Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 22/03/2025, 06:18
General
- Target: e787228874f75520e2a95df7768ba99b.exe
- Size: 984KB
- MD5: e787228874f75520e2a95df7768ba99b
- SHA1: 03c4f765750cf2f42f3421f80353376a665ab9a5
- SHA256: 4acafc42154659f6098bf63fa5671b7ab8b72d27785ad7737112ec2dbbc32bf4
- SHA512: 48ea43fe8cfd0a7f5f9609ec30546ab3e9a356d0bb03327e9edf2899daf1251059ba8397061e560090c1eb33f9887ae7c23756fed263266311701f1f36c33fcf
- SSDEEP: 12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (4 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2656 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2656 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 2656 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 2656 | schtasks.exe | 30 |

- Executes dropped EXE (1 IoC)

| pid | Process |
|---|---|
| 1104 | lsm.exe |

- Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\msiprov\\WmiPrvSE.exe\"" | e787228874f75520e2a95df7768ba99b.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\MsPbdaCoInst\\taskhost.exe\"" | e787228874f75520e2a95df7768ba99b.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\sppcommdlg\\lsm.exe\"" | e787228874f75520e2a95df7768ba99b.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\IME\\fr-FR\\System.exe\"" | e787228874f75520e2a95df7768ba99b.exe |

- Drops file in System32 directory (12 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\System32\wbem\msiprov\RCX3A27.tmp | e787228874f75520e2a95df7768ba99b.exe |
| File opened for modification | C:\Windows\System32\wbem\msiprov\WmiPrvSE.exe | e787228874f75520e2a95df7768ba99b.exe |
| File created | C:\Windows\System32\MsPbdaCoInst\b75386f1303e64 | e787228874f75520e2a95df7768ba99b.exe |
| File opened for modification | C:\Windows\System32\MsPbdaCoInst\RCX341C.tmp | e787228874f75520e2a95df7768ba99b.exe |
| File opened for modification | C:\Windows\System32\sppcommdlg\RCX3620.tmp | e787228874f75520e2a95df7768ba99b.exe |
| File opened for modification | C:\Windows\System32\sppcommdlg\lsm.exe | e787228874f75520e2a95df7768ba99b.exe |
| File created | C:\Windows\System32\MsPbdaCoInst\taskhost.exe | e787228874f75520e2a95df7768ba99b.exe |
| File opened for modification | C:\Windows\System32\MsPbdaCoInst\taskhost.exe | e787228874f75520e2a95df7768ba99b.exe |
| File created | C:\Windows\System32\sppcommdlg\lsm.exe | e787228874f75520e2a95df7768ba99b.exe |
| File created | C:\Windows\System32\sppcommdlg\101b941d020240 | e787228874f75520e2a95df7768ba99b.exe |
| File created | C:\Windows\System32\wbem\msiprov\WmiPrvSE.exe | e787228874f75520e2a95df7768ba99b.exe |
| File created | C:\Windows\System32\wbem\msiprov\24dbde2999530e | e787228874f75520e2a95df7768ba99b.exe |

- Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\IME\fr-FR\System.exe | e787228874f75520e2a95df7768ba99b.exe |
| File created | C:\Windows\IME\fr-FR\27d1bcfc3c54e0 | e787228874f75520e2a95df7768ba99b.exe |
| File opened for modification | C:\Windows\IME\fr-FR\RCX3823.tmp | e787228874f75520e2a95df7768ba99b.exe |
| File opened for modification | C:\Windows\IME\fr-FR\System.exe | e787228874f75520e2a95df7768ba99b.exe |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 2676 | schtasks.exe |
| 2832 | schtasks.exe |
| 2756 | schtasks.exe |
| 2584 | schtasks.exe |

- Suspicious behavior: EnumeratesProcesses (1 IoC)

| pid | Process |
|---|---|
| 3064 | e787228874f75520e2a95df7768ba99b.exe |

- Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3064 | e787228874f75520e2a95df7768ba99b.exe |
| Token: SeDebugPrivilege | 1104 | lsm.exe |

- Suspicious use of WriteProcessMemory (3 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3064 wrote to memory of 1104 | 3064 | e787228874f75520e2a95df7768ba99b.exe | 35 |
| PID 3064 wrote to memory of 1104 | 3064 | e787228874f75520e2a95df7768ba99b.exe | 35 |
| PID 3064 wrote to memory of 1104 | 3064 | e787228874f75520e2a95df7768ba99b.exe | 35 |

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\e787228874f75520e2a95df7768ba99b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e787228874f75520e2a95df7768ba99b.exe"
  PID: 3064
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\sppcommdlg\lsm.exe
    Command line: "C:\Windows\System32\sppcommdlg\lsm.exe"
    PID: 1104
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\MsPbdaCoInst\taskhost.exe'" /rl HIGHEST /f
  PID: 2832
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\sppcommdlg\lsm.exe'" /rl HIGHEST /f
  PID: 2676
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\IME\fr-FR\System.exe'" /rl HIGHEST /f
  PID: 2756
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\msiprov\WmiPrvSE.exe'" /rl HIGHEST /f
  PID: 2584
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)