Analysis
-
max time kernel
92s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:17
General
-
Target
df04d21f8f4edc307cb444b18e8f201c.exe
-
Size
999KB
-
MD5
df04d21f8f4edc307cb444b18e8f201c
-
SHA1
9008920285ae41fe099cbfd11baa15e3909d140f
-
SHA256
51ef466bd86c5e96bff1611da1f13ec2691923618e9db5c490f6104cb95cd6d1
-
SHA512
a8e76e398d3de32aef34e3d424d52dd33a073a261958ddc8b6dff62941288aaf359e1d3604de025f021789f2eb70b932cb69f09e4b6aa79e5ff3528d4315c52c
-
SSDEEP
12288:P9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:P9pP5WS3lrMNyC9TJPCXBi
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\df04d21f8f4edc307cb444b18e8f201c.exe"C:\Users\Admin\AppData\Local\Temp\df04d21f8f4edc307cb444b18e8f201c.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlnKig63Gd.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Recovery\WindowsRE\explorer.exe"C:\Recovery\WindowsRE\explorer.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc MINUTE /mo 8 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\ProgramData\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\addins\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONSTART /tr "'C:\Windows\addins\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Adobe\Setup\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Setup\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONSTART /tr "'C:\ProgramData\Adobe\Setup\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Adobe\Setup\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
999KB
MD5d5bf1771334a06acd9de1400c445610e
SHA1ff9c5c2f338ed17474a72a4fa52300d7cb22a2ac
SHA256722450e834f17bcef317660027a9cbc9d493218278c17a795a0d90dc8b5e69f5
SHA512bdb058d5119cb5fa5d66ff6b0a3dd3086365cbab0fde2ad4200ce7afa3e13aff35b3a7b25bbf4e0c9fdfea557ef64dd13936f055fa6d4b718729a71e990309f0
-
Filesize
999KB
MD5df04d21f8f4edc307cb444b18e8f201c
SHA19008920285ae41fe099cbfd11baa15e3909d140f
SHA25651ef466bd86c5e96bff1611da1f13ec2691923618e9db5c490f6104cb95cd6d1
SHA512a8e76e398d3de32aef34e3d424d52dd33a073a261958ddc8b6dff62941288aaf359e1d3604de025f021789f2eb70b932cb69f09e4b6aa79e5ff3528d4315c52c
-
Filesize
999KB
MD5ba63e66f08cf35f7694afcf680637db0
SHA108110284cb5fc216182d2404f35aa2dc6f9dd5ba
SHA256987a5878d10a55ec6bcd30159cdcdce833371fdcda589879b7383a3575a6d346
SHA51244b33b3d3a5953b9675c92f4749ceb0a71969a6fc8b84ed3ab103222ed2ab870bfcdeec3e598f226fc828e608d0b59eb08d17bce796602e6f9f02fb3da9a4a11
-
Filesize
198B
MD5a86c55747fb186ada1b5759a2db79440
SHA1fec77140dae8c4d30b00a4a66ade529793e81ab0
SHA2565d235b5fc4276e48f14897b65a086f2e6d4b654833de583c3da1e84f82658eb2
SHA512caee691b786564f613a26b3e5e32a8040c9c08b38c79ed31b2ab18750644e4dd083e4e898be4fea4f76f0800202d2a6c9bb58442bab6b3e45cb68351b033b113
-
Filesize
999KB
MD5b35862be2a9a0e1c499708dd1741a043
SHA1189ea29e9c1541978b6519c70cc0ce18adc48c85
SHA256de4dd8f5f37727da922b73929fc2c0b290644a3aeb58dc26918248b55d439898
SHA5120001aa47460b5fb3155e4c35b1ef52f7686266f9c9363574a0da996c7322e4e10251484d5679b52147155fe1648bcc76e09ec599e77b60f54247d8c5bb8e1f74
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
1024KB
-
Filesize
10.8MB