Analysis
-
max time kernel
117s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
-
submitted
09-02-2025 04:55
General
-
Target
c0380ef3862562bca9ab4a8442fb19b5886e3688cdaef858feb9277ad893351f.exe
-
Size
783KB
-
MD5
39a2fdd9e735620442931db84dbc5d80
-
SHA1
5891b2f85b69d1da5818f71318190201a41b4441
-
SHA256
c0380ef3862562bca9ab4a8442fb19b5886e3688cdaef858feb9277ad893351f
-
SHA512
c96df05444a24876453208de6ff0601f96781a1862d582e7cbc2ddaad8355a856fd9fae30a3ac95c88beb5c6d1622bb0d0303ee1eabc7092ba684923c73d148b
-
SSDEEP
12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:G+OQbpbgsFdAyQvzSqaq8q
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Downloads MZ/PE file 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 18 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in System32 directory 25 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 17 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0380ef3862562bca9ab4a8442fb19b5886e3688cdaef858feb9277ad893351f.exe"C:\Users\Admin\AppData\Local\Temp\c0380ef3862562bca9ab4a8442fb19b5886e3688cdaef858feb9277ad893351f.exe"1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7SfpPwHVJc.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\c0380ef3862562bca9ab4a8442fb19b5886e3688cdaef858feb9277ad893351f.exe"C:\Users\Admin\AppData\Local\Temp\c0380ef3862562bca9ab4a8442fb19b5886e3688cdaef858feb9277ad893351f.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Downloaded Program Files\dllhost.exe"C:\Windows\Downloaded Program Files\dllhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\AarSvc\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\WofTasks\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Gaming.XboxLive.Storage\sihost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\comdlg32\taskhostw.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MicrosoftEdgeUpdate" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\WindowsUpdate\sysmon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\dimsjob\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Registration\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\BlbEvents\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\rasdiag\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\hh\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTg2QTMxQjItRTQzNy00ODkwLUE5REMtN0ZENTQzMDYxRUI0fSIgdXNlcmlkPSJ7NkE4MTY1NTMtNzA4Qi00ODk3LUI4Q0UtNzdEMkUyNzY2N0EyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODM3RjM2NkYtOUJDQS00OTI1LUFFOUItNUVEQUExQzIxRUU0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTk3NTczMDEzIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b7c0c43fc7804baaa7dc87152cdc9554
SHA11bab62bd56af745678d4e967d91e1ccfdeed4038
SHA25646386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457
SHA5129fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769
-
Filesize
266B
MD5575b9d466cc254a2cfeb4eaabd45950a
SHA11c5871df26fb1f7887380167d9fbb2d6edd54291
SHA256f1f09e8aacf783dc18e0634290854da6c74f6a271369be9ead534fdb909691ef
SHA51291b9d766809fd629c9e7610bb59b519d10a8e4567fa0db94ee5b14a0d017df87cf249613f9d05e5545d580df3cc525a8afe734d14f84e60a06f0ca4bfb852418
-
Filesize
783KB
MD5a1ae0144be5cf6650b500cd14cf667a6
SHA1aa504b1f87ada07d989968c09c070bf34eeebfa1
SHA256d37ae91d24eabd5edfa1bf41d1429e942e1c83a0711491496b0fdcd9d91bf27e
SHA5126150abd46e1767b0a473f3b7cbdedac4725e8b0181c2fe72770170694c31483bf5958e216b7f884bb72f00ce63b785cdba041c5457bff407f4b845347f6da059
-
Filesize
783KB
MD539a2fdd9e735620442931db84dbc5d80
SHA15891b2f85b69d1da5818f71318190201a41b4441
SHA256c0380ef3862562bca9ab4a8442fb19b5886e3688cdaef858feb9277ad893351f
SHA512c96df05444a24876453208de6ff0601f96781a1862d582e7cbc2ddaad8355a856fd9fae30a3ac95c88beb5c6d1622bb0d0303ee1eabc7092ba684923c73d148b
-
Filesize
783KB
MD5e03dc7f89cd468f3c2995c2866e6a949
SHA1607a2f13a926836cd9f8a87be3cd4dc55c135d70
SHA256fdd944d8664e7831af5edb8fd168b1c10bde8922a67379cb5bdbb42176acfc46
SHA512e2a7ec68e3e18f287c5afaf88a9fca62355c14853ced6271e5f37e3acd8a0bb819619fde3400e8a468c806ace7273109f49e41c5c6b51eb8942bdefe573d52d7
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
808KB