Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 00:52
Static task: static1
Behavioral task: behavioral1
  Sample: malware.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: malware.exe
  Resource: win10v2004-20240508-en
General
Target: malware.exe
Size: 1.9MB
MD5: 4825e7df93d8acb3dd236cc14c342a71
SHA1: 5cc72cdde2d55a8c5e01ccd80cbb5743bc60ca1b
SHA256: c84bbfce14fdc65c6e738ce1196d40066c87e58f443e23266d3b9e542b8a583e
SHA512: a2e8aa90a719cdddb2f9a4fb21b43f6471cb06e0cb94bd041f26b6a4e11bd820a04c5ea832bb899a91db73d7114b046834afe788d6c03d71b1bf6697272de591
SSDEEP: 24576:Ware5SMXhd8zlKNfn6LQrmq4Ku0a7ttoXJZ4pt+NfCgPc52L6cnPmJ9C7CnzpCrk:WvgTW0uNmJPCrjTpM5B3L/q0vlU426n
Malware Config
Signatures
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
YARA hit:
  resource: behavioral2/memory/3268-22-0x0000000000400000-0x0000000000456000-memory.dmp
  yara_rule: dcrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely for geofencing.
  process: malware.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
  pid: 4260  process: DllHelper.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 4260 set thread context of 3268
  pid/process: 4260 DllHelper.exe
  target process: InstallUtil.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid   process          hits
  3016  malware.exe      10
  4260  DllHelper.exe    10
  3268  InstallUtil.exe  1
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid/process: 3268 InstallUtil.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  source pid  source process  target pid  target process   hits
  3016        malware.exe     2596        schtasks.exe     3
  3016        malware.exe     4260        DllHelper.exe    3
  3016        malware.exe     3412        cmd.exe          3
  3412        cmd.exe         3964        chcp.com         3
  3412        cmd.exe         4812        PING.EXE         3
  4260        DllHelper.exe   3268        InstallUtil.exe  5
Processes
C:\Users\Admin\AppData\Local\Temp\malware.exe (PID 3016)
  "C:\Users\Admin\AppData\Local\Temp\malware.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 2596)
    "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
    - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppVerif\DllHelper.exe (PID 4260)
    "C:\Users\Admin\AppVerif\DllHelper.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 3268)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 3412)
    "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\malware.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\chcp.com (PID 3964)
      chcp 65001
    C:\Windows\SysWOW64\PING.EXE (PID 4812)
      ping 127.0.0.1
      - Runs ping.exe
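The process tree shows three behaviours worth turning into detections: a logon-triggered, highest-run-level scheduled task (named COMSurrogate, after the display name of Windows' dllhost.exe) whose action lives under the user profile; a cmd.exe chain that uses ping 127.0.0.1 as a delay before deleting the original sample; and an argument-less InstallUtil.exe spawned by the dropped DllHelper.exe, which is the classic shape of a hollowed .NET host. The following Python is an added example, not part of the sandbox report or the sample: it runs those three checks over constructed process-creation events that mirror the tree above. The record layout (pid/ppid/image/cmdline) is an assumption modelled on Sysmon Event ID 1, ppid 0 stands in for the root's parent that the report does not show, and USER_WRITABLE and the HOLLOW_HOSTS entries other than InstallUtil.exe are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events mirroring the report's process tree.
# PIDs, images and command lines come from the report; the field layout is an
# assumption (Sysmon Event ID 1 style). ppid 0 = parent not in the report.
EVENTS = [
    {"pid": 3016, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\malware.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\malware.exe"'},
    {"pid": 2596, "ppid": 3016, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"'},
    {"pid": 4260, "ppid": 3016, "image": r"C:\Users\Admin\AppVerif\DllHelper.exe",
     "cmdline": r'"C:\Users\Admin\AppVerif\DllHelper.exe"'},
    {"pid": 3268, "ppid": 4260, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"pid": 3412, "ppid": 3016, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\malware.exe"'},
    {"pid": 3964, "ppid": 3412, "image": r"C:\Windows\SysWOW64\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 4812, "ppid": 3412, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

# Path fragments a standard user can write to (assumption; tune for your estate).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Signed .NET framework binaries used as hollowing hosts. InstallUtil.exe is the
# host seen in this report; the others are an assumption based on the same pattern.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "applaunch.exe"}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def check_schtasks(ev):
    """Logon/boot-triggered or highest-run-level task whose action is in a user-writable path."""
    if basename(ev["image"]) != "schtasks.exe":
        return None
    args = tokenize(ev["cmdline"])
    low = [a.lower() for a in args]
    if "/create" not in low:
        return None
    opts = {low[i]: args[i + 1] for i in range(len(args) - 1)
            if low[i] in ("/tn", "/sc", "/rl", "/tr")}
    reasons = []
    if opts.get("/sc", "").lower() in ("onlogon", "onstart"):
        reasons.append(f"trigger {opts['/sc']}")
    if opts.get("/rl", "").lower() == "highest":
        reasons.append("run level highest")
    if in_user_writable(opts.get("/tr", "")):
        reasons.append(f"action in user-writable path {opts['/tr']}")
    if len(reasons) < 2:  # require two signals to keep admin-created tasks out
        return None
    return Finding("schtasks_persistence", ev["pid"], f"task {opts.get('/tn', '?')}: " + ", ".join(reasons))


def check_self_delete(ev, by_pid):
    """cmd.exe that waits (ping/timeout) and then deletes its own parent's image."""
    if basename(ev["image"]) != "cmd.exe":
        return None
    low = ev["cmdline"].lower()
    parent = by_pid.get(ev["ppid"])
    if parent is None or not re.search(r"\b(ping|timeout)\b", low) or not re.search(r"\b(del|erase)\b", low):
        return None
    if parent["image"].lower() in low:
        return Finding("self_delete", ev["pid"], f"deletes parent image {parent['image']} after a delay")
    return None


def check_hollow_host(ev, by_pid):
    """Argument-less .NET host spawned by a binary living in a user-writable path."""
    if basename(ev["image"]) not in HOLLOW_HOSTS or len(tokenize(ev["cmdline"])) > 1:
        return None
    parent = by_pid.get(ev["ppid"])
    if parent is None or not in_user_writable(parent["image"]):
        return None
    return Finding("hollow_host", ev["pid"], f"{basename(ev['image'])} with no arguments spawned by {parent['image']}")


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for f in (check_schtasks(ev), check_self_delete(ev, by_pid), check_hollow_host(ev, by_pid)):
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

The hollow_host rule is a proxy that fires from process-creation telemetry alone; the direct evidence of hollowing in this report is the SetThreadContext signature (PID 4260 setting the thread context of 3268) together with the five WriteProcessMemory calls from DllHelper.exe into InstallUtil.exe, so an EDR that exposes those calls should correlate them with the argument-less host rather than rely on the proxy.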
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/3016-1-0x00000000028E0000-0x0000000002A82000-memory.dmp  (Filesize 1.6MB)
memory/3016-2-0x00000000028E0000-0x0000000002A82000-memory.dmp  (Filesize 1.6MB)
memory/3268-20-0x0000000000400000-0x0000000000456000-memory.dmp  (Filesize 344KB)
memory/3268-22-0x0000000000400000-0x0000000000456000-memory.dmp  (Filesize 344KB)
memory/3268-23-0x00000000061A0000-0x0000000006744000-memory.dmp  (Filesize 5.6MB)
memory/4260-16-0x0000000002350000-0x00000000024FC000-memory.dmp  (Filesize 1.7MB)
memory/4260-17-0x0000000002350000-0x00000000024FC000-memory.dmp  (Filesize 1.7MB)
memory/4260-18-0x0000000010FB0000-0x00000000112A6000-memory.dmp  (Filesize 3.0MB)
memory/4260-19-0x0000000010FB0000-0x00000000112A6000-memory.dmp  (Filesize 3.0MB)
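The dump names encode PID, snapshot sequence number and the address range, and several ranges are dumped more than once (sequence 20 and 22 for PID 3268, 16/17 and 18/19 for PID 4260). The dcrat YARA hit lands on the 0x400000-0x456000 region inside InstallUtil.exe (PID 3268), the address at which an injected PE is typically mapped in a hollowed host. The following Python is an added example, not part of the sandbox's tooling: it parses the names above (copied here as constructed input), reproduces the report's size column, collapses duplicate snapshots to the latest one, and picks the region at the classic non-ASLR EXE base as the first carve target. The 0x400000 heuristic and the host PID set are assumptions.

```python
import re
from dataclasses import dataclass

# Dump names copied from the Downloads list above (constructed input for this example).
DUMPS = [
    "memory/3016-1-0x00000000028E0000-0x0000000002A82000-memory.dmp",
    "memory/3016-2-0x00000000028E0000-0x0000000002A82000-memory.dmp",
    "memory/3268-20-0x0000000000400000-0x0000000000456000-memory.dmp",
    "memory/3268-22-0x0000000000400000-0x0000000000456000-memory.dmp",
    "memory/3268-23-0x00000000061A0000-0x0000000006744000-memory.dmp",
    "memory/4260-16-0x0000000002350000-0x00000000024FC000-memory.dmp",
    "memory/4260-17-0x0000000002350000-0x00000000024FC000-memory.dmp",
    "memory/4260-18-0x0000000010FB0000-0x00000000112A6000-memory.dmp",
    "memory/4260-19-0x0000000010FB0000-0x00000000112A6000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (naming convention as seen in the report)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def human_size(n: int) -> str:
    """Same rounding the report's Filesize column uses: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def distinct_regions(names):
    """Collapse repeated snapshots of one (pid, start, end) range to the latest sequence number."""
    latest = {}
    for r in map(parse_dump_name, names):
        key = (r.pid, r.start, r.end)
        if key not in latest or r.seq > latest[key].seq:
            latest[key] = r
    return sorted(latest.values(), key=lambda r: (r.pid, r.start))


def injected_image_candidates(names, host_pids, base=0x400000):
    """Heuristic (assumption): in a hollowed host the payload PE sits at the default
    non-ASLR EXE base 0x400000, so a region starting there in a host PID is the
    first thing to carve and scan with the family YARA rule."""
    return [r for r in distinct_regions(names) if r.pid in host_pids and r.start == base]


if __name__ == "__main__":
    for r in distinct_regions(DUMPS):
        print(f"pid {r.pid} seq {r.seq:>2} 0x{r.start:08X}-0x{r.end:08X} {human_size(r.size):>6}")
    for r in injected_image_candidates(DUMPS, {3268}):
        print(f"carve first: memory/{r.pid}-{r.seq}-0x{r.start:016X}-0x{r.end:016X}-memory.dmp")
```

The 344KB region is the right size for a small .NET payload, and the 5.6MB region that follows it in PID 3268 is the one to look at if the carved image turns out to be a loader rather than the RAT itself.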