Analysis
- max time kernel: 91s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 19:57
Behavioral task behavioral1
- Sample: Modrinth.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: Modrinth.exe
- Resource: win10v2004-20240704-en
General
- Target: Modrinth.exe
- Size: 6.8MB
- MD5: 21cad48edbc93da2d1e1ab6f6632461a
- SHA1: 667a584eae5a57937d66d64249c26c8b1b2abf8f
- SHA256: 32619382ab72416dff258bff30a8b505d6e69e818345612892a121c28f3b23b0
- SHA512: 9125263a9b31336d350e19f9c79460038f7a6c48db109001e93fd8d7e8aba30c3bf44a362c4f3ee87294d3cf9052cbc8d7da518d34356212cb6f914a9990a21d
- SSDEEP: 196608:UQKQUc/HMlS2JxmYcmcg7XGqb6Msq51GPo:XKwslSDVoXGe1GQ
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) RAT is a .NET RAT active since June 2019, capable of loading additional plugins.
Processes:
- resource: behavioral2/memory/3880-5-0x0000000000400000-0x0000000000AD7000-memory.dmp; yara_rule: dcrat
This is the only DcRat indicator in the report: a YARA match on the memory dump of PID 3880 (Modrinth.exe) covering 0x00400000-0x00AD7000. 0x00400000 is the default image base for 32-bit PE executables and the dump is 6.8MB, the same as the sample, so the rule matched the sample's own mapped image. Every behaviour recorded below is the Windows Installer activity of the MSI the sample writes to Temp, so treat the DcRat label as a classification to verify against the sample rather than as a confirmed result.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing. The same value (Control Panel\International\Geo\Nation) is read by ordinary locale-aware software, so the read on its own does not settle intent.
Processes:
- Modrinth.exe: Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation
Blocklisted process makes network request 1 IoCs
Processes:
- msiexec.exe (pid 556): flow 8
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- msiexec.exe: File opened (read-only) on 23 drive roots, \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (sorted here; the report lists them in the order K, L, N, U, V, W, B, G, Y, P, Q, R, S, T, A, J, O, E, H, X, Z, I, M; C:, D: and F: do not appear)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
- Modrinth.exe: Key created \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
- msiexec.exe (pid 556), 31 tokens in the order logged: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (SeShutdownPrivilege and SeIncreaseQuotaPrivilege each appear twice, so 29 distinct privileges)
- msiexec.exe (pid 3324, the only other msiexec.exe PID in the report, i.e. the msiexec.exe /V instance), 1 token: SeSecurityPrivilege, logged between the first two entries for pid 556
msiexec.exe requests this privilege set during ordinary MSI installs as well, so the entry describes what the installer could do with an elevated token rather than being a verdict on its own.
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- msiexec.exe (pid 556)
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
- Modrinth.exe (PID 3880) wrote to the memory of msiexec.exe (PID 556), logged three times
Modrinth.exe is the parent that launched this msiexec.exe, and a parent writing into a child it has just created is also what ordinary process start-up looks like, so read this entry together with the other indicators rather than alone.
Processes
- C:\Users\Admin\AppData\Local\Temp\Modrinth.exe (PID 3880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Modrinth.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 556, child of Modrinth.exe)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi"
    The image path is SysWOW64 although the command line names System32: Modrinth.exe is a 32-bit process (the arch:x86 resource tag above), so WOW64 file-system redirection maps System32 to SysWOW64 for it and the 32-bit msiexec.exe client is what runs.
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3324, the only other msiexec.exe PID in the report)
  Command line: C:\Windows\system32\msiexec.exe /V
  msiexec.exe /V is the Windows Installer service process that performs the install on behalf of the /i client; it is started by the service, not by Modrinth.exe, which is why it sits at the top level of the tree.
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi
  Filesize: 5.0MB
  MD5: 5003486a784143bc96c3577172bbb44a
  SHA1: 9a960998807126041fae5b4fe9488d7ff3c5ca42
  SHA256: b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59
  SHA512: 3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19
- memory/3880-5-0x0000000000400000-0x0000000000AD7000-memory.dmp
  Filesize: 6.8MB
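As an added check that is not part of the sandbox report or of the Modrinth project: the report flattens each signature table into one run-together line, which makes the three questions a reviewer asks here (where exactly in PID 3880 did the dcrat rule fire, which privileges did each msiexec.exe PID really request, and which drive roots were and were not probed) tedious to answer by eye. The script below parses copies of those lines from the report and answers them. The regular expressions, the assumption that the report's "6.8MB" figures are MiB rounded to one decimal, the 0x00400000 default-image-base check and the HIGH_IMPACT privilege set are my own, not anything the sandbox or the vendor publishes.

```python
"""Added cross-checks on the flattened tables in the report above (not part of
the sandbox report or of the Modrinth project). Input strings are copied from
the report; the regexes, the MiB rounding and HIGH_IMPACT are my assumptions."""
import re

# YARA hit resource name and reported size, copied from the report above.
DUMP_RESOURCE = "behavioral2/memory/3880-5-0x0000000000400000-0x0000000000AD7000-memory.dmp"
REPORTED_SAMPLE_MB = 6.8  # "Size 6.8MB" in General; the .dmp is listed at 6.8MB too

# "Suspicious use of AdjustPrivilegeToken" table as the report flattens it (copied).
PRIV_LINE = (
    "msiexec.exemsiexec.exedescription pid process "
    "Token: SeShutdownPrivilege 556 msiexec.exe Token: SeIncreaseQuotaPrivilege 556 msiexec.exe Token: SeSecurityPrivilege 3324 msiexec.exe Token: SeCreateTokenPrivilege 556 msiexec.exe "
    "Token: SeAssignPrimaryTokenPrivilege 556 msiexec.exe Token: SeLockMemoryPrivilege 556 msiexec.exe Token: SeIncreaseQuotaPrivilege 556 msiexec.exe Token: SeMachineAccountPrivilege 556 msiexec.exe "
    "Token: SeTcbPrivilege 556 msiexec.exe Token: SeSecurityPrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeLoadDriverPrivilege 556 msiexec.exe "
    "Token: SeSystemProfilePrivilege 556 msiexec.exe Token: SeSystemtimePrivilege 556 msiexec.exe Token: SeProfSingleProcessPrivilege 556 msiexec.exe Token: SeIncBasePriorityPrivilege 556 msiexec.exe "
    "Token: SeCreatePagefilePrivilege 556 msiexec.exe Token: SeCreatePermanentPrivilege 556 msiexec.exe Token: SeBackupPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe "
    "Token: SeShutdownPrivilege 556 msiexec.exe Token: SeDebugPrivilege 556 msiexec.exe Token: SeAuditPrivilege 556 msiexec.exe Token: SeSystemEnvironmentPrivilege 556 msiexec.exe "
    "Token: SeChangeNotifyPrivilege 556 msiexec.exe Token: SeRemoteShutdownPrivilege 556 msiexec.exe Token: SeUndockPrivilege 556 msiexec.exe Token: SeSyncAgentPrivilege 556 msiexec.exe "
    "Token: SeEnableDelegationPrivilege 556 msiexec.exe Token: SeManageVolumePrivilege 556 msiexec.exe Token: SeImpersonatePrivilege 556 msiexec.exe Token: SeCreateGlobalPrivilege 556 msiexec.exe"
)

# "Enumerates connected drives" table, flattened the same way (copied).
DRIVE_LINE = (
    r"msiexec.exedescription ioc process File opened (read-only) \??\K: msiexec.exe "
    r"File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe "
    r"File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Y: msiexec.exe "
    r"File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe "
    r"File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe "
    r"File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe "
    r"File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe"
)

DUMP_RE = re.compile(r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
                     r"0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
PRIV_RE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):")
DEFAULT_32BIT_IMAGE_BASE = 0x400000  # linker default image base for 32-bit PE executables
# Privileges that let a process read or alter other processes, files or the kernel (my choice).
HIGH_IMPACT = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
               "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}


def parse_dump_resource(name):
    """Split '<task>/memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp' into numbers."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump resource: {name!r}")
    base, end = int(m["base"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "index": int(m["idx"]),
            "base": base, "end": end, "size": end - base}

def to_mib(nbytes):
    """One-decimal MiB, which is how the report's 6.8MB figures round (assumed)."""
    return round(nbytes / (1024 * 1024), 1)

def dump_is_main_image(resource, sample_mb):
    """True when the dumped region sits at the 32-bit default image base and has the
    sample's own size, i.e. the YARA rule matched the mapped sample itself rather
    than some other region (heap, injected code) of the process."""
    d = parse_dump_resource(resource)
    return d["base"] == DEFAULT_32BIT_IMAGE_BASE and to_mib(d["size"]) == sample_mb

def parse_privileges(line):
    """(privilege, pid, process) tuples in the order the report logged them."""
    return [(priv, int(pid), proc) for priv, pid, proc in PRIV_RE.findall(line)]

def privileges_by_pid(line):
    """Distinct privileges per PID (the report repeats a few entries)."""
    out = {}
    for priv, pid, _proc in parse_privileges(line):
        out.setdefault(pid, set()).add(priv)
    return out

def high_impact_privileges(line, pid):
    """Sorted subset of HIGH_IMPACT that one PID requested."""
    return sorted(privileges_by_pid(line).get(pid, set()) & HIGH_IMPACT)

def parse_drive_roots(line):
    """Drive letters whose root the process opened, sorted and de-duplicated."""
    return sorted(set(DRIVE_RE.findall(line)))

def drives_not_probed(line):
    """Letters the enumeration skipped; the signature text itself only excludes C:."""
    return sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(parse_drive_roots(line)))

if __name__ == "__main__":
    d = parse_dump_resource(DUMP_RESOURCE)
    print(f"dump: pid={d['pid']} base=0x{d['base']:08X} size={to_mib(d['size'])} MiB "
          f"main_image={dump_is_main_image(DUMP_RESOURCE, REPORTED_SAMPLE_MB)}")
    for pid, privs in sorted(privileges_by_pid(PRIV_LINE).items()):
        print(f"pid {pid}: {len(privs)} distinct privileges, high impact: "
              f"{high_impact_privileges(PRIV_LINE, pid)}")
    print(f"drive roots opened: {''.join(parse_drive_roots(DRIVE_LINE))}; "
          f"skipped: {''.join(drives_not_probed(DRIVE_LINE))}")
```

Run stand-alone it reports that the dump region is 0x6D7000 bytes (6.8 MiB) starting at the 32-bit default image base, so the dcrat rule fired on the mapped Modrinth.exe image itself; that PID 556 requested 29 distinct privileges including all six in HIGH_IMPACT while PID 3324 requested only SeSecurityPrivilege; and that the drive probe covered 23 roots and skipped C:, D: and F:. None of that changes the verdict by itself (msiexec.exe requests these privileges and probes drive roots during any install); it tells you which single artifact, the sample's own image, the DcRat classification rests on, which is where to point a second opinion such as a different rule set or a manual look at the binary.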