Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-01-2025 07:46
General
-
Target
8c76e7dcc8ae18ed5107083568de5c15.exe
-
Size
2.2MB
-
MD5
8c76e7dcc8ae18ed5107083568de5c15
-
SHA1
b229653c55b499475dc90fd7f517dad0ddf83afa
-
SHA256
75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835
-
SHA512
bb1d47f24fe11a598c85ad3204bf272be66763d20b880996f68f06b0623aa7d823af44a60722977e539f8a80fab1bd9fd8866da0ffc72251d91aa38603ed12bb
-
SSDEEP
49152:a31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:altZUE6NDyTo9lv2F+VvK6
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 12 IoCs
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c76e7dcc8ae18ed5107083568de5c15.exe"C:\Users\Admin\AppData\Local\Temp\8c76e7dcc8ae18ed5107083568de5c15.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Recovery\WindowsRE\fontdrvhost.exe"C:\Recovery\WindowsRE\fontdrvhost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\461d9418-fc22-469b-b3bf-cf1d675ebcc5.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c99ffd89-025b-4601-ad53-8438dbaaf5cb.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14797c6d-3dcf-4c9b-922e-d349f5dccbe5.vbs"7⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\911f2729-4b9e-43a8-bcc6-569ebe1acd5c.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\331a95c9-6645-41a3-b9d7-37034e194c46.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38a2705c-3b88-4ed4-ad0a-4826633ce3e3.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD58c76e7dcc8ae18ed5107083568de5c15
SHA1b229653c55b499475dc90fd7f517dad0ddf83afa
SHA25675e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835
SHA512bb1d47f24fe11a598c85ad3204bf272be66763d20b880996f68f06b0623aa7d823af44a60722977e539f8a80fab1bd9fd8866da0ffc72251d91aa38603ed12bb
-
Filesize
2.2MB
MD55d3af89d022a5254fb73160a9344c5cd
SHA129f80f28bc8a1f30f4377dbb9041605aff4fd484
SHA2566342eadbd0350c42bc903b36487794cfc554a0e94ea389633942c1de23af862e
SHA512740f213116b9fd1dac7193211bb370077cc0568fb944a3c80c050703ac0cf58064b7bc6acd1e5b34f9e5e27ee9b5a24403e000d76de2d89c1a2a6df88b7ebd80
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
713B
MD59c99f1e52de9e1aa519a736570246698
SHA1eeb6ec986c2faba2c29a2c5052ddebc955b7bdbe
SHA2569ac65f925aa7910c9019a94678e2619da8fb3edc18e7af6705d0c570f012631c
SHA512f5a0589908fb909cf280c39f1d659967dbca0f972084e61161bfc6d8f973939d538375b42ccae38a3be86e690d65717f2d8a8686b248d68e7bffe2ff3398d2b0
-
Filesize
2.2MB
MD57417c9c6e8452047bda137edbccf352c
SHA1d735aa0b76988b998c889a3c3d44274931677ca7
SHA256298abec084a8ac0e200108ceea946e456791c6d6fcbed642cb9c3a18227ba04f
SHA512f208e443bd53fbaec502465dcbe4feeaa4377434d980558868ec8fc1028d92889ca621bdc7d9261d70a5cbbfc87b76981419494c37dfef40d56e2c5b8f336db1
-
Filesize
489B
MD5ec61995df511003b2f75d6c30a853b09
SHA138c54c90a336723905a3ea7f7e61fe962fbca44d
SHA2565a1e553059ee49723f22e06fcb081aa2561cbd048e03915d81c129d2a67e8e48
SHA512465fa24bab6d4b50e76f9205f4238be171a0999388bed4f677146e99a5e97321a0424f2dd43734234b2a6bbaeb7a4a8711dcdb636f51c2bbd103a858082567f0
-
Filesize
713B
MD5a5b7bfe45e9345aa62aca46cff7f9edc
SHA1a1cbe563e5c42c5cf2a4eba24383dd6524313075
SHA2562d9937b18b5013b4c314c3e0d0d775c483cc90053ddca51e12449be04b1a8b87
SHA51264e64b93ce991831887350040356ee475d4af167f11986629cd469e19160f494f7f6549aabb2791adb081692f0ae6209b11ce58859e348fd7862635d431ee2d9
-
Filesize
713B
MD50ee69384c2351e29e75886675a268ae3
SHA1c1ec40cead237daea3e37d46417adddb6ddd295e
SHA25687cd430128e7d83c3bae3e5d04fe5bf79732f9f131c2f711c53a2a3c9f4b8b6a
SHA5122b4180b8d61f2693e4c48cdc838d03abaa2dbc03fee56e5baeaa85e2c4328a969a7bfb85a044b1302d71d4d999f29d2f3118932cd191a223fc5c01b86f61bc45
-
Filesize
2.2MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
2.2MB
-
Filesize
1.0MB