Analysis
max time kernel: 135s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 08:19

Behavioral task: behavioral1
Sample: 766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe
Resource: win10v2004-20241007-en
General
Target: 766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe
Size: 987KB
MD5: 8f81ac89b9f6dbccf07a86af59faa6ba
SHA1: 0d97a27bacaae103f2f15637f623d3d13a568d91
SHA256: 766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a
SHA512: 452c04ec647dd84123ffb84f1ff37aef81057edf0c1a069113d0b1d89f2462c373301aa84355d0fafd8bb6c4b3d4b6bf580952f29189157edaea376711be16ea
SSDEEP: 24576:2TbBv5rUyXVUxJMVI3SyKnUh9E1bm67+f:IBJcJMrEh9mbc
Malware Config
Signatures
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

Dcrat family

DCRat payload (4 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000019234-9.dat | family_dcrat_v2
behavioral1/memory/2704-13-0x0000000000F20000-0x0000000000FCE000-memory.dmp | family_dcrat_v2
behavioral1/memory/2840-35-0x0000000001360000-0x000000000140E000-memory.dmp | family_dcrat_v2
behavioral1/memory/2988-68-0x0000000000340000-0x00000000003EE000-memory.dmp | family_dcrat_v2
The three memory matches are the dropped hyperBlockCrtCommon.exe (pid 2704) and two of the lsass.exe copies it chains into (pids 2840 and 2988); all three regions are the same 0xAE000 bytes long, consistent with one payload image being re-executed from a new path rather than a further stage being unpacked.
Executes dropped EXE (6 IoCs)
pid | Process
2704 | hyperBlockCrtCommon.exe
2840 | lsass.exe
1080 | lsass.exe
2336 | lsass.exe
928 | lsass.exe
2988 | lsass.exe

Loads dropped DLL (2 IoCs)
pid | Process
2564 | cmd.exe
2564 | cmd.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe | hyperBlockCrtCommon.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16 | hyperBlockCrtCommon.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dllhost.exe | hyperBlockCrtCommon.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\5940a34987c991 | hyperBlockCrtCommon.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\it-IT\lsass.exe | hyperBlockCrtCommon.exe
File created | C:\Windows\it-IT\6203df4a6bafc7 | hyperBlockCrtCommon.exe
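The three drop locations above share a pattern worth turning into a check: a legitimate Windows binary name (sppsvc.exe, dllhost.exe, lsass.exe) written somewhere other than its real home, with a bare 14-hex-character companion file beside it. The Python below is an added example written for this page, not code from the sandbox or from the report. Its DROP_EVENTS list is constructed from the entries above plus two benign control rows, and the EXPECTED_DIRS map of legitimate locations is an assumption you should extend for your own environment.

```python
"""Flag dropped files that borrow the name of a Windows system binary but land
outside that binary's real directory, plus the bare 14-hex-character companion
files dropped next to each copy.  Added example, not the sandbox's own logic.
DROP_EVENTS is constructed from the report's 'Drops file' entries plus two
benign control rows."""
import ntpath
import re
from typing import Optional

# Assumption for this example: where each name legitimately lives on a default
# install.  Extend the map for any other system binary names you want to watch.
EXPECTED_DIRS = {
    "lsass.exe":   {r"c:\windows\system32"},
    "sppsvc.exe":  {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# A file name that is nothing but 14 lowercase hex characters, e.g. 6203df4a6bafc7.
HEX_MARKER = re.compile(r"^[0-9a-f]{14}$")

DROP_EVENTS = [  # (creating process, created path); first six rows are from the report
    ("hyperBlockCrtCommon.exe", r"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"),
    ("hyperBlockCrtCommon.exe", r"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16"),
    ("hyperBlockCrtCommon.exe", r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dllhost.exe"),
    ("hyperBlockCrtCommon.exe", r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\5940a34987c991"),
    ("hyperBlockCrtCommon.exe", r"C:\Windows\it-IT\lsass.exe"),
    ("hyperBlockCrtCommon.exe", r"C:\Windows\it-IT\6203df4a6bafc7"),
    # constructed benign rows: the real lsass.exe location, and an ordinary data file
    ("TrustedInstaller.exe", r"C:\Windows\System32\lsass.exe"),
    ("setup.exe", r"C:\Program Files (x86)\Example\readme.txt"),
]


def classify_drop(path: str) -> Optional[str]:
    """Return 'masquerade', 'marker' or None for one created path."""
    directory, name = ntpath.split(path)
    name, directory = name.lower(), directory.lower().rstrip("\\")
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        return "masquerade"   # system binary name outside its expected directory
    if HEX_MARKER.match(name):
        return "marker"       # bare 14-hex-char companion file
    return None


def find_suspicious_drops(events):
    """Return (hits, paired_dirs).  hits: [(process, path, reason)].
    paired_dirs: directories that received both a masquerading exe and a
    marker file, the strongest signal in this report (all three locations)."""
    hits, reasons_by_dir = [], {}
    for proc, path in events:
        reason = classify_drop(path)
        if reason is None:
            continue
        hits.append((proc, path, reason))
        reasons_by_dir.setdefault(ntpath.dirname(path).lower(), set()).add(reason)
    paired = {d for d, r in reasons_by_dir.items() if r == {"masquerade", "marker"}}
    return hits, paired


if __name__ == "__main__":
    found, paired_dirs = find_suspicious_drops(DROP_EVENTS)
    for proc, path, reason in found:
        print(f"{reason:10} {proc} -> {path}")
    print("paired drop directories:", sorted(paired_dirs))
```

Run against a Sysmon event 11 (FileCreate) feed the only change is the loader; the pairing rule is what keeps the check quiet on hosts where a single misplaced binary name is explainable.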
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
The same key is opened by WScript.exe and cmd.exe as well as by the sample, so this hit is consistent with ordinary locale initialisation and is weak evidence of deliberate geo-fencing on its own.

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1984 | PING.EXE
The command behind this hit is "ping -n 10 localhost" (see the process tree), which never leaves the host; it is a delay before the next lsass.exe launch rather than a connectivity check, and serves the same purpose as the "w32tm /stripchart /computer:localhost" calls in the earlier batch files.

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
1984 | PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2704 | hyperBlockCrtCommon.exe (repeated)
2840 | lsass.exe (repeated)
1080 | lsass.exe (repeated)
(64 entries in total; only these three processes appear.)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2704 | hyperBlockCrtCommon.exe
Token: SeDebugPrivilege | 2840 | lsass.exe
Token: SeDebugPrivilege | 1080 | lsass.exe
Token: SeDebugPrivilege | 2336 | lsass.exe
Token: SeDebugPrivilege | 928 | lsass.exe
Token: SeDebugPrivilege | 2988 | lsass.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The raw list repeats each pid/target pair three or four times (one entry per write) and is cut off at 64 entries while the tree continues. Deduplicated, with the procid_target value kept, it maps one-to-one onto the parent/child edges of the process tree: these are parents writing into children they have just created, not injection into unrelated processes.
pid | Process | target pid (process) | procid_target
2548 | 766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe | 2532 (WScript.exe) | 30
2532 | WScript.exe | 2564 (cmd.exe) | 31
2564 | cmd.exe | 2704 (hyperBlockCrtCommon.exe) | 33
2704 | hyperBlockCrtCommon.exe | 2580 (cmd.exe) | 34
2580 | cmd.exe | 2772 (chcp.com) | 36
2580 | cmd.exe | 1224 (w32tm.exe) | 37
2580 | cmd.exe | 2840 (lsass.exe) | 39
2840 | lsass.exe | 1464 (cmd.exe) | 40
1464 | cmd.exe | 2952 (chcp.com) | 42
1464 | cmd.exe | 2908 (w32tm.exe) | 43
1464 | cmd.exe | 1080 (lsass.exe) | 44
1080 | lsass.exe | 1420 (cmd.exe) | 45
1420 | cmd.exe | 1904 (chcp.com) | 47
1420 | cmd.exe | 1620 (w32tm.exe) | 48
1420 | cmd.exe | 2336 (lsass.exe) | 49
2336 | lsass.exe | 3008 (cmd.exe) | 50
3008 | cmd.exe | 1956 (chcp.com) | 52
3008 | cmd.exe | 948 (w32tm.exe) | 53
3008 | cmd.exe | 928 (lsass.exe) | 54
928 | lsass.exe | 2216 (cmd.exe) | 55
2216 | cmd.exe | 3036 (chcp.com) | 57 (list truncated here)
Processes
Process tree (nesting level in brackets; signature hits listed under each process):

[1] C:\Users\Admin\AppData\Local\Temp\766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe  PID 2548
    cmdline: "C:\Users\Admin\AppData\Local\Temp\766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe  PID 2532
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  PID 2564
        cmdline: cmd /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Intorefnet\hyperBlockCrtCommon.exe  PID 2704
          cmdline: "C:\Intorefnet/hyperBlockCrtCommon.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\cmd.exe  PID 2580
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TbU66uzUwI.bat"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\chcp.com  PID 2772
              cmdline: chcp 65001
          [6] C:\Windows\system32\w32tm.exe  PID 1224
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          [6] C:\Windows\it-IT\lsass.exe  PID 2840
              cmdline: "C:\Windows\it-IT\lsass.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\cmd.exe  PID 1464
                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oR202sdZsO.bat"
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\chcp.com  PID 2952
                  cmdline: chcp 65001
              [8] C:\Windows\system32\w32tm.exe  PID 2908
                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              [8] C:\Windows\it-IT\lsass.exe  PID 1080
                  cmdline: "C:\Windows\it-IT\lsass.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\System32\cmd.exe  PID 1420
                    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\chcp.com  PID 1904
                       cmdline: chcp 65001
                  [10] C:\Windows\system32\w32tm.exe  PID 1620
                       cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  [10] C:\Windows\it-IT\lsass.exe  PID 2336
                       cmdline: "C:\Windows\it-IT\lsass.exe"
                       - Executes dropped EXE
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\System32\cmd.exe  PID 3008
                         cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
                         - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\system32\chcp.com  PID 1956
                           cmdline: chcp 65001
                      [12] C:\Windows\system32\w32tm.exe  PID 948
                           cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      [12] C:\Windows\it-IT\lsass.exe  PID 928
                           cmdline: "C:\Windows\it-IT\lsass.exe"
                           - Executes dropped EXE
                           - Suspicious use of AdjustPrivilegeToken
                           - Suspicious use of WriteProcessMemory
                        [13] C:\Windows\System32\cmd.exe  PID 2216
                             cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ghJDzcD21F.bat"
                             - Suspicious use of WriteProcessMemory
                          [14] C:\Windows\system32\chcp.com  PID 3036
                               cmdline: chcp 65001
                          [14] C:\Windows\system32\PING.EXE  PID 1984
                               cmdline: ping -n 10 localhost
                               - System Network Configuration Discovery: Internet Connection Discovery
                               - Runs ping.exe
                          [14] C:\Windows\it-IT\lsass.exe  PID 2988
                               cmdline: "C:\Windows\it-IT\lsass.exe"
                               - Executes dropped EXE
                               - Suspicious use of AdjustPrivilegeToken

Read as a loop: the VBE launcher runs a batch file that starts hyperBlockCrtCommon.exe; that process drops its copies and writes a batch file to %TEMP%; the batch switches the code page (chcp 65001), waits on a localhost-only w32tm /stripchart (or, in the last hop, ping -n 10 localhost) and starts C:\Windows\it-IT\lsass.exe, which writes the next batch file. Five such relaunches (pids 2840, 1080, 2336, 928, 2988) fit inside the 135 s run, and the last lsass.exe shows no further children before the analysis ended.
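The tree above repeats one four-process unit five times: cmd.exe runs a batch file from %TEMP%, the batch switches the code page with chcp 65001, burns a few seconds on a localhost-only w32tm /stripchart (or, in the last hop, ping -n 10 localhost), then starts a fresh copy of the dropped lsass.exe, which writes the next batch file. The Python below is an added example, not the sandbox's detection logic or anything from the sample: it rebuilds the tree from the pids and command lines in the report as a constructed PROCS list, finds every batch launcher whose children pair a localhost delay with a new executable, and walks the parent-to-payload links to measure how long the relaunch chain is. The HELPERS set and the two delay regexes are assumptions; add timeout.exe or other sleep idioms for your own telemetry.

```python
"""Detect the batch-file relaunch loop in the report's process tree: a cmd.exe
/C <Temp>\<name>.bat whose children are 'chcp 65001', a localhost-only delay
(w32tm /stripchart or ping -n N localhost) and a fresh copy of the payload,
which then starts the next batch file.  Added example, not the sandbox's own
logic.  PROCS is constructed from the pids and command lines in the report."""
import ntpath
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + "\\766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe"
CMD = r"C:\Windows\System32\cmd.exe"
CHCP = r"C:\Windows\system32\chcp.com"
W32TM = r"C:\Windows\system32\w32tm.exe"
W32TM_ARGS = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
LSASS = r"C:\Windows\it-IT\lsass.exe"


def hop(cmd_pid, parent, bat, chcp_pid, delay_pid, delay_image, delay_args, lsass_pid):
    """One iteration of the loop exactly as it appears in the tree (four processes)."""
    return [Proc(cmd_pid, parent, CMD, f'"{CMD}" /C "{TEMP}\\{bat}.bat"'),
            Proc(chcp_pid, cmd_pid, CHCP, "chcp 65001"),
            Proc(delay_pid, cmd_pid, delay_image, delay_args),
            Proc(lsass_pid, cmd_pid, LSASS, f'"{LSASS}"')]


PROCS = [  # constructed from the report; ppid 0 marks the root
    Proc(2548, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(2532, 2548, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"'),
    Proc(2564, 2532, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "'),
    Proc(2704, 2564, r"C:\Intorefnet\hyperBlockCrtCommon.exe", r'"C:\Intorefnet/hyperBlockCrtCommon.exe"'),
]
PROCS += hop(2580, 2704, "TbU66uzUwI", 2772, 1224, W32TM, W32TM_ARGS, 2840)
PROCS += hop(1464, 2840, "oR202sdZsO", 2952, 2908, W32TM, W32TM_ARGS, 1080)
PROCS += hop(1420, 1080, "1v3DIijE8M", 1904, 1620, W32TM, W32TM_ARGS, 2336)
PROCS += hop(3008, 2336, "1v3DIijE8M", 1956, 948, W32TM, W32TM_ARGS, 928)
PROCS += hop(2216, 928, "ghJDzcD21F", 3036, 1984, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost", 2988)

# Assumptions: batch helpers that are never the payload, and the two delay idioms seen here.
HELPERS = {"cmd.exe", "chcp.com", "w32tm.exe", "ping.exe"}
DELAYS = {
    "w32tm": re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I),
    "ping":  re.compile(r"ping(\.exe)?\s+-n\s+\d+\s+localhost", re.I),
}


def delay_kind(p):
    """Name of the localhost delay idiom this process is, or None."""
    return next((k for k, rx in DELAYS.items() if rx.search(p.cmdline)), None)


def find_bat_relaunches(procs):
    """One hit per cmd.exe batch launcher whose children pair a localhost delay
    with a new executable (anything that is not one of the batch helpers)."""
    kids = defaultdict(list)
    for p in procs:
        kids[p.ppid].append(p)
    hits = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "cmd.exe":
            continue
        if not re.search(r"/c\b.*\.bat\b", p.cmdline, re.I):
            continue
        delays = [delay_kind(k) for k in kids[p.pid] if delay_kind(k)]
        payloads = [k for k in kids[p.pid] if ntpath.basename(k.image).lower() not in HELPERS]
        if delays and payloads:
            hits.append({"cmd_pid": p.pid, "parent_pid": p.ppid, "delay": delays[0],
                         "chcp_utf8": any(k.cmdline.lower() == "chcp 65001" for k in kids[p.pid]),
                         "payload_pid": payloads[0].pid, "payload_image": payloads[0].image})
    return hits


def relaunch_chain(hits, start_pid):
    """Follow parent -> batch -> payload links from start_pid; every extra pid
    is one more self-relaunch through a batch file."""
    nxt = {h["parent_pid"]: h["payload_pid"] for h in hits}
    chain = [start_pid]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain


if __name__ == "__main__":
    found = find_bat_relaunches(PROCS)
    for h in found:
        print(f"cmd {h['cmd_pid']} (parent {h['parent_pid']}): delay={h['delay']} "
              f"chcp={h['chcp_utf8']} -> {h['payload_pid']} {h['payload_image']}")
    print("relaunch chain from 2704:", relaunch_chain(found, 2704))
```

The first batch launcher in the tree (pid 2564, started by WScript.exe) is deliberately not a hit: it starts hyperBlockCrtCommon.exe with no delay child, so the rule keys on the delay-plus-payload pairing rather than on "cmd.exe ran a .bat". On live telemetry the same four fields come from Sysmon event 1, so only the loader changes.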
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 84B
MD5: 7fef6d8e0a11e2dec6af7a0e3b952b06
SHA1: b95534abb31712b49087005da4cdd4c92fe35edd
SHA256: 6bb327123f7ec740bb03b3405c5cd790199ba132091d1ceae4f098a29c0e9592
SHA512: 2c19d8ac297e3e0d790f844aedac3be3934a274ba834b66f36994ccdfd8e8c49b836d7a0df1e28de999cec7e1b5984a90199f4e08bc30d8113c4852fb9a27703

Filesize: 206B
MD5: 926c428eaa357b6ff5474252ee2821fe
SHA1: 623205127383f9cc804a3af035448cc396e704e3
SHA256: 80675c3ae85f284b0e291b368560cc5727d416f1f52577e6505db41b0add9bc1
SHA512: cdb460848edbc5b8053b0b5211fce7d5f5eb92b347526b3e1d98becbfe1d4f8fb277ac3c58eab64b532f57c4c3b6f5642a9fad04c22f2910eecb0633079fb4ac

Filesize: 202B
MD5: dba20628abb0b2e6b95b9bdfea474d95
SHA1: 4b93d475dbc5815ed90c29c3fb830ddb1863c767
SHA256: 1ce39b84b5d6c54dac15a6dd8b047e80f46a7b2eec0f7d229ac13d1285dd62a3
SHA512: 24cff8150ec7c9ab9ecf09c3a8c7d8625a88841465066754aa60629c22160400475aa5041e188d85ef3e9addf1654e7448a02b3f72002955d63a68d79c5ce10b

Filesize: 202B
MD5: fb416c9e6af2d4e03e547fd2df8f9348
SHA1: 94edd75dfde5f87c37b5d046b8317b85fc4a9ecc
SHA256: 58c23c39081ac5df29b472ee1ca676be6e6e89901ed80e55ce6f3975834a063b
SHA512: daa311eba0f5a5583a37120e8ac79e060070d3316dcd59c6783526e7b78543834715c96487bc498b8fc2594bad21ddfcdfea8b37ea866a707704c90bca6cf372

Filesize: 154B
MD5: 49ae16ab5e6ff0edfe47d24728a03b6d
SHA1: f3c0e7b9ce3e57578a011b8ee9a35b9f0f6327a6
SHA256: 2ca4e44d9ce6835a990dab5db070aa82916aa66adf4e300822d08eb4220145d1
SHA512: 51ea1ff04162092ed17c2f6a769202afe15e8de3adb12dd834af6004768cdcf1391f4062a3d399621da52edbf55b79b259a3b17eb9baf65857688ad260dca782

Filesize: 202B
MD5: 78c622e0e90c622969b9c100d372cd6d
SHA1: b9d8103e2f7cfc27ebc8ec99b6d287bd62b3faff
SHA256: a2d64c26f0d20fb6c9056468403a9467083e81cdd2a7e43ecf33614f32bc73b0
SHA512: cfdbb3e0639c9969eaf7cd0f828692ae0d1cb2fcdfadfbd22f90d570e3ac46c16d44c69672674289b341485b903a434930080c456b9a6d8cc0d5c89892767800

Filesize: 673KB
MD5: 88475ffcf70bafda27644064bd214f2a
SHA1: 650deb8eee1f3614ff924c2ac5dad5a2f230dce1
SHA256: f2bd4f56c501098299b88cefecfd79e763d95d801016eaaf4e2707c5ffc7c767
SHA512: c3e7c4d38d43571fd81926aecf3f0bd75f728f1e7056af02955eed96bea67efd30f295089300df809841c0565a9ea4aa793e2f5c6b93e3eb86132cccc267376f