Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
11-01-2025 06:43
General
-
Target
rat.exe
-
Size
1.6MB
-
MD5
3d8e2b72bd850e6d45114d61462b9f33
-
SHA1
c78aa9851c20a26ee2dc8a91b90f8edcdb46dc77
-
SHA256
6c6d5ba17c53f8eb5c280fc6945f4c4254dee1cdb8600f3a70dfdc64d67f4ec5
-
SHA512
0b57f0522e37f44bbb0c54387a7622da5282be555799148de7d6a2f1ca29ec9b5477a00169d9a1e7a678fc2d22802fdaddae7e66a1b12ab8d807b0cd0d6bb484
-
SSDEEP
24576:U2G/nvxW3Ww0t0ioe8kK14eZeOBQE2iT5tH9DieCUHcOTz21ABA:UbA300irKJUbs9D3CeP6A2
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rat.exe"C:\Users\Admin\AppData\Local\Temp\rat.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\serverBrowserInto\e7YzxotfSKS1PBhA1Cqs.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\serverBrowserInto\Rskh2iY941tkqLaIfZaT1Ha9Hc6.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\serverBrowserInto\chainFontbroker.exe"C:\serverBrowserInto\chainFontbroker.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\serverBrowserInto\chainFontbroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\chainFontbroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\conhost.exe"C:\Users\Admin\Downloads\conhost.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12839/6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\de-DE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainFontbrokerc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\chainFontbroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainFontbroker" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\chainFontbroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainFontbrokerc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\chainFontbroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD538d06bfdeec9ed31eb839cb9b058666b
SHA1dd6d08c50b0d7265d89282901cbe0612ab1dbd4b
SHA256e553d24293cfb81d1fd6e0fbe0a13dbd16e1e606927e28d92d7181f60b95f19c
SHA512d602cb59186277e13c882ce1e36296e00db56d95fa396e6ceb2bc8744df570bd7f51a96c2ed66a65833488af3705da7117c95a80ef697d0635ec256808dbe265
-
Filesize
342B
MD5ae6a1c5ccdbc97ed95f26785b9c473e5
SHA17ab51dd5add4586dc85b922aad3049df05bc7020
SHA2561caed59fb96c2ed639d9343a0a197880d3b3fb6a3f5c9f1bd5195b4e4ff8cda9
SHA512474251b9fa2737d49fc2cfb6afb692d3a13460387ac43256abd16e0ed521d893fda9a87e7116f7df1a534930443dbe56c342a31c7504d9f22781113e254cab14
-
Filesize
342B
MD5bccad0285074ba61a81c18528a0c7fb0
SHA1a5572f4e76afe1833cf5d59695668d28e45b8aac
SHA25699efa0d3eb6ea794e27d3ff7c2c7f2fcaabcec1881686fd6089eafdc11c26b88
SHA51240fabf848240044ff435d39f06d6c26ddc988d7f305b332f7111a33c32405b4da2edaa419d2bd1ffed9852f4c34380355ce6ea1c89c9cd9f8f55a7dfe4a17117
-
Filesize
342B
MD50641cc1bd23930d20e6d0b043125894e
SHA1da255bbfcaea33748db6ab3d01f7bca3a53e1726
SHA256c8998940e81239d8249a9aebe1b8bff90e207a481689bbd5601b847da48e82d1
SHA512bd34c08686b608b283ad4dc74f42ba7ccb0a2bf957239f964eb81fcea3a5a69854aaaceafb638831e5f02aa4420135f214af4603180539a92d1d28c207d5a631
-
Filesize
342B
MD5793e3884508689229fe8e2b704450882
SHA13479cbbcbf6e8847ddc49aa345114d83dfa1a0d8
SHA256ad8cc2819a2ff3c1c33196bc951f1a506c60be42a387381b3d2a04c747d2581a
SHA512614ef403276669199e7fdcd53b273ffc831c4b61a87f31f304661332b2378bd59b66d46c0506062e292cd307e2563b383286531d8b45e682422e2a9443ab7798
-
Filesize
342B
MD510cfcc8209ed3c364adafb6d2a4a86ec
SHA10e4ec3cd10968babd102167f2d9ba0cdaf60a5e3
SHA2564a54d956dca871866242428227b29a452ef2e7dfa872ceb827a601b1fc9f8058
SHA5120f94b11070f6c983ad2ab4e69e840a915821fc04107f91ca39b7dcc3707b8f0e079361471778c3aabe4d953f5cec1d60aabf66cbbc7808e8703bff3c66eed6d9
-
Filesize
342B
MD55026344b9a2187067cb95d69dc0a6899
SHA19aa3f3e5db9c5417449fa21d3bca6512bd8cff95
SHA256ff6039374a91d46bcf305677ccd0a7be60a0d799ea61f65672e8eff159d724bd
SHA51241a83d2a34237dec118383e4565c464e147bada1d9461f5d78814520e6a2e9e9f25ea852553c24bd1af23ff869e4f4dfbe279ae311f45e091fe3af58edbcd9b3
-
Filesize
342B
MD58a1d7e2433d3a70af1bc6b9f1e7c9bc0
SHA1488b45343c347556fb5d8f5b6faaa0fc3ea055b5
SHA2569078159b93c1fa43717524f3149f73cfd95b34c07cd8e1668848ee6f8f95c993
SHA5129b6c8af0dc04c2e90b67a6de7eb2a85ccc007e30976085a5bf578b4c14a31bb50d7859ab023706233afc2eb90531cc8855e259894b3651c9e086e94790e4ae06
-
Filesize
342B
MD5906a3b1df6c1b183c78a61108b5b6456
SHA199c69d68df81cf1186c594322ce4f66d7db27877
SHA25653d97031c2c0283cb7068359e5288310f1bb8097dc0d679e840a1039b7345797
SHA51291945a886751d1f74d05aa353a42a5a7b14463cd5907f86aae3b60ad4d878804d565f5ec16171fee579c946967e248e9c4445dd1e87dc770200359b584549bee
-
Filesize
342B
MD530e4be543a4d85d4761d501f19b8ff47
SHA1526e10edb4bc085ad6cbe061b7dd101046dd7901
SHA256e24e6a94f5eba70f91f6fc3a887724a2c6a8408900554649d2c0259a46ce919d
SHA512acbf9bbdec6fb3ca906e38515529e1387bfada76decda91c134bd0b011012eef7a210af803a2cf3470ec412efa6dfe1487a8aaf9d04a10cd036d23dfff42ed29
-
Filesize
342B
MD58ecd3a3aa6a047f16b6075817550fad9
SHA1e3b2ef6c5cb488138e1ecae252c1a5fd05212843
SHA256eac07750065685cc40c505e082cd87e397f5ccc57c71f845d7fffbb25d3f8561
SHA512d0d1a507d0bc82540ff47dbfd54db3b2458b6a6c4ea930d2ad7e3e838da57f7c531aa88c4f0cf2110c0a22df43d6984fd3f8b7f9e95d7be2860c43653d229a5e
-
Filesize
342B
MD56eeb133697fbfbb50ce55986360aee84
SHA136f09887336ad708b5de7e393c2ecf9adb3b5fa6
SHA256413055b6e2e588274202f07249b4823a45d027df8f2ea7e42784eab155bc6578
SHA51256a5b93f0844c79f315697291b9e97b320b9dbedee6b2fdb824102827d74b829e2ea57fe723ea4f6d15bd36923e82dd3e25ecb81bfa78920e447d20858c1e0d8
-
Filesize
342B
MD5ff4e08d0fc5ed37ba59a75f8cb7a7698
SHA128df3f55995e8532970c45c8fe51b12d7f0de8b7
SHA2569682b58f8328fad45e9f52ef824546e824ea3827ba3baca41339e722f5d24f7b
SHA512abd7eaa16ba0368b59a14e6078cb93e6d6a3e591206f560754a9beca1f75fd22d7af1ad65cf4f2fdb9980950bd7656bf646ae1643e195f460eb248d58e2fb23a
-
Filesize
342B
MD5a0aece30bd7d9541342507ec602ffe8a
SHA130028bc0fd1f39565273693764ec2a7a085b0470
SHA256a0013761eedd6b013eca3ba5615e194699672ffc179b709b98689f1613ebd323
SHA512303aa14e4c26196744259d5fab86c3332bf11f9be9f8b88212b0e9901cdbd6cdfc790848e5e2bfc9d5ca8c2fbd861e73c9183a3a4b2c50a139b772c92cb2a1bf
-
Filesize
342B
MD5de6060195d803832c1d5674ac27087a2
SHA1c8cb215afb80862cff184ab9e44b5c319362bd2e
SHA25664df9e7deab6b002deea2794bc0e7ca00ad6afc28115d0630fd1daff5bb471e5
SHA51261fe10adf1a050669386fba26329ea5de2276ddd8d40c5e9a06c46a57dc31b92e6ae2e54c5e3d9319649b49447e2d1fc83761060a2c130ea9fa448e3c4f2498d
-
Filesize
342B
MD5818a380a36375fe1d57610e67ea617d6
SHA13d3f2ac8b5b39efdd45d7958900f294ac039e361
SHA256d654c8e09c9c1884be16f9dedc3f3a07028c2edc95784bbf7778d838f8e5d2c4
SHA5124040a24b4b05a3d4261ba911ab89e8fb5a2449cc2b2fe9ed9e1f224fbc01c80d6ca728f5c4a60a278e0aafa541286f9ddc06922e2ac03ca7757896c785ea0a17
-
Filesize
342B
MD52031acaed11546143de1ebeb909ef0e4
SHA19a10d73d9a32ada7c4117ac5b536e63e2c23de30
SHA256af0f4e95bf794ab5fe0ef261b3750c7321f058c86483396ac452a0006ff7b394
SHA5125a328f56f249ad9067930eb204f1c39fc6f191e38c702f0054b3ff5fae35d0a1deae5e64078ec94b4e179df19608f835f52bb931fdff8a10f6d01a40d69be71d
-
Filesize
342B
MD554811852883bfac3f3e47f8a7a09ae3d
SHA17a9340c92da945db241f2e0eb41218425f0bff2f
SHA2565b5913a5943156073bd0ff9d00d325704ccff57f0ad8625e9294d0b0e95d6745
SHA5120f666578084f4becfcd4f8296c3bb243ea4846cc651d748b293a0d986b3c8e529a7a9584d5ddc5a00b9fdf32b485ab2583a14faf9adb5f8d43c0d3043c0bccfa
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
7KB
MD587af9091af99c644b42279f2a5a9f7c2
SHA1d08185a82216d92a11bb485465bf128298e47477
SHA2560afe46118625deb03167fd482f7539445ad7957b11328b1904bda7db93476bd7
SHA512295c876d45d68dc0ae4e167d1a759e87a4e87af36ef92c81451f50015f765f9213b755da2d7ccc71e2b6302f62c864b8ebe2a073cce0850c1a5ce048095b372f
-
Filesize
42B
MD57098df22ae7e28aae230fd3d32d0ae92
SHA1532360293037ea9542bef3bcee4260210647aafe
SHA25662712fb192cb815fc15bbb981dbc2f7ed1aa0aede7e0ee132775b5d5bfc2c5cb
SHA512acac3ac729680fdba30f8db7daa8cf8609a6540be558bb5c2a3a264e39bc79854e8fd4e2a4282c58445d79ded5c8e2df9999f5dc1e1adf599438a1d96cbecedf
-
Filesize
221B
MD57e02609e94304f654ba265c01531d1c2
SHA147041b8e578394a0a9e9150598e28a58d72f8aff
SHA256ea7526ec3517fd59b5d3dedb05e8888600ead35991184d750815d80b064ce00a
SHA5122fef0763c75415af6e538f1f05fa88c5147729db1e3babb9c8d494db4ba54c06b7f550e803e7dcc8af336f5a3266711ecac32e20f1ed1477276c24d1e74c1c4e
-
Filesize
1.3MB
MD5240fac6e181957232e4e09596d54714f
SHA129a9c6eff91f79612b38f2f0277a2bf9ad851133
SHA2566260051d6d855025e500947512e5903be100624032054219cbbd62c78af0b2e5
SHA5129e09dadec874db913116e82f60891f74ec2356d483a1c265405bb92dc05fdc7fc27775293d380f649e1b8140811a3987941cdec4b84fdae9eae3f3c1febc17f0
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
2.9MB