Overview

overview

10

Static

static

10

niha-main/OmNom.exe

windows10-ltsc_2021-x64

10

niha-main/alfa.exe

windows10-ltsc_2021-x64

8

niha-main/derq.exe

windows10-ltsc_2021-x64

10

niha-main/...af.exe

windows10-ltsc_2021-x64

7

niha-main/...dr.exe

windows10-ltsc_2021-x64

7

niha-main/...ra.exe

windows10-ltsc_2021-x64

10

niha-main/kiprea2.exe

windows10-ltsc_2021-x64

10

niha-main/kkk.exe

windows10-ltsc_2021-x64

10

niha-main/...as.exe

windows10-ltsc_2021-x64

10

niha-main/...wr.exe

windows10-ltsc_2021-x64

10

niha-main/...ij.exe

windows10-ltsc_2021-x64

10

niha-main/...12.exe

windows10-ltsc_2021-x64

10

niha-main/...sr.exe

windows10-ltsc_2021-x64

10

niha-main/...as.exe

windows10-ltsc_2021-x64

10

niha-main/opiww1.exe

windows10-ltsc_2021-x64

10

niha-main/...na.exe

windows10-ltsc_2021-x64

10

niha-main/...t1.exe

windows10-ltsc_2021-x64

10

niha-main/...ad.exe

windows10-ltsc_2021-x64

niha-main/...ed.exe

windows10-ltsc_2021-x64

8

niha-main/pypdwat.exe

windows10-ltsc_2021-x64

7

niha-main/...12.exe

windows10-ltsc_2021-x64

10

niha-main/robobob.exe

windows10-ltsc_2021-x64

10

niha-main/swi.exe

windows10-ltsc_2021-x64

10

niha-main/thiakdc.exe

windows10-ltsc_2021-x64

10

niha-main/...ka.exe

windows10-ltsc_2021-x64

8

niha-main/time.exe

windows10-ltsc_2021-x64

10

niha-main/vosemOO.exe

windows10-ltsc_2021-x64

10

niha-main/wint1.exe

windows10-ltsc_2021-x64

10

niha-main/wint2.exe

windows10-ltsc_2021-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250410-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    16/04/2025, 23:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    niha-main/kiprea2.exe

  • Size

    2.3MB

  • MD5

    bc9c39299d0b237235882f9b4f99d57a

  • SHA1

    145f608cf981af51a3dc3b289c673e25f8abd360

  • SHA256

    234835e030956fb4fc80261c06c58050f17c69a1e0120de96b585cc046a468d5

  • SHA512

    192ba62f1f2d50a384028e6c8a6c415380f7eb5b1eeedcf38e99e65e36f2237395681d62052edeec17ca451497f364088fcb95b6cef91135f24c709c9db367d1

  • SSDEEP

    24576:u7TxN+ab32/5pCw7sULd3yRsjcAYZkDLll289Gt/beglSdwwQaUEUM6t:YxNZ2/F0Rs4A+Wl2ZBVwy

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\niha-main\kiprea2.exe
    "C:\Users\Admin\AppData\Local\Temp\niha-main\kiprea2.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5156
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UjV0vSrmD8.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5336
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:5572
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3060
        • C:\Users\Admin\AppData\Local\staticfile.exe
          "C:\Users\Admin\AppData\Local\staticfile.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5820

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\UjV0vSrmD8.bat
      Filesize

      171B

      MD5

      c0bb580621d1ec1997e7c8cb07076320

      SHA1

      2cbd008fbb08a485b42c07bc0224767f2b726c3a

      SHA256

      b337ccbdff533be7cb9517cea58a73ffc346da95a098a4335eca30ad8f1799fd

      SHA512

      29b4aae83f7d09f6f166dddb33fe8e527ad4a3d7c90ad91108d348a32e5739818ef1afa6edf2b75847ede2015f883103c1463fa00dfdb26653af116947d15a9d

      Download Submit

    • C:\Users\Admin\AppData\Local\staticfile.exe
      Filesize

      2.3MB

      MD5

      bc9c39299d0b237235882f9b4f99d57a

      SHA1

      145f608cf981af51a3dc3b289c673e25f8abd360

      SHA256

      234835e030956fb4fc80261c06c58050f17c69a1e0120de96b585cc046a468d5

      SHA512

      192ba62f1f2d50a384028e6c8a6c415380f7eb5b1eeedcf38e99e65e36f2237395681d62052edeec17ca451497f364088fcb95b6cef91135f24c709c9db367d1

      Download Submit

    • memory/5156-28-0x00007FF8A4510000-0x00007FF8A4FD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5156-29-0x00007FF8A4510000-0x00007FF8A4FD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5156-6-0x0000000001140000-0x000000000114E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5156-8-0x0000000002A60000-0x0000000002A7C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/5156-10-0x00007FF8A4510000-0x00007FF8A4FD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5156-11-0x000000001B570000-0x000000001B5C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5156-9-0x0000000002A00000-0x0000000002A1C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/5156-13-0x0000000002A90000-0x0000000002AA8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/5156-15-0x0000000002A20000-0x0000000002A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5156-17-0x0000000002A60000-0x0000000002A70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5156-30-0x00007FF8A4510000-0x00007FF8A4FD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5156-20-0x00007FF8A4510000-0x00007FF8A4FD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5156-22-0x000000001B5E0000-0x000000001B5F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5156-23-0x00007FF8A4510000-0x00007FF8A4FD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5156-25-0x000000001B600000-0x000000001B616000-memory.dmp

      Filesize

      88KB

      Download

    • memory/5156-27-0x000000001B620000-0x000000001B632000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5156-4-0x0000000002A30000-0x0000000002A56000-memory.dmp

      Filesize

      152KB

      Download

    • memory/5156-0-0x00007FF8A4513000-0x00007FF8A4515000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5156-19-0x0000000002A70000-0x0000000002A7E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5156-31-0x000000001BB70000-0x000000001C098000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/5156-33-0x0000000002AB0000-0x0000000002ABE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5156-35-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5156-37-0x000000001B5C0000-0x000000001B5D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5156-39-0x000000001B6A0000-0x000000001B6FA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/5156-41-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5156-43-0x000000001B640000-0x000000001B64E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5156-45-0x000000001B670000-0x000000001B688000-memory.dmp

      Filesize

      96KB

      Download

    • memory/5156-47-0x000000001B750000-0x000000001B79E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/5156-2-0x00007FF8A4510000-0x00007FF8A4FD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5156-57-0x000000001B8A0000-0x000000001B949000-memory.dmp

      Filesize

      676KB

      Download

    • memory/5156-58-0x00007FF8A4510000-0x00007FF8A4FD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5156-1-0x0000000000650000-0x000000000089C000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/5820-79-0x000000001BBA0000-0x000000001BC49000-memory.dmp

      Filesize

      676KB

      Download

    • memory/5820-80-0x000000001B800000-0x000000001B808000-memory.dmp

      Filesize

      32KB

      Download