Analysis

  • max time kernel
    91s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2024, 02:45

General

  • Target

    cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe

  • Size

    2.8MB

  • MD5

    2397e7230770a20dd685f8903b0e7759

  • SHA1

    bc280c16c4f89338df7c3745d0821432443d565c

  • SHA256

    cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67

  • SHA512

    97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa

  • SSDEEP

    49152:Or8U+ST8nT/r5mZxSuCspYhU7F6511YoWN/qiUt9ETxJ5WGAf2VR:vSi/rwZYuCspQUA5vNWNqGfAGAA

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3660
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ryfxXmZBx.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:216
        • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe
          "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:3672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PrintDialog\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:60
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:324
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4460
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4936

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe

            Filesize

            2.8MB

            MD5

            0c9d53abcd0b101509cbaac22edddbf4

            SHA1

            aca4f5ee718a56092414d88ec481688809128827

            SHA256

            51ec9e2169306feae98fae7613b7577f51d5e8aa3c7ea8fe2339005b9d580f79

            SHA512

            f6faf6656a3c6a46249cc41178981ee84896b6f3f3c0f9d5d18275b2593cf0542958e203a4c5162601afe53ab45302e4efd7c876d9ef573037a553367c73bb0c

          • C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe

            Filesize

            2.8MB

            MD5

            ca7f5fd10bd8e691232ef4247b74a1dc

            SHA1

            ac0c89b983f196fd87079122ee3e369014f06b2b

            SHA256

            1134ca885e92277be87acc2de25a6e5ec727f6f5b776639135576d3a8b3932f2

            SHA512

            da86c080a3ee5e0f9b43751f166278700cf4be017df8ea232cd4f8149192ac6c00cb4ac22e5dfb8ed13c074a93f47daae232d89b30b7d8be4bd7f848ca63f22d

          • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe

            Filesize

            2.8MB

            MD5

            55b44b2aa67aeb5c1978020fe0525ab0

            SHA1

            fd4586c4a198ad77659790bdbe7f5af6bf4631e1

            SHA256

            99d7df56a6722c0b7d43179542b6ab93ba49ceb7876b3ab638dc7810b160f405

            SHA512

            d616e1e297310fce9d8322b73d1834144ddcb82ed26efd5d964baa95e7aab7f964ccdec72cbec0a9c43362a5bcb138fd3c491da94111c1d0f4ffa708ac7c8fec

          • C:\Recovery\WindowsRE\fontdrvhost.exe

            Filesize

            2.8MB

            MD5

            3862b35134c9578137946e8c8f6f2558

            SHA1

            fa0a99694accf014b4bd241e07c915e0f8051bd6

            SHA256

            f781efcb9fb79269c8015fb1e0738d135c3f724b331c8a3eaee750171c1393c2

            SHA512

            5c1be4e42b4e8107f639d1089d1608738fb1123e07d2176f25db23a6d8f7ff811361c6df118e662bcd6344c52091d71a30b5ba1fa9a1b2484862dd04ae3d630d

          • C:\Recovery\WindowsRE\upfc.exe

            Filesize

            2.8MB

            MD5

            2397e7230770a20dd685f8903b0e7759

            SHA1

            bc280c16c4f89338df7c3745d0821432443d565c

            SHA256

            cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67

            SHA512

            97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa

          • C:\Recovery\WindowsRE\upfc.exe

            Filesize

            2.8MB

            MD5

            bd706a261eee6ace2d2aa0a35f1a3659

            SHA1

            7090bf7dd97c0ef87cf6da75f14764599a08a31e

            SHA256

            a2d56fe9e690c760fc7328bf380699a74230e55f53fb5bdd65119ff44a7c7fa7

            SHA512

            ed19653b2bf438bc3b630219281bf8afcb09ed49a359a20d79ddc3c2733093bc46dcf9c83d14cd35bdb93ed292084c042cce89a0341fd6f1166e00877b431a63

          • C:\Users\Admin\AppData\Local\Temp\2ryfxXmZBx.bat

            Filesize

            269B

            MD5

            748c7f6dbdc2dcdb68744c341b7c126d

            SHA1

            53b8e066babcec9224cc0adb46bfe4fdef9527dc

            SHA256

            03223c537c10b5ba3ac4487240494aa481346fc7c9d1fb55e1e8581938e28d9f

            SHA512

            750f424de3b29bcfc0cb0ed056fbff737ec1035456fedaa6f27ed8f31865cdae2013de50c20f4aeaedf09f67ee89e6c994da0b01536e3d79be39955c5ae0558f

          • memory/3660-6-0x0000000002BD0000-0x0000000002BD8000-memory.dmp

            Filesize

            32KB

          • memory/3660-18-0x000000001B850000-0x000000001B85C000-memory.dmp

            Filesize

            48KB

          • memory/3660-0-0x00007FF80F383000-0x00007FF80F385000-memory.dmp

            Filesize

            8KB

          • memory/3660-10-0x0000000002D50000-0x0000000002D5A000-memory.dmp

            Filesize

            40KB

          • memory/3660-11-0x000000001B7A0000-0x000000001B7F6000-memory.dmp

            Filesize

            344KB

          • memory/3660-12-0x0000000002DB0000-0x0000000002DB8000-memory.dmp

            Filesize

            32KB

          • memory/3660-13-0x000000001B800000-0x000000001B812000-memory.dmp

            Filesize

            72KB

          • memory/3660-14-0x000000001C3C0000-0x000000001C8E8000-memory.dmp

            Filesize

            5.2MB

          • memory/3660-16-0x000000001B840000-0x000000001B84C000-memory.dmp

            Filesize

            48KB

          • memory/3660-15-0x000000001B830000-0x000000001B838000-memory.dmp

            Filesize

            32KB

          • memory/3660-17-0x000000001C0D0000-0x000000001C0D8000-memory.dmp

            Filesize

            32KB

          • memory/3660-20-0x000000001B870000-0x000000001B87E000-memory.dmp

            Filesize

            56KB

          • memory/3660-23-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-22-0x000000001C0F0000-0x000000001C0FC000-memory.dmp

            Filesize

            48KB

          • memory/3660-21-0x000000001C0E0000-0x000000001C0EC000-memory.dmp

            Filesize

            48KB

          • memory/3660-7-0x0000000002D10000-0x0000000002D20000-memory.dmp

            Filesize

            64KB

          • memory/3660-19-0x000000001B860000-0x000000001B86E000-memory.dmp

            Filesize

            56KB

          • memory/3660-26-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-8-0x0000000002D20000-0x0000000002D36000-memory.dmp

            Filesize

            88KB

          • memory/3660-9-0x0000000002D40000-0x0000000002D48000-memory.dmp

            Filesize

            32KB

          • memory/3660-5-0x0000000002D60000-0x0000000002DB0000-memory.dmp

            Filesize

            320KB

          • memory/3660-4-0x0000000002CF0000-0x0000000002D0C000-memory.dmp

            Filesize

            112KB

          • memory/3660-3-0x0000000002BC0000-0x0000000002BCE000-memory.dmp

            Filesize

            56KB

          • memory/3660-2-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-152-0x00007FF80F383000-0x00007FF80F385000-memory.dmp

            Filesize

            8KB

          • memory/3660-170-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-172-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-1-0x00000000007F0000-0x0000000000ABA000-memory.dmp

            Filesize

            2.8MB

          • memory/3672-177-0x00000000001B0000-0x000000000047A000-memory.dmp

            Filesize

            2.8MB

          • memory/3672-178-0x000000001B7A0000-0x000000001B7F6000-memory.dmp

            Filesize

            344KB