Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
07-02-2025 04:28
General
-
Target
2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2.exe
-
Size
1.6MB
-
MD5
b330a516dc2ed01776ad58b0dc970216
-
SHA1
78db141d31b8131aabd9ba1c9144a33c8cd6842b
-
SHA256
2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2
-
SHA512
f25f66055176b4060b94ff3c765d54d6d7ee0186b70001205c2e65696180a57b32de897df1664bad8611f81da0f3267b6daf9eea46a0c68c4746c54a56999209
-
SSDEEP
24576:GlZi59u2GRCRXXdoOH0dMPg/riXqsLS29ryVYNN+GCiRtnATOD:GPfsDHwsg/riE29rC2+GJRVA
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2.exe"C:\Users\Admin\AppData\Local\Temp\2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zesslmb\5zesslmb.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AC0.tmp" "c:\Windows\System32\CSC4ADB88D0BEDF46699CB652F295D73CA4.TMP"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3v93bNNHKx.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files (x86)\Windows Sidebar\winlogon.exe"C:\Program Files (x86)\Windows Sidebar\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Skins\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Skins\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee22" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee22" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\2b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
179B
MD57aa096f711f7f3692a585bcbd7cc86a2
SHA1816dbda0f8981a866d8724291786fd8214662cdf
SHA256656823bf735562f5a622c8db44562b0a8b244b615d410abf70429d9e2576c4c7
SHA51289feda4fda3192969d8e2e12a6ea4cfdef37f15996f0da1deb13ece29ae9999f9e7a1680149995766632a6c8a56bc24eec40885d457476af19c27fe9eb0653c4
-
Filesize
1KB
MD507bd60766389f11d66b3dacf539f8020
SHA178085732b8c671a6d6c38fe7b872b5096898dc08
SHA25683615824bd6eeede4b292576a591003cbaf9ae70619616b5bb8f5cd01ab6d47b
SHA512ad4719e2e011e2fc8d8b0a9d5487c5829ff0ef855ed69bb46eeb8814c8fbf454a3070c698da0020067956a5221792924c20cc879c3e4c505cf45f6aa3256d950
-
Filesize
1.6MB
MD5b330a516dc2ed01776ad58b0dc970216
SHA178db141d31b8131aabd9ba1c9144a33c8cd6842b
SHA2562b513177e1ebb418f3e4d2cd3947c0b248bdd064188538d00518118dd916aee2
SHA512f25f66055176b4060b94ff3c765d54d6d7ee0186b70001205c2e65696180a57b32de897df1664bad8611f81da0f3267b6daf9eea46a0c68c4746c54a56999209
-
Filesize
396B
MD5cd894f87ff2d164bcb12ab007c5ad6dd
SHA18971167adfd3df2612bc897a34b1fec74fb1aed5
SHA25637b46cd3a479a7710f28e6eb007d07c5ddd892ac71735ca2f0e47918ed85d15a
SHA5128e109d18bc12cebcb5c744efbb199c86bf25f03d4c0f31fe33493b80dccf64d7133c69ca5ccc19f47a2c72344af2500c9ab99e4c857a23fb327dc5f08c7b97d4
-
Filesize
235B
MD5568e55a3c04587bd9205540ea660ca6d
SHA1a85da714f97e3d5ae75dbcf8bd0027ff1462735f
SHA256a2f52e8fcb0bf48b6f928e53c4f5d90185c5804c2fc1c5ad299e34edf8c78cca
SHA512b0a06e644d8354d0ef0a836dd0a63e71f5c410822cde969f32df0b293e7bc96998977f98ed496b6231d0a34e2449deb978a182fcdeec452070a99795e8ff964c
-
Filesize
1KB
MD58d1ed1c8f2cbc3e62adae4e1344d01ac
SHA176a58b523ba6de952174cea4ef64b94f399ce726
SHA2569a083c7646ac0a5488172479ce5ffca6dc9bb5cb645334000e2e9c8befc4eab2
SHA512f69f4034486c2606b5a92bac3bf0e26f8bf927eded38fc402ad2299d5891c2336f59f11bc2c2ecaf93339cc460b67eb0a4ef9f5c95952e8765b00536a638c0d1
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.7MB
-
Filesize
10.8MB