Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/03/2025, 06:17

General

  • Target
    d7508b07903325957294ebdcb89bd5b3.exe
  • Size
    1.1MB
  • MD5
    d7508b07903325957294ebdcb89bd5b3
  • SHA1
    b6280b6c5e4b601ba3182520eca834aecd1ae1fc
  • SHA256
    4fe2546f5efe48febc2db59093ceef7b1c3db73e3b11ba026bfd8c4444b2af8e
  • SHA512
    e79cd38b556481bd3da6fcde5e924c2c0161a7e26ba635d02f393a424cf675b63e61948c7162abc06c487ae661ff431062236327be9b68be90e6ace7bfd23808
  • SSDEEP
    12288:p49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:pngTKZ5RU/xG7zsEyEve6SZ+dIe8usv

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe
    "C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\icfupgd\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Templates\taskhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\DeviceSync\services.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\lsm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\ProgramData\Microsoft\DeviceSync\services.exe
      "C:\ProgramData\Microsoft\DeviceSync\services.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\icfupgd\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\ProgramData\Templates\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\DeviceSync\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
    Filesize: 1.1MB
    MD5: d7508b07903325957294ebdcb89bd5b3
    SHA1: b6280b6c5e4b601ba3182520eca834aecd1ae1fc
    SHA256: 4fe2546f5efe48febc2db59093ceef7b1c3db73e3b11ba026bfd8c4444b2af8e
    SHA512: e79cd38b556481bd3da6fcde5e924c2c0161a7e26ba635d02f393a424cf675b63e61948c7162abc06c487ae661ff431062236327be9b68be90e6ace7bfd23808
  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
    Filesize: 1.1MB
    MD5: 58cf048ea2f8f11099c04b6ae0ead575
    SHA1: 2df7582dfdcd7577079de0ec3748ecae9cb2a385
    SHA256: b6462235943cce694ed9d3f8387b6a979a42ed9edaebd20e8398f09cc0df0592
    SHA512: 037d05363e231ed78a950e07b2ea262894ea17260b6d45b3d8d207451cabb885d93bfd9739f5e1017427d997de15ba6c00e541801608e218a7a87db757c9dfee
  • C:\ProgramData\Microsoft\Windows\Templates\taskhost.exe
    Filesize: 1.1MB
    MD5: d2c96ccd8454e9a85889d5b1633d5781
    SHA1: c7ec45aab3400bff3db0265f4ea364587cee2be5
    SHA256: b179d4a8c09a4598644d6807b1aa46311a95170c7ae1d2fdaeaf9e723c603e1e
    SHA512: 7a904715aa5556d329468781f1b3b1d0f6ffc51ac35924811727fb76f38b9a708c1d8bbe8b47f0ceb5362b7fa9be4fefb70369e5045e360c0aed311a870cdd86
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 02f59a122c26a53ab4625ffb55243e06
    SHA1: 44dd73d92f9e362539884dad3c74c84afd3fecb9
    SHA256: a9c03705ee04e37b6c251dfccb016dc6b3852ee6a5b390d3c0301fdd2c84dcdb
    SHA512: 82965aeb451fdf24ba82d50b73bdba3c2734a7ef1def0f1bc4778a5317bf3242525c10c7cfcd39e413c7f1bafce36b47a7654ec4086402cf8bb8c98306365cc4
  • C:\Users\lsm.exe
    Filesize: 1.1MB
    MD5: 7d6965b47fdd39857fcf84eb11e5a613
    SHA1: 51abf89a4d7b926c4817bed84447c07c56b319ef
    SHA256: 454a8564528805d1d261f20f1a5b12d52bb72073c8f47dfeaa89eb8308ca74fa
    SHA512: ff985766b66a7203fc2202516427fbc6d75782f9219a09b0fb6640009fcee0b6cd5a86cfaf79b05255d352764dbdef321d0dd1bc839c9b925052bc9b48549b78
  • memory/1364-118-0x000000001B670000-0x000000001B952000-memory.dmp
    Filesize: 2.9MB
  • memory/1364-119-0x0000000001E10000-0x0000000001E18000-memory.dmp
    Filesize: 32KB
  • memory/2176-125-0x00000000002F0000-0x0000000000406000-memory.dmp
    Filesize: 1.1MB
  • memory/2596-7-0x0000000000410000-0x000000000041A000-memory.dmp
    Filesize: 40KB
  • memory/2596-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
    Filesize: 9.9MB
  • memory/2596-1-0x0000000000850000-0x0000000000966000-memory.dmp
    Filesize: 1.1MB
  • memory/2596-3-0x00000000003D0000-0x00000000003E0000-memory.dmp
    Filesize: 64KB
  • memory/2596-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp
    Filesize: 4KB
  • memory/2596-4-0x00000000003E0000-0x00000000003EA000-memory.dmp
    Filesize: 40KB
  • memory/2596-6-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize: 32KB
  • memory/2596-137-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
    Filesize: 9.9MB
  • memory/2596-5-0x00000000003F0000-0x00000000003FC000-memory.dmp
    Filesize: 48KB