Analysis
max time kernel: 106s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-02-2025 13:32
Behavioral task: behavioral1
Sample: OsintAkulaDox(Release 2.0).exe
Resource: win11-20241007-en
General
Target: OsintAkulaDox(Release 2.0).exe
Size: 1.6MB
MD5: 17e5d1ccf6f2250f75bb5fa68f971767
SHA1: 7d935074dbb166b4e481261c0aa855dd1e775d17
SHA256: 9410a8eee0f8556bfa0f4231577706b437a14a79af1f2bfff6dc9288e54af828
SHA512: a7fd59c415e51fd57545a88c993d7ce8abbc4809e92e7dfc533778002f9492612880d4fab30e5d53358aedb9c3e1ee780bb3fe99313083d9232a3cbe6c5e47cc
SSDEEP: 24576:U2G/nvxW3Ww0t2IwCzsb0EIYKBInv4BFooOQSK7WmmpC84H366W1e:UbA30twh0rTbF3/7mLz6P
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
  resource                                                                     yara_rule
  behavioral1/files/0x001d00000002aad5-18.dat                                  dcrat
  behavioral1/memory/464-20-0x0000000000C60000-0x0000000000DAC000-memory.dmp   dcrat
- Executes dropped EXE (1 IoCs)
  pid   Process
  464   dhcpcommon.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   OsintAkulaDox(Release 2.0).exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WScript.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
- Modifies registry class (2 IoCs)
  description   ioc                                                                                         Process
  Key created   \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings            OsintAkulaDox(Release 2.0).exe
  Key created   \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache   MiniSearchHost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                pid   Process
  Token: SeDebugPrivilege    464   dhcpcommon.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    Process
  1988   MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid    Process                          procid_target
  PID 4156 wrote to memory of 4520     4156   OsintAkulaDox(Release 2.0).exe   77
  PID 4156 wrote to memory of 4520     4156   OsintAkulaDox(Release 2.0).exe   77
  PID 4156 wrote to memory of 4520     4156   OsintAkulaDox(Release 2.0).exe   77
  PID 4520 wrote to memory of 2344     4520   WScript.exe                      80
  PID 4520 wrote to memory of 2344     4520   WScript.exe                      80
  PID 4520 wrote to memory of 2344     4520   WScript.exe                      80
  PID 2344 wrote to memory of 464      2344   cmd.exe                          82
  PID 2344 wrote to memory of 464      2344   cmd.exe                          82
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\OsintAkulaDox(Release 2.0).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\OsintAkulaDox(Release 2.0).exe"
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4156
  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4520
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2344
      C:\ComProviderservercrt\dhcpcommon.exe
        command line: "C:\ComProviderservercrt\dhcpcommon.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 464
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 1988
Network
MITRE ATT&CK Enterprise v15
Downloads