Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:09
General
-
Target
279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
-
Size
1.6MB
-
MD5
f088c5388663eeeed395b7263d1f4993
-
SHA1
698d5eaabf3b5ce145f89f810311a0b42dade120
-
SHA256
279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819
-
SHA512
c9d946db7a10abed675d764436f3af3482b5259589fa976758b28bcd7c5b380bde9e338783611cbc5925cfdabbe0c9ba930bdb85aec7e6190d935b678b5dbba6
-
SSDEEP
24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 8 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe"C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\en-US\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\599b3432-76c9-47d9-8063-748cfe5b48ce.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4df1cd54-0528-4dd5-a01a-aaad951561e7.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ce4b579-6e6c-491c-a5b1-f6482062a76b.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18b32915-a749-46ba-ac30-8ed199de5b5c.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7aaefba0-80f6-47ab-b64b-c31c7e9bf581.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72b397a9-aef9-4a0f-b51b-da100115f22e.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bda51ec-0c7b-44ed-84ee-029cb9e4cf74.vbs"15⤵
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\472d0ff1-37fb-4a7d-8d39-d53e842006bb.vbs"17⤵
-
C:\Program Files\7-Zip\explorer.exe"C:\Program Files\7-Zip\explorer.exe"18⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec8d7ff0-b9e3-4236-9898-fb6ac4517014.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76127f83-8d66-41f2-99cf-20806e95555f.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f26983cc-5b99-4151-af4f-73ba621735a1.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab2baac7-1397-405b-b26f-183ef3f0c9e3.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00440eba-f14f-41b8-9de0-7a36ddc0a888.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59c2d90d-dd45-4c6e-9004-537190ce4eda.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8a10f86-aaf0-4710-abd9-4fb968e9005c.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5b48137-9ef2-4e80-b7c4-085a26f00605.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD55d552c4557dddbe9d0520a94f3c07c16
SHA19c043bf35c7c185130d561941dfe2fffed1371d3
SHA256f2471dc98bc93670da6e397014ddc105455eccb0e2bf196ba442f29187ce74b8
SHA512d5b9b6c97df268e5d4583af60043c24e0b5679dfaffb3eac1e0f55a8f2b47536cbe77bfe27f3be9af9cdb9871bf5539fe9c77554aaf432c1732cb53a3d6524a7
-
Filesize
711B
MD50bb952a63212be9e7886768e58af5a82
SHA13494b29fb8984380a951cafd1a34254016aa1caa
SHA2565b3fbd9481d20cbccc3c969a9fb60a1df9931d80c23cfec20fb032344a828620
SHA5127c50e3480ee93674bd346a9852808eb3bd07b0adf141e9fb9a569be17d4159e3f84bc532b59ccd6f4b1ec17e2a74c2c375cd20e07197619ef9e5f9d2b9d743c2
-
Filesize
711B
MD52507c96cde204fba4f2fff54b4bc86ee
SHA130143b180b228c6059ffb8ebaa2e133275655c95
SHA256f73c88ebf66e75f5e31c517cd76e00f276faa091e531a98858e0d53cd2d510aa
SHA5120a9b4928f89ca739ef740740968371cee736f8d1282ffdd70945f6c2884f7ba499e3d01d5e62dbf9fa9f835f7fec5450fe32ed7f3d24163722b636ebab48e410
-
Filesize
711B
MD5d7691e2c791067a3b6fece63025aecac
SHA12ca4e3ab1fc6233a3eda3a58b59c8cbef2fbf872
SHA256309687e3c9fa0344a645bb0e4dd08dc32dbd9b39f5cbe2e6f523a043960e0f1d
SHA5127af6201cab5801b8760409f5fe41f21effa449343d70754c39588948f8abc6c956875afa1df63d026f0347f4341122a7169d0a2925425fecc1c9432031f7f69a
-
Filesize
711B
MD5e7bc5ab70fae1c08a71e192f6bd75717
SHA16c4eb04e0a87c202e0eaa97995dd1b04a36ce313
SHA25624c5344fc66db92072ad0be7686c815ac5723b51e2e9abfcbae6e85bd2611d65
SHA51231e724f82ae65b334cade2c2816d5ad16fffbfd154d70a1a73981ebcdfc03c9bd1bade346e64b5d5e9bdc7228be3be290210f5fa245ad01cf242475bd0cd0751
-
Filesize
711B
MD5cde565e1b922a837cfd70d670c9585e9
SHA11f3845b99e0c1ba83925cbadb1cc5aee39f19361
SHA256ea2ef145ce56ce9eaa5594979ece42c2c6815cff4a98f7ee544bbd5759e04b6f
SHA5128ed9cb2a847488e617ebd0a32a2d30feac8f8c66ee5b12310271f27cf331145109e62930822e187d0c1dbdbe88d082e327e3d2cef25049f70bc395d313b67943
-
Filesize
710B
MD5ee2d024f52d834fe845ac0acad2b6eca
SHA1c742ebe49ff2c41c6887fe541c87dd4bd70458d0
SHA2568dbf29a33732164a30bfd81f6c0d2c9ef78fb2f08023260b96f77534af4b3fb0
SHA51211f6e3c7f8a94f88e08208639af15c7e8e208cce88d69cfc46da9d468e906c86aeafac6e9a2a723d9590c7ef0f4466660abc3f63d7fb01f8653f21d4eaeb0e28
-
Filesize
711B
MD5d765a689f5d4a087bedc6f81c73cae1b
SHA13bb6b80e968eda121c5cd4477b0cee7e315f42a6
SHA256d3ee503162fb29040620af508b687a29862388f64b5d8d3eb59d82674cd6f25a
SHA512541dbd725f40c650715ac8b1d1cb857f0fad07eb361940f698366ae67b153a57680e107d21319766c3206935de5e32c24378620f8534253e090e1f18a47846fa
-
Filesize
711B
MD5c16ca2abdb4f150d99d29bbaa28bb9ea
SHA12c5df4cc53d9923a79cfbd35bbde1ca7d407b781
SHA256ddfa8745dd002457cedd9caea3eab7c36a4a400424cda5123bf60ae4b28008a9
SHA5127e2b0f21cf5a298565084762ce4da6bc3f5842c3a70bdc9ef39e7145d149e1e239e7242550448db4242f1cb24f2bb21165062fb02b4e860cc27b86157afedd8a
-
Filesize
487B
MD55986db08fa2efd8662a9d308c811e682
SHA1ab081c4dbf629770588758ddf1f90bab0286bf60
SHA256bf949fad764d8f5885d87f11ccb121feab310720be2d76a452c3d9d6c06c4e01
SHA5129e6a7aa1851d32eba3fc41d9c0f4034bc1ee8f9b51b245e54635ccacd7eeb8d13c7303541fc83165d25939e1bd1264cf830ce76693a62c8e5dcd62b5481d3707
-
Filesize
7KB
MD52a4b43c91907e55afea34e49d633d621
SHA1b4b2cbb7c23095288dead76913c077fe4c013766
SHA2565db289fb31202adfa7a4c4ff8ca1504ea85721886f2ae2bc832b5c7c95ea13ad
SHA5128f33b4879df1189db84daf2da244f5f732641bd4578294552269dfbb32a20f2f93fc97f8df2ca1ef9344933b51c91ebce28cae2f91adfada675c3b5e4385e203
-
Filesize
1.6MB
MD5f088c5388663eeeed395b7263d1f4993
SHA1698d5eaabf3b5ce145f89f810311a0b42dade120
SHA256279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819
SHA512c9d946db7a10abed675d764436f3af3482b5259589fa976758b28bcd7c5b380bde9e338783611cbc5925cfdabbe0c9ba930bdb85aec7e6190d935b678b5dbba6
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
32KB