).zip"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Exlipse\Exlipse.exe"C:\Users\Admin\Desktop\Exlipse\Exlipse.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortcontainerComponentintocommon\rAgSrthFK1bzVyr8MsWARh3gGBDcIa1FaYE910QgYcUkARMOVZtGfo.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\PortcontainerComponentintocommon\c3fnfQP4Z5ZFwNWCty7LvXrxtk2RjqwJSKAzDHs0qzSm82qhZ.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\PortcontainerComponentintocommon\webfontSessioncrt.exe"C:\PortcontainerComponentintocommon/webfontSessioncrt.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VfIFb5S6sU.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\PortcontainerComponentintocommon\webfontSessioncrt.exe"C:\PortcontainerComponentintocommon\webfontSessioncrt.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD51456ea39f35248bc73ef1b711f866ace
SHA1023d50296ae27a26a212f29138251acc21c2abaa
SHA2564bae91c377b093301aa32c084b11ab904e550b4407c765731f3897f50b5df229
SHA51286052d32a288813df6b28323a0690cf729baab866a6f673559a8da71b8a37bcf0d4236f6db334ebd3be3c9c3ce8869370ed24382ece6f60c0680aeebc2761a6a
-
Filesize
260B
MD5b3423f6b3027d31d08a1a9281ffef925
SHA17d7cae3c1a4e84c5de122d371832e664bcb0b2ed
SHA25695e336907ea4a8de5a847b0ca0724b19ece45861c5360f4abd4ed41349c2d670
SHA512cd14d1497bf9caa07a42d9aaa3b50b44f4a82ed8dd9d0ccc0dd2994ca17a1fd03106a92a3d2592fdcbfe60b42a58f3d8e29f0d95a256cccfbf3cb2a1a2b08c08
-
Filesize
3.6MB
MD5bfd6f6b35b3969f50156db5084899522
SHA1d8009b49763454812e85cf883e10d7ebb70a2fa3
SHA256ff3202d13b0df24b189b9409bbb0bad1ee8111837a508cc5aa5b471a43d62ed5
SHA5126e585bb51e057b9e204c638913648ad7e2377861dccf20906fa24b5f56ba117645136a09ca7add4d817adc7f1d730a39d797d672bea05d7c38c79574914f3afd
-
Filesize
1KB
MD598d93f7a2239452aef29ed995c71b759
SHA1d1fc6bff08e49cb16a1e5d0b0348232282cf5677
SHA256399712789c6f2c7bd1b7afdf835eb2ac525632424daf08e751186195ebdbba52
SHA5121073e74c9f065aa02be1bfb172308c555c0ad0c5ff35315d76de23d2c6daf1d3fe0b32042a428431847d09b679f14cb129c058af3277e9ed16787d37ae276d96
-
Filesize
185B
MD528181cefdaa72bddb8a9f9bebf5c418c
SHA1068f3467a95678b0388970a52b0da2e481e60a42
SHA256a1dba79a98bd774792b6ce84946e7c8b95e53c592d808ddf7e022e37400b96df
SHA51207bfad048e5c461bd0d762f83bd0a7df484c7df8ac26f60372ec457bc016a205daee3d9f7bbd8c8d234f8084bc335976b02668e31037f620e9f1bf8ebc60dc82
-
Filesize
3.9MB
MD58d32b3c4e1084ea32613767567e71b95
SHA1b34d4c137e57dfe6fd6c91a50da7fa05c47e092a
SHA256464c3256c2c36203ca578115bc1876f0cb735bb3de156a3205f23a7f0d3cb34e
SHA51251f609e9eff025ec0cf56220708aa65627a26f2df620a2f29c3b91dadc5d013e13d1553a9cd61a87b9d3d8734fb3358a36a5cd14c1c58474c5306895a559bb2c
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
5.2MB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
312KB
-
Filesize
152KB
-
Filesize
3.6MB