Analysis

  • max time kernel
    84s
  • max time network
    86s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-01-2025 12:04

General

  • Target

    saysoy.exe

  • Size

    1.1MB

  • MD5

    14c9cc784c40dcf4a3292c0a76df1ea3

  • SHA1

    14b0046527957ac8efd6a2ec6f1095b24d2260c5

  • SHA256

    a5a25930819bbbec78be692ac22ac53c2c4844e1d031a9bfa5f538d48a13114e

  • SHA512

    bcdb1796566603193d481a5c6e1e2ea87d867f49f85d998e1605e196754661ac8096af81446064743fa84f9f731080bca413cc8b1440cf96490d15918efdb79b

  • SSDEEP

    24576:U2G/nvxW3Ww0t3GKOZiHjKZIOBkNz7goRALs5fkbX1rCf:UbA303WZioIOBgOs5sbl+

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects the DCRat payload, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\saysoy.exe
    "C:\Users\Admin\AppData\Local\Temp\saysoy.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\mM4JhqLjw.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\BypONjLpCsy1Y5OALh8T5VUbl8waya.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\PortWin.exe
          "C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\PortWin.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4656
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x108,0x128,0x7ffc704746f8,0x7ffc70474708,0x7ffc70474718
      2⤵
        PID:5000
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
        2⤵
          PID:4084
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4168
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
          2⤵
            PID:1616
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
            2⤵
              PID:1412
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
              2⤵
                PID:4516
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
                2⤵
                  PID:4140
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
                  2⤵
                    PID:4736
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
                    2⤵
                      PID:2168
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4012
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
                      2⤵
                        PID:4888
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
                        2⤵
                          PID:3832
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
                          2⤵
                            PID:3644
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
                            2⤵
                              PID:912
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
                              2⤵
                                PID:692
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
                                2⤵
                                  PID:2316
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
                                  2⤵
                                    PID:1408
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
                                    2⤵
                                      PID:3832
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14241937170852581972,2628489448848238180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
                                      2⤵
                                        PID:2040
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2864
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1460
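
Added detection example (not part of the sandbox report): the process tree above is a three-stage script loader, WScript.exe running a .vbe from a user-writable staging directory, cmd.exe /c running a .bat from the same directory, and a dropped PE started from that directory. The code below flags that chain over Sysmon-style process-creation records. The records are constructed for this example from the report's PIDs and command lines; the field names (pid, ppid, image, cmdline) are an assumption, not any product's schema.

```python
"""
Detect the wscript -> cmd /c -> dropped-PE loader chain seen in the report.
Input: Sysmon-style process-creation records (constructed below, not real
telemetry). Output: one finding per chain rooted in a user-writable directory.
"""
import re
from typing import Dict, List

# Constructed from the report's process tree; field names are this example's own.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1708, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\saysoy.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\saysoy.exe"'},
    {"pid": 3384, "ppid": 1708, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\mM4JhqLjw.vbe"'},
    {"pid": 1808, "ppid": 3384, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\BypONjLpCsy1Y5OALh8T5VUbl8waya.bat" "'},
    {"pid": 4656, "ppid": 1808, "image": r"C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\PortWin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\PortWin.exe"'},
    # Benign noise from the same report: Edge and its helper processes must not alert.
    {"pid": 5024, "ppid": 1000, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"pid": 4168, "ppid": 5024, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
]

# Scripts launched from a directory an unprivileged user can write to are the
# interesting ones (the report's staging dir is under AppData\Roaming).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(?:roaming|local)\\", re.I)
# Script path handed to wscript/cscript, quoted or not.
SCRIPT_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.(?:vbe|vbs|js|jse|wsf))"?', re.I)
# Batch file passed via cmd.exe /c, tolerating the doubled quotes seen in the report.
BAT_ARG = re.compile(r'/c\s+"*([a-z]:\\[^"]+?\.(?:bat|cmd))"', re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def find_script_loader_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per wscript -> cmd -> PE chain whose three files share a staging dir."""
    children: Dict[int, List[Dict]] = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)

    findings: List[Dict] = []
    for ws in events:
        if _base(ws["image"]) not in ("wscript.exe", "cscript.exe"):
            continue
        script = SCRIPT_ARG.search(ws["cmdline"])
        if not script or not USER_WRITABLE.search(script.group(1)):
            continue
        stage_dir = _dir(script.group(1))
        for cmd in children.get(ws["pid"], []):
            if _base(cmd["image"]) != "cmd.exe":
                continue
            bat = BAT_ARG.search(cmd["cmdline"])
            if not bat or _dir(bat.group(1)) != stage_dir:
                continue
            for payload in children.get(cmd["pid"], []):
                if _dir(payload["image"]) == stage_dir and payload["image"].lower().endswith(".exe"):
                    findings.append({
                        "stage_dir": stage_dir,
                        "script": script.group(1),
                        "batch": bat.group(1),
                        "payload": payload["image"],
                        "pids": (ws["pid"], cmd["pid"], payload["pid"]),
                    })
    return findings


if __name__ == "__main__":
    for f in find_script_loader_chains(SAMPLE_EVENTS):
        print(f"loader chain pids={f['pids']} payload={f['payload']}")
```

Requiring all three files to live in the same staging directory is what keeps this rule quiet: WScript.exe and cmd.exe /c are common on their own, but a script, a batch file and a PE sharing one freshly created AppData\Roaming folder is the report's pattern and little else.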

Network

MITRE ATT&CK Enterprise v15

Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                          Filesize

                                          152B

                                          MD5

                                          ba6ef346187b40694d493da98d5da979

                                          SHA1

                                          643c15bec043f8673943885199bb06cd1652ee37

                                          SHA256

                                          d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                          SHA512

                                          2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                          Filesize

                                          152B

                                          MD5

                                          b8880802fc2bb880a7a869faa01315b0

                                          SHA1

                                          51d1a3fa2c272f094515675d82150bfce08ee8d3

                                          SHA256

                                          467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                          SHA512

                                          e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                          Filesize

                                          5KB

                                          MD5

                                          7f5fb51a6c214db261aaf52affac4ebc

                                          SHA1

                                          65e983117856044ad9f9ea2525bb1a5671e0bad8

                                          SHA256

                                          db79486885689e4379ebb7eab506ba0b8eec83aedf7c43f3881080c9daba8545

                                          SHA512

                                          e00274f5763910044591e31e5d4ed5778ca5cb52aa41383c086a6a28dae93ddeaeb9c0cef0c8648d9ecd55d6227de44f88ffc25d2da5940e73cc86ce631af147

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                          Filesize

                                          7KB

                                          MD5

                                          4a96713b1338faca2fea48782e45e430

                                          SHA1

                                          19fd51077ffbac13930d6969b57830f905b0f650

                                          SHA256

                                          a2f6b399d89a57b72e64b8464e87dc6fdd7f4788de8725d130c9396c258c3624

                                          SHA512

                                          1d36e9e1832dc30b99e2955957c8afda659627b0ae1a6d4541237bd4248ed4eeefdc05cc7b05d8565229ae3592146efbfa1a59ed734e85446bd61ec9cd1f5549

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d85e4432-e98c-4407-b906-334edcfa7e15.tmp

                                          Filesize

                                          6KB

                                          MD5

                                          5a96ee47a1c4421198d9310b360d92c4

                                          SHA1

                                          a0fc3592ee40c96ce15e7627b18e3ae5e07539ee

                                          SHA256

                                          d6a606a52a3f003c60fb28795d50c0c7afe34134209f257eec97bf1baa5ce97f

                                          SHA512

                                          ca38b5abf715a829612fa2313959ba5dded43766fb6a4144b345e514fbf4b254cd941ac07695cc58e3c04e9f15eb6bbfd21417b8400e38ae5d62e6fbc2e55363

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                          Filesize

                                          16B

                                          MD5

                                          46295cac801e5d4857d09837238a6394

                                          SHA1

                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                          SHA256

                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                          SHA512

                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                          Filesize

                                          16B

                                          MD5

                                          206702161f94c5cd39fadd03f4014d98

                                          SHA1

                                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                          SHA256

                                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                          SHA512

                                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          10KB

                                          MD5

                                          f4c629738ee35220aeb1ef4a247ce45d

                                          SHA1

                                          e4fd04d1d25db8a7ba25e4fef287d036ae9c62c2

                                          SHA256

                                          b36e91f1d8680237443354c054f21aae07df73a38f362b3d818ba2d6cf938d12

                                          SHA512

                                          d0601f298a2664e8a4259b6917121a5d52edac1c0a28e2aa1901eb0af09363ae8786a5a71858ae87cfc73b5f05c51c7b44c3878d1ef381b05aab85377077f1c4

                                        • C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\BypONjLpCsy1Y5OALh8T5VUbl8waya.bat

                                          Filesize

                                          43B

                                          MD5

                                          f1f1dbc33fdb14b9fe7733a89d945bac

                                          SHA1

                                          55e5a36164301051918561c74c144e50111fc730

                                          SHA256

                                          2402d3c3c8c0a54063e8057de3a318e0f6f4a433f0dcd96ce2c9acdc9e96bc64

                                          SHA512

                                          142cbb34fc34f9db86102d612359920a83bb2eebd99e81f0e402548d7087e34921da75c284108ff7fbda6758206c0c30276ba52b288cd4288d548cc8d1103805

                                        • C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\PortWin.exe

                                          Filesize

                                          828KB

                                          MD5

                                          04184648be069bdda4bb6a513d4ba90f

                                          SHA1

                                          55ebb09163941431cd787569ecee8c7e0be43067

                                          SHA256

                                          d10447811c369ed50467fb356e0a86d645ef1cc3e6900fe007eff32e3169866a

                                          SHA512

                                          ae057ac065d47e21789b8efb60119348d95a1deaf74e7104ba6cee3f0e5b25eb89c7f158febaf1bfc30ab682e8f34b8cb8120271486163f3f45a2e2f2594115c

                                        • C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\mM4JhqLjw.vbe

                                          Filesize

                                          234B

                                          MD5

                                          f1c70b037e89afa799d3641e74fb77c4

                                          SHA1

                                          95cc4268438000d9ea3fcca309f8ec7b797fbb9f

                                          SHA256

                                          c31a863b46e85e7a7aa8308466431e2de8af199e9f99413987e5b7b4feb5cbc0

                                          SHA512

                                          6f235711158273b0d2a14507d37d923da6b640534975408ce1a9b5bc9afdfe4fbc96bfd641cbee4c1f4a211bbca57999d9baa643a6ea81208425d4030918c25d

                                        • memory/4656-12-0x00007FFC763C3000-0x00007FFC763C5000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/4656-13-0x0000000000DE0000-0x0000000000EB6000-memory.dmp

                                          Filesize

                                          856KB

                                        • memory/4656-14-0x00007FFC763C3000-0x00007FFC763C5000-memory.dmp

                                          Filesize

                                          8KB
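
Added example (not part of the sandbox report): turning the Downloads list above into usable IOCs. The parser handles the bullet / label / value layout used by the report, separates the attacker's staged files under MsHyperbrowserSaves from Edge's own profile writes, and decodes the memory/<pid>-<n>-<start>-<end> dump names into address ranges. The embedded excerpt is an abbreviated copy of the entries above (SHA1 and SHA512 lines dropped, one Edge entry kept as noise); the rule that anything under Edge's User Data directory is noise is this example's own choice, not something the report states.

```python
"""
Parse a sandbox 'Downloads' listing into IOC records and split attacker files
from browser-profile noise. REPORT_EXCERPT is an abbreviated copy of the
report's entries (SHA1/SHA512 omitted); the noise rule is an assumption.
"""
import re
from typing import Dict, List, Tuple

REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize
  152B
  MD5
  ba6ef346187b40694d493da98d5da979
  SHA256
  d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
• C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\BypONjLpCsy1Y5OALh8T5VUbl8waya.bat
  Filesize
  43B
  MD5
  f1f1dbc33fdb14b9fe7733a89d945bac
  SHA256
  2402d3c3c8c0a54063e8057de3a318e0f6f4a433f0dcd96ce2c9acdc9e96bc64
• C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\PortWin.exe
  Filesize
  828KB
  MD5
  04184648be069bdda4bb6a513d4ba90f
  SHA256
  d10447811c369ed50467fb356e0a86d645ef1cc3e6900fe007eff32e3169866a
• C:\Users\Admin\AppData\Roaming\MsHyperbrowserSaves\mM4JhqLjw.vbe
  Filesize
  234B
  MD5
  f1c70b037e89afa799d3641e74fb77c4
  SHA256
  c31a863b46e85e7a7aa8308466431e2de8af199e9f99413987e5b7b4feb5cbc0
• memory/4656-13-0x0000000000DE0000-0x0000000000EB6000-memory.dmp
  Filesize
  856KB
"""

HASH_LABELS = {"MD5", "SHA1", "SHA256", "SHA512"}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
# Report naming for memory dumps: memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
# Assumption: writes under Edge's profile are the sandbox browser's own side effects.
BROWSER_PROFILE = re.compile(r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\", re.I)


def parse_size(text: str) -> int:
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)])


def parse_downloads(text: str) -> List[Dict]:
    """Each '•' line opens a record; following 'Label' / value line pairs fill it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records: List[Dict] = []
    i = 0
    while i < len(lines):
        if lines[i].startswith("•"):
            records.append({"path": lines[i][1:].strip(), "hashes": {}})
            i += 1
        elif records and i + 1 < len(lines) and (lines[i] == "Filesize" or lines[i] in HASH_LABELS):
            if lines[i] == "Filesize":
                records[-1]["size"] = parse_size(lines[i + 1])
            else:
                records[-1]["hashes"][lines[i].lower()] = lines[i + 1].lower()
            i += 2
        else:
            i += 1
    return records


def classify(records: List[Dict]) -> Tuple[List[Dict], List[Dict], List[Dict]]:
    """Split records into (attacker-staged files, browser-profile noise, memory regions)."""
    iocs: List[Dict] = []
    noise: List[Dict] = []
    memory: List[Dict] = []
    for rec in records:
        m = MEM_RE.match(rec["path"])
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            memory.append({"pid": int(m.group(1)), "start": start, "end": end, "size": end - start})
        elif BROWSER_PROFILE.search(rec["path"]):
            noise.append(rec)
        else:
            iocs.append(rec)
    return iocs, noise, memory


def sha256_blocklist(iocs: List[Dict]) -> List[str]:
    return sorted(r["hashes"]["sha256"] for r in iocs if "sha256" in r["hashes"])


if __name__ == "__main__":
    iocs, noise, memory = classify(parse_downloads(REPORT_EXCERPT))
    for r in iocs:
        print(f"{r['hashes']['sha256']}  {r['size']:>7}  {r['path']}")
    for m in memory:
        print(f"pid {m['pid']}: 0x{m['start']:x}-0x{m['end']:x} ({m['size'] // 1024} KB)")
```

The decoded memory entry ties back to the process tree: PID 4656 is the dropped PortWin.exe, and the 856KB region at 0xDE0000 is the one the sandbox dumped from it, slightly larger than the 828KB file on disk as expected for a mapped image.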