Analysis
-
max time kernel
127s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-02-2025 15:55
General
-
Target
3dce7fce69c35c15988ad7bc647d4681.exe
-
Size
2.7MB
-
MD5
3dce7fce69c35c15988ad7bc647d4681
-
SHA1
bf0b951d922c6e92e40cec56f641a0c48da49b57
-
SHA256
534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb
-
SHA512
99e11b00a61b901a0954dbdd6c1b533c2898662584ea296fd1a92b790ffe10690cf2acba4b595e9d517fc3088ec03450c1d1ee1ce9ae8cfe1a15f24ae14ad33e
-
SSDEEP
49152:Ano0OKQIQaPECv3la9Bc0JpOkFl5B9LzYSbqtR6v:hMvlyG0JpOG50SbOg
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dce7fce69c35c15988ad7bc647d4681.exe"C:\Users\Admin\AppData\Local\Temp\3dce7fce69c35c15988ad7bc647d4681.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3dce7fce69c35c15988ad7bc647d46813" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\3dce7fce69c35c15988ad7bc647d4681.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3dce7fce69c35c15988ad7bc647d4681" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\3dce7fce69c35c15988ad7bc647d4681.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3dce7fce69c35c15988ad7bc647d46813" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\3dce7fce69c35c15988ad7bc647d4681.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Searches\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\Windows\Templates\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows\Templates\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Windows\Templates\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5ab9736d2e5478e7ae44e317dbb1cf146
SHA1bcdb75daf9367f59fa1cfe0e3ee50e4b4b5f19bc
SHA256d9ab159718c03acca74a13dc51ab4448c47f562788f10687ef2c90d91d71c20a
SHA5125e3f356028e61cddf341a94b39ced014a87c17339cdadb18154314a62b37d5acc55dc296e538440004645a541ee190e5167194d01356bb78cb60d0fd3dfc3ddb
-
Filesize
2.7MB
MD53dce7fce69c35c15988ad7bc647d4681
SHA1bf0b951d922c6e92e40cec56f641a0c48da49b57
SHA256534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb
SHA51299e11b00a61b901a0954dbdd6c1b533c2898662584ea296fd1a92b790ffe10690cf2acba4b595e9d517fc3088ec03450c1d1ee1ce9ae8cfe1a15f24ae14ad33e
-
Filesize
2.7MB
MD5b0a948255d162106567790df934007a3
SHA1aab461750998d9603e4ab462a19205bf6b040460
SHA25620131996149fac9a1130b96918041486a1f72c3fde2be902ef76e7b698087388
SHA512aafce1ea8f5205e74362bd201f7d977119651da2fbbbdad3e987082339c125902a7c9813c10bd6bad2a7fd061f508e34595f442a306267e1259e0224ca794b9d
-
Filesize
2.7MB
MD5bd9644caf7670252980b2871e0a88f3e
SHA1e941b896e61850c1a6e95b995129863eb8442b8d
SHA256df65dd359f0e58d4e8cd8070050c3575692390fe6dea0a9770306d4d06b85210
SHA512fdefb11e238d96e963ff6ae34b767642c3abf7994b60c1e1b80ad2ecee092db1d0e05e74e8d01595d2d76de1c35eaefdeefa44fd2428078b92c9abbb3f4bab1b
-
Filesize
2.7MB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
2.7MB
-
Filesize
9.9MB