Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 02:01
Static task
static1
Behavioral task
behavioral1
Sample
04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe
Resource
win7-20241010-en
General
-
Target
04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe
-
Size
25.5MB
-
MD5
b9c8dee5e0470b21d27b1a70afe25495
-
SHA1
955aebc905591be2c45fb95ac689374552455b58
-
SHA256
04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d
-
SHA512
995ea49bdcba082927264e6dca3ac5d45ad8e152a3c9d71b9f63881e10537f866b5f45e1634af5bc1c44fb36fb0ec48b1a0ece866e1f58d14c2dcc46a0c88cf7
-
SSDEEP
98304:vS4Lhcl+62txet6kccrV00zSO76bgkVB:vS4yA62txY1cc0XOubtVB
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe -
Executes dropped EXE 1 IoCs
pid Process 3508 Registry.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\upfc.exe 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\upfc.exe 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ea1d8f6d871115 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\LanguageOverlayCache\backgroundTaskHost.exe 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2584 PING.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2584 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3508 Registry.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe Token: SeDebugPrivilege 3508 Registry.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3456 wrote to memory of 2960 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 83 PID 3456 wrote to memory of 2960 3456 04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe 83 PID 2960 wrote to memory of 1460 2960 cmd.exe 85 PID 2960 wrote to memory of 1460 2960 cmd.exe 85 PID 2960 wrote to memory of 2584 2960 cmd.exe 86 PID 2960 wrote to memory of 2584 2960 cmd.exe 86 PID 2960 wrote to memory of 3508 2960 cmd.exe 88 PID 2960 wrote to memory of 3508 2960 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe"C:\Users\Admin\AppData\Local\Temp\04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hX99Ylzo3q.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:1460
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2584
-
-
C:\Users\Public\Registry.exe"C:\Users\Public\Registry.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25.5MB
MD5b9c8dee5e0470b21d27b1a70afe25495
SHA1955aebc905591be2c45fb95ac689374552455b58
SHA25604069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d
SHA512995ea49bdcba082927264e6dca3ac5d45ad8e152a3c9d71b9f63881e10537f866b5f45e1634af5bc1c44fb36fb0ec48b1a0ece866e1f58d14c2dcc46a0c88cf7
-
Filesize
156B
MD54157dce14887482025ca615c50f5e3f2
SHA1eb88d1cefaca60a43c95d509b7ae9f8ff4815073
SHA256554421febfade6abc7f60dcfc5b921758fca8cf2ca882f4d6c98cfe8840200a0
SHA51222b309fa7a348dd257973c9b1d24eec92f3a8bcc05144da8313be5cb72e4b7cc1d609ba6d53ad52760ff71a3c9de59198aa627b06074e0b693d7cb8f8100db76