Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
22/03/2025, 06:25
General
-
Target
3d81f411b0ec1ac7d861358e145db4ba.exe
-
Size
999KB
-
MD5
3d81f411b0ec1ac7d861358e145db4ba
-
SHA1
4b945e693bc455840912fc5b5f155c36501d235e
-
SHA256
72b49e4d9aa54af40111e35d0d4bcb4a7a313c4f2f5c5f33c3b7a093b7f4fc0e
-
SHA512
216c654e895ec5065b7d724f5421184e2a3445f4b801f0ebcc3ce34676e2d89240f22af079fd7a7d074af3567ee483ebe2f6b40bfea224956ff00f5d326894fe
-
SSDEEP
12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Process spawned unexpected child process 16 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d81f411b0ec1ac7d861358e145db4ba.exe"C:\Users\Admin\AppData\Local\Temp\3d81f411b0ec1ac7d861358e145db4ba.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONSTART /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
999KB
MD58f05c0b74d4df510fcd0b906d4ca6cc2
SHA1f007161911b3d34324b84e84ac57cbfc95fb2b95
SHA256b1b77aeb607edae38e49c887ff8f877c09fd5696082d28710649b034ac8fc8ec
SHA512f120c7c55194b07b3683cbe15b5fe816bdf054a869c7d8bddaf6da5717d8aede91c511b6bde6dd99fa0480276395e04694734704cdd6f9a4435719e2f622ec83
-
Filesize
999KB
MD5da56cff4516b76687da17d9a3b1b5d08
SHA1751e83c090fc145d34effdaaa980bf30cde4f6f4
SHA256e63ca9ad331af5913746ac924aeeb9de1c2f7fb6d4c44abb7f6004104da3d4c3
SHA51266836ec711669e665021f6e774c660a8d8a30df8e0002f9eb4c9465571ebe1d15f7e514eb8bb2688aa25860ae230a88aa9bb2cd0cbffebdc3be48c98b77f3690
-
Filesize
999KB
MD58bb16937b89fdcf47ea46aa0331d7ea0
SHA1b847173ac819c84029031aea144c0cbe82a3302c
SHA2564584905755fcf7a04d9345476e22985a21a6e2cce26eec791ca08dbf7d312eaa
SHA512df599847656b9a53e5542f6f8359bad7a8843fe6e1e18f6cb42be54d2a5a2d5fa9bd2601a07c95f73d47f6ef6f01565fcc17a03bd766d4a45f2e9b97a2b0d994
-
Filesize
999KB
MD549e795eb383bc04e7886add25b9866a9
SHA1aa239b5c2119ad8db13efca9d13f67308db05c37
SHA256c12779e43073f292b9607563b0fc007087c6c4c93d8f90fd52a8f66930b846b3
SHA51201752ec991448f30d66f34591d5ca6e556f6df01bda8567532fb7f79ea184bb3d92273b69fbef1a15f451691f3603530c0a95256f3e97b00e6a9fae5689a4143
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
1024KB
-
Filesize
9.9MB