Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-12-2024 14:53
General
-
Target
DCRatBuild.exe
-
Size
2.2MB
-
MD5
42bebbc9ea503be1c3c78ac680e660bd
-
SHA1
ba7e6e6bdd1ff3fdbd66a6c25a180eaca08cb774
-
SHA256
d3a100c67a0ab27b0628df13e53b36999059981ffec20422b61a2801fc1f020a
-
SHA512
acf711b01b8fa27e487d6009644a7640197b44ff5efe6161670b4109b03c629c466c9411e56a51280b100494fd228123738320199cfe9763737dd98fadd13a4c
-
SSDEEP
49152:IBJo0KE3fGUa/34OEOnhHLe7kSb+e39EP9Xee:yC0KIGUaPh5ySP9Xee
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\HyperreviewWincommon\0APkIItdJuTMwiSED3qMQuncpJddgwxYvhrJ.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\HyperreviewWincommon\G389UpYDqsyTn8FeSKOfwJ022GejG1.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\HyperreviewWincommon\portreviewCommon.exe"C:\HyperreviewWincommon/portreviewCommon.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4Jy7rL30l.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\HyperreviewWincommon\portreviewCommon.exe"C:\HyperreviewWincommon\portreviewCommon.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229B
MD57c1d3d422cc4568c9a4325d2409a748b
SHA1a8079bf0f981b9f9936a2547a8807bdb27f9c9fe
SHA2561cc02cd69855ad9f85fbf3c7b47d33687c0565ba65b845653bb449693a179b8e
SHA51282adf7ecb692bc6a5a58eac8b0233a637b819c7623eebb1654336304b3f90cf28ab667b70e9d21b54663a521e2cd5fc4dd2d93234df40fe19bd3356d4be8d553
-
Filesize
109B
MD5e7cad9e2e20d4e5ecf20c2001a0efa17
SHA1b334bb6e63edfaf0641a13c4af036ee3da98306d
SHA256cb179ab0ce771d571669600c2007065f4ee6921467294c02a213a9177efc4c44
SHA51283329d1641230cb2fd2f056dc721b226869ab9c4ac305efb5dd3ff2e462b9be1a85d855593478405e7da36d141b312f4ebd35e2f741e2eb4e6bbb9e07932e88d
-
Filesize
1.9MB
MD5e28077697ca723b6f179b20f3827d0b8
SHA19d4aa3c95498559b9f56eacdf75312e9c1202c9f
SHA256f266a8f40e42999a2c3d502b27af5d2872e672258e36d97da643730667794d55
SHA512b085d8c27c11f89213b4b9b337705c2d2020e2885f3d466bcc666fb3ebd24e8d34c9bd323c398178423eecea3a9f7de2cc030b0b79989a8660d7b2a0e5b3ee44
-
Filesize
1KB
MD5b9d0eb17ffb07da0a237d58c5f1c3933
SHA1f2250d0f7deecb8d3e3a4a6bb5635aaeaa4d51d5
SHA256e3601554efac51beb23c75dd8de6ed30cb3ddfcb1de508070dd7984f06d5ca05
SHA51281b1d0aa1a269497943e79eabfc26b1165c2768a3b40f62e5e90f7d69fa4b7baa907e39ab18d8230222cd8e1248590918502b510ed94a89cb766d2d1cd25283a
-
Filesize
220B
MD50d1aa10fb904bef5ff80b1165dd15b58
SHA1e1eeb17b023c25a14f16c3a5591e3e889bd9d65d
SHA2567b5c3ec3ea1f0442121a0f0c9bbfc741f7b1cea23c59ecca1904f55211c94737
SHA512ec2c2cdc024744496df6dccf10c94551b27dfe2551e4832f9e98af23504d0cb53c30671091a02e124e73e6a7f2bf0eb5627533075a1a6b8206f2c7c9b6116458
-
Filesize
1.9MB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
676KB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
676KB
-
Filesize
360KB