Analysis

  • max time kernel
    106s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-02-2025 13:32

General

  • Target

    OsintAkulaDox(Release 2.0).exe

  • Size

    1.6MB

  • MD5

    17e5d1ccf6f2250f75bb5fa68f971767

  • SHA1

    7d935074dbb166b4e481261c0aa855dd1e775d17

  • SHA256

    9410a8eee0f8556bfa0f4231577706b437a14a79af1f2bfff6dc9288e54af828

  • SHA512

    a7fd59c415e51fd57545a88c993d7ce8abbc4809e92e7dfc533778002f9492612880d4fab30e5d53358aedb9c3e1ee780bb3fe99313083d9232a3cbe6c5e47cc

  • SSDEEP

    24576:U2G/nvxW3Ww0t2IwCzsb0EIYKBInv4BFooOQSK7WmmpC84H366W1e:UbA30twh0rTbF3/7mLz6P

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OsintAkulaDox(Release 2.0).exe
    "C:\Users\Admin\AppData\Local\Temp\OsintAkulaDox(Release 2.0).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\ComProviderservercrt\dhcpcommon.exe
          "C:\ComProviderservercrt\dhcpcommon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:464
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat

    Filesize

    40B

    MD5

    9aaeb85b68b2c641d6ea8bbc3e7efb1f

    SHA1

    caa2ce69f5eea67e08aa40c844a38c669ef86db5

    SHA256

    d1de03f54cb15974c2e26d79af82446ca304413ae2634faf981dc1327325713e

    SHA512

    b486c4ae73c61b6996f1f902ca8533601361f72fbac93a2ef480f4729afc75b8615c562cfc579a6bce40555d356754839be60ec5cfb86036fd7274c8afa3c06c

  • C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe

    Filesize

    211B

    MD5

    e061686d28660bb9114d963a2ff01c1d

    SHA1

    f4e81a4553722503c473eb7c7f77396aa3323c19

    SHA256

    c14ec59bae7b314a9cb5c9cc01053f93a89547ae882193a57a36d6c31b887e1d

    SHA512

    5fa0180dda99faf18849f9fd248e4de68c3220bd965d176f3c9a081d5c69f9ed100c80dc1cdf3f0a9b7c67c3a832bde565797756cc047d8f10662cb0ef683b9c

  • C:\ComProviderservercrt\dhcpcommon.exe

    Filesize

    1.3MB

    MD5

    493cf952e6aa65181c8458d312ee1421

    SHA1

    6065a925782b18b0e3e018750c5a760ebfaadf4f

    SHA256

    c3e0e8356bd4a52e07679935019f4474715f4b7ae291cfbda9d35bf0bc3e2460

    SHA512

    3db22d2dd54be931f8e55133a2eec56713d7199d803a290de7741c6b3afda50d98fd0c6c3feda7e835361319398bb2d11108a1cba9f8a2cd7fe2c43c7a36efb8

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    77a8b2c86dd26c214bc11c989789b62d

    SHA1

    8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

    SHA256

    e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

    SHA512

    c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    b66799d715b113faf28da5aaba5528ef

    SHA1

    1b20576808d17c24f7abf2c49a7facfbc1480da4

    SHA256

    bb7ed85e7a1833e5a31d62882937ee6b094f2421b9d1c8d9b6e64b9845b29868

    SHA512

    93d4708a2f4bb3ca7b5bcb0f3dc13eb5e93bfa5e485845822d67770e4c0217797f330ab9395598b1d7452cc8191e4d3848a1b268a6cd1b7a5001266ce53794d6

  • memory/464-20-0x0000000000C60000-0x0000000000DAC000-memory.dmp

    Filesize

    1.3MB

  • memory/464-21-0x000000001BA20000-0x000000001BA2E000-memory.dmp

    Filesize

    56KB