Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
22/03/2025, 06:12 UTC
General
-
Target
7286d086dc442793539e770e59762d9c65e219c1f748ec7ce09684971954e16f.exe
-
Size
3.3MB
-
MD5
eb76f554fb6b7b172e6042096d7a42c4
-
SHA1
54249e327afe53b67e76569f622100b532c3f794
-
SHA256
7286d086dc442793539e770e59762d9c65e219c1f748ec7ce09684971954e16f
-
SHA512
2a972d9b2237da9ac53140d5f32d18235a1a8e22a7c8c21f2b8472b5e9a00a2134f1db67231331f42b427925b760def2c9e54bf6d62bffaf06d509460154d063
-
SSDEEP
49152:7s51kZEsvhP4KUYTMb5C1JyWdLQqFxLCobXK45p4aE:7s5eaKhgKUFCo2LP15s
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
UAC bypass 3 TTPs 12 IoCs
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7286d086dc442793539e770e59762d9c65e219c1f748ec7ce09684971954e16f.exe"C:\Users\Admin\AppData\Local\Temp\7286d086dc442793539e770e59762d9c65e219c1f748ec7ce09684971954e16f.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Default User\sppsvc.exe"C:\Users\Default User\sppsvc.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8290322d-ad52-4d71-964f-313a68d7dbf8.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Default User\sppsvc.exe"C:\Users\Default User\sppsvc.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\145cfce1-a923-4f27-9106-4123b2ee375f.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Default User\sppsvc.exe"C:\Users\Default User\sppsvc.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48580543-2b20-4dc6-8cd2-45f859885ef8.vbs"7⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86d713f4-844a-438e-b88d-0343eb0c2106.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1c6b469-0ffd-445b-b11b-7e8f77aad3f8.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa1b7e1c-b7cb-404e-938f-eff329d4b609.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
Network
-
DNSa1087172.xsph.ruRemote address:8.8.8.8:53Requesta1087172.xsph.ruIN AResponsea1087172.xsph.ruIN A141.8.197.42
-
141.8.197.42:80a1087172.xsph.ru -
141.8.197.42:80a1087172.xsph.ru
-
141.8.197.42:80a1087172.xsph.ru
-
141.8.197.42:80a1087172.xsph.ru
-
141.8.197.42:80a1087172.xsph.ru
-
141.8.197.42:80a1087172.xsph.ru
-
8.8.8.8:53a1087172.xsph.rudns
DNS Request
a1087172.xsph.ru
DNS Response
141.8.197.42
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD5c401cdee7921fecf11c7e5d830a7ee5b
SHA10ee402c74a73863627d82306e126d3474c6b1214
SHA256fb65fe1a80d7f9c89595c39dbcf69097fe777729b331daaa39dd669cd414125d
SHA5121678e0fb230ebcca08e94fb39b70ad274b89dfc4a08fc2a2f786dfdffa432421e7fbfb48224d1de747bc41ef7200eb570e77cf2129c594ad230b83ead6bd9532
-
Filesize
3.3MB
MD54fe7d8433f567d7f884734e2aaef7fd0
SHA180f77ae1f514871bd8f7ec8f95105ef06cf8d90a
SHA256da5c414cc182b010f11c837001915c1c1b583895ec26eb85b888147d09d83332
SHA5129992c49172848c7c45c67f2cd32bf8bafc1b3eae55d2e3532e726716ed2c268dc9e4fba1e4de254bc6ff9f82f2dbcae59ce32b083dfe6e6e891f000a5cc87074
-
Filesize
3.3MB
MD5eb76f554fb6b7b172e6042096d7a42c4
SHA154249e327afe53b67e76569f622100b532c3f794
SHA2567286d086dc442793539e770e59762d9c65e219c1f748ec7ce09684971954e16f
SHA5122a972d9b2237da9ac53140d5f32d18235a1a8e22a7c8c21f2b8472b5e9a00a2134f1db67231331f42b427925b760def2c9e54bf6d62bffaf06d509460154d063
-
Filesize
708B
MD5df60611e709901b0b727d6e2e90fefe5
SHA128e856b110a0d0bca5427bd89786d60f265526b2
SHA256fcbddf8ec28a50a6c3e06eb819c85b53fc8fb10eb2d798654f2692e3447d5ba1
SHA512b9eafba5874330522b40f97e2accbe8677c50c011bf72cf43e7831d8240ec7b4927ead5a0c33d64bae4f4613015328e1313caf0b1419b74be6eaa25990517314
-
Filesize
708B
MD5c14f6753e6a1049ccdba523c68bc8d26
SHA1c90155779527e83d1818a4c139d18d265e675af4
SHA256bbe8d03ad6028f8e4c6af85d2c36ce38bc08bab4da9d606119f1c116f44a1d04
SHA5122b9112b18d670576812a10ef24c5e265faad9d40aa8394a1354de617447c060d89ca5325dbb457bb178764c0572f2e3d8137dd0edfabbb7f4fc42dff7577160b
-
Filesize
708B
MD5df7d2e91b825e2d82f57beb4f07218d0
SHA1cab57be1f552ce413c3cd55ff9e7562c248f733b
SHA2565d3b75600bb160b023c4369e3d61c4efcd51afeda0fd12640905396badbae1df
SHA512fbfd3202b3d7402c02552899f769069141136d5d091c8f44f1ff6fbe4f49d2c563216f643248be8db3d089bff33ce0706c5f20bc3e518dedacd0f6178e6906df
-
Filesize
484B
MD5a3d676e2e179f9b869df799392f4c264
SHA16d857a007958c66b4a9bfb6aad3b533b0c996e49
SHA25615bef1083be8cd175f3b1d81315336328a1b363928a5505a6b2ed82b78645270
SHA512dbcb6554fd6ed583b1c4d94d148faa2c737588f82c31df52bd54bdf9007563754d5e9736865afd5d959b4337725aee1e593e3ba2c92f727e98ce9f4df876f471
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
3.3MB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
3.3MB
-
Filesize
3.3MB