Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-01-2025 14:56
General
-
Target
dabf40b2ed8d96638f713f6373ef64cb.exe
-
Size
2.5MB
-
MD5
dabf40b2ed8d96638f713f6373ef64cb
-
SHA1
4c9479e54b394722bdaeff1b36d903502cd1b1fe
-
SHA256
0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911
-
SHA512
0a9abca78917efea2b77dcccf862761e99001a26bba3de871c233b07500c7e414e32ebd41f93e23b332696db1d56aaa9e8357e60ac32efbf06c13bf40abf1fd0
-
SSDEEP
49152:UbA30QsSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvifV:UbcLlK6d3/Nh/bV/Oq3Dxp2RUGV
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 12 IoCs
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dabf40b2ed8d96638f713f6373ef64cb.exe"C:\Users\Admin\AppData\Local\Temp\dabf40b2ed8d96638f713f6373ef64cb.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Mssurrogatebrowserhostperf\8kPsHmvrEcJwjafU40gzsGMXV7Gtxc.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Mssurrogatebrowserhostperf\SmjPROQS4143k.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Mssurrogatebrowserhostperf\Serverbroker.exe"C:\Mssurrogatebrowserhostperf\Serverbroker.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae722c66-e3c0-4082-af96-cdff0c6edf7a.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b663ded-d058-4f3e-b7d8-e14f2094ce08.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1774c9c6-1350-4ef7-aa81-9ab4e89244b3.vbs"10⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed8c3125-6863-4023-bb9b-01ff53e6113d.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cb23e15-0d3d-4c46-93ac-771ceab12554.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb9f760f-4958-438d-a96e-c75caf883a4b.vbs"6⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D6CCB6DA-96A6-431E-8B63-86E4045EF441\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ServerbrokerS" /sc MINUTE /mo 6 /tr "'C:\Windows\uk-UA\Serverbroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Serverbroker" /sc ONLOGON /tr "'C:\Windows\uk-UA\Serverbroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ServerbrokerS" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\Serverbroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5a7e0475eb8e2e26e457a4c752dc26444
SHA1060c460c794a47f44686b717eb8d15f1945edb58
SHA2568ece9e304ffb5cba5d51cb2187907d4910167fca5f67a59d316fd9d2ce47ae52
SHA5129d7cac7d9fd93e3b88c1ea7663af7687ae08e8ee39dcc1549c4fb25d7342f3a9774b7f8e7c1b50ab96b09629ab4c587548a5b1063c843132277c7baa2069cad6
-
Filesize
2.2MB
MD567f998093c11d8a104aef7a92a2d5b26
SHA1cea4392bfb620e2d5b303c7f39fe68a30080a771
SHA256f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1
SHA512e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92
-
Filesize
160B
MD5fa37ae621180833b315a091613c1540f
SHA188d6ec7192566b085231e6a6f05f813a8355514d
SHA256f3f37ca346054c66639f1320cccc5b8f618ce747c5f9086bd18376a9a42a3484
SHA512d77768e84e9e01e3e64e00914c5e8f1067796a369c71939641f052c9f9b7d17aef5c9b5e96449d610976f45e291b567c49fc374099a9284c8045ca51d51c9bd0
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
784B
MD58a77932c1db0dea5ddeddb7ef899e52c
SHA16750e53b57becb46878bf4c33e236812042288d5
SHA25611d2c3f051d02fc9c023ec8977b45e188f54b892acff20f08bdcd3b375ecf01f
SHA5124764f17b15d7516086f2c0e4848e2cb30f47e0e8ade0f2f5f51ac8902bce03c3a31c0b7b5901451f36fff6eef7ab1ca22fbe4b65d845724bf016a92fd1edc34d
-
Filesize
784B
MD5985c17c33c199ba0b6c801267612f8b7
SHA1fa5b4ac2dc3458004af8b0c9e383d721bcf8867b
SHA256563c4aeba058023aaba8850a9ea64c4eb97c58acc93ea268635ddf4ccd4fc0ba
SHA51229fc7570ba5352cbf02b8207432dcf3dbde832e21202aaec37488ef2dafc2cca2615ee71c6ce52633ac3c077d1f48cb2e3ded2b8e26fa77ba35273389d81f4c6
-
Filesize
784B
MD507cbe78754d181875e21939d11578423
SHA11c574e71bdd3c8229ff28b5b2c12eaa34029739a
SHA2568014e6d3daf3702306c1d9e249b43c67d232075fbba17d8fecfa59aae824ff59
SHA5122164546682e2b54d6ace152034b6a33a41058d70bcac1ad2113eac2d34fca484c08d768e42d1e8cb14170969f7116b8163ae778ba766e7a1814723b7327592e4
-
Filesize
560B
MD5d045b2e2915f70397edc9f78a9c6de1d
SHA1d6d59ab6d721604934a57240bdc9a47981f6ed2b
SHA256f457ae5307ecc267d6f5a4067dfb84004cea9ebe0597a40d0457f3132d079ec4
SHA5127b3cb2167348de5ea0e5b79853d1433d7d82f958bf959f539214e44e9d2e2df4a54f5c28471526cda100c28c90b65aef4237e984bbfbec7cbbb24e4599bf90c8
-
Filesize
2.2MB
MD570f35d04041d9c029d59586fc6aa3819
SHA1a9f37462584d22bad8909ffc1c047cdfee84f049
SHA256517ef97c6f4481e5d6eac2ebd79fbbfe34c9dbe59a0f775c0c2a3e3b942aaae6
SHA5121739c6ce05e4fbee9d2829a95b3ca910b28a0f853d2a6e11e779fae7b419c46b7fd22641f28c2b91b826dd3905e478a23fa1e55c31665adea3f6a042d7078f53
-
Filesize
2.2MB
MD58f7cc78342ce512f1cb58ab616e3010a
SHA1a8e089e630df31248c5fdbc637ab991d530e32fc
SHA256474431790aea65c97c1373cd6eb4af6dd9a3578d86cec3992c3967c6102f0e0d
SHA512bd358c203f821883131921fe34454ce89eb27f59b516501960dc477ade5b100fe992b1803f100c822cb812c1c6a06cd42ac53da355fab90c582ecff7251edbdb
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
2.2MB
-
Filesize
8KB