Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-12-2024 03:09
General
-
Target
aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
-
Size
391KB
-
MD5
43d30c776f593efdf5416ab4142442d6
-
SHA1
3f7f251511aa918a3c221cb4d039e406e9449132
-
SHA256
aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a
-
SHA512
8b1b195775c3de13cc281fe9d92580230fcdb48a9dab001eaa442328aa88e1ec27ced4cdaaa941bb42141a269e7f844f4dd945d8a9a6df06bb05393271987238
-
SSDEEP
6144:sSg0P0VgwhTfR4NATIVDHPfq1NRHR5/nQibDVDeFtJ9JDwzTE3GL0:+hLR4vq1N354iHQj1X3G
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
DCRat payload 2 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe"C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tj1bsor1.wsg.exe"C:\Users\Admin\AppData\Local\Temp\tj1bsor1.wsg.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
882KB
MD502e08842c25f66b1ffe53ce0f50f1758
SHA1a5d1e71b9e6484a5ebc555dd41a5450909387cb2
SHA256eb3ff36d945d22d68d24690566115eac07c6666154ec18dd37527673375e41fa
SHA512807a3a8c5a223f843989ff1488198c7700a0e1ad779b7e055ce93ad44fef24c62a4025325621ee7b402cb771584ec847e9cb63177bee8672b31b3c7f6f5b5db3
-
Filesize
1.0MB
-
Filesize
320KB
-
Filesize
416KB
-
Filesize
10.8MB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
10.8MB
-
Filesize
912KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
10.8MB