Analysis
-
max time kernel
198s -
max time network
300s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
30-01-2025 12:55
General
-
Target
AIMWARE CRACK 1.3.2.exe
-
Size
2.5MB
-
MD5
f72fe0fbd65b2cc0376fc1d08813a512
-
SHA1
da68c3a1f66bde61c2b7bac27c1418261b0b9e1d
-
SHA256
09f319c554e4e5468ddae84384983edc21aff8717fc103a0cee62e132c70a6d3
-
SHA512
17f0ef497ab31ee122bd4377dcf6d4319b3937e08b818cb67890b62eb0caa0dff8810318b49b16fff470a99f17acc17eba3c1ea013acb4bd0d36d402e06d698d
-
SSDEEP
49152:S3KYg14K5F/STt1piw5bpMK31jZSDW0Pg3nM0n4oyy0cz8F0yqAoThNSi:S67n5pw1pdbKwjZSDW0Pg31X0q8FTqA2
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
DCRat payload 7 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AIMWARE CRACK 1.3.2.exe"C:\Users\Admin\AppData\Local\Temp\AIMWARE CRACK 1.3.2.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AIMWARE CRACK 1.3.2.exe"C:\Users\Admin\AppData\Local\Temp\AIMWARE CRACK 1.3.2.exe"2⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0cJoPw6Di3.bat"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\AIMWARE CRACK 1.3.2.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\AIMWARE CRACK 1.3.2.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\AIMWARE CRACK 1.3.2.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\AIMWARE CRACK 1.3.2.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 5445⤵
- Loads dropped DLL
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 5362⤵
- Program crash
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5f72fe0fbd65b2cc0376fc1d08813a512
SHA1da68c3a1f66bde61c2b7bac27c1418261b0b9e1d
SHA25609f319c554e4e5468ddae84384983edc21aff8717fc103a0cee62e132c70a6d3
SHA51217f0ef497ab31ee122bd4377dcf6d4319b3937e08b818cb67890b62eb0caa0dff8810318b49b16fff470a99f17acc17eba3c1ea013acb4bd0d36d402e06d698d
-
Filesize
267B
MD5e577bc5a013e03f1c02d797ef26ae4b5
SHA1fc8fb621dfcb3ce1b5fb6f30c9a0423aca7dd202
SHA256f2cb41a83adf7033d270138643ff00ce0be9640bd263f7eb134303993ba6ca80
SHA512e50a93f6827c64e37bac7da840b171e9db239d19aeeb77fc8ab93b06f2576949f740848a7e798b4e2d21511fdb610a92387b9b9d99003eac00b35f9d812af80a
-
Filesize
6.9MB
-
Filesize
2.5MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
2.5MB
-
Filesize
152KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
2.5MB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
312KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
6.9MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
72KB
-
Filesize
88KB