Analysis
-
max time kernel
893s -
max time network
714s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
22-02-2025 04:34
General
-
Target
CFlowBeta (1).exe
-
Size
3.5MB
-
MD5
7f3cc1233ea7a9a2fee1b51620e2b647
-
SHA1
3c40f2a0c0dc6e5f9379352751d87ba452221664
-
SHA256
ed57b772d3d924dbab826fe02d792324982f5d92e88d09afc1a734173b88599d
-
SHA512
095f97337db0a650757ea4b1df3f45ef711baf5f7892aec89c824e83ccf64f9f749a4ca6b5c38cbb5ff3e1c093d4f6735a25399b5b394c0932e8c3cf403979ce
-
SSDEEP
98304:IbUi+JjIHeo5n3YMM5N+RjvagClBA1eVTzF:IeEHe9Mux18QVT5
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CFlowBeta (1).exe"C:\Users\Admin\AppData\Local\Temp\CFlowBeta (1).exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BridgeDriversavesIntoref\MDZuiXGHF6DSL.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BridgeDriversavesIntoref\cjJU4QO.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\BridgeDriversavesIntoref\HyperDllcommon.exe"C:\BridgeDriversavesIntoref\HyperDllcommon.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5e787fdcbf81593297b23533eb887bb0d
SHA10534ffe024b83acefe4c71bdd3e6476e72b82564
SHA256adba7079c2f8527c8677c189f80a241754c64869b9f52adb60c737938a129e99
SHA5128fd1877bb58ce9ea09bd8d3eadc984f341086e15f59f4e22bb834430a4c6732238638fe435cce6153f965f5e9ee879739fbe0f9e424125b1f8c8b28cd2d4276c
-
Filesize
208B
MD573ab70ceaa0f998f770a136d914e641e
SHA163f81a7fd2106432458f132870e4ee36eeaca7ac
SHA25609f11c16faf296001faeb6cfc2ea6a34bcfd40108fd54ff3948d039eedd6c68f
SHA512f0e8786319f42582515a0acbd9c758f122e576383c7b2b79d25a050c9d93b6e60d814b07409a9ede0997dfadac6760217a043ee6fb16d9be1faeddeb9cf3aa5d
-
Filesize
160B
MD5ac20d72dcc5e68fbd6e73f5d3a2b4a01
SHA1c931e8bbcfdc4299b70859e666c577c1e5b7c1cf
SHA2568b60f1936f10b03b4cbc9ee0a4916e813e6d7ff63ef55326c61cb31b57b1f18c
SHA5129b5d7f1bd7932d0ecaf69bbd1a58b466e802bddba9585ec0380033ae6565693850e7d8ce6367ab346aebeea4d66822199254f646376fdb9a5076a2d0efb887cc
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
56KB