Analysis
-
max time kernel
58s -
max time network
65s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 19:00
General
-
Target
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
-
Size
1.6MB
-
MD5
2c4dbe075f37719580a096bf67bf048e
-
SHA1
71673f7af94683985e875f3db73cbf1a5509228e
-
SHA256
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567
-
SHA512
6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70
-
SSDEEP
24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe"C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\taskhostw.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Saved Games\taskhostw.exe"C:\Users\Admin\Saved Games\taskhostw.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d10e5b27-3575-4b8f-9a3c-8ab68fcc5784.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Saved Games\taskhostw.exe"C:\Users\Admin\Saved Games\taskhostw.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c8db03-cc92-4151-b023-35cc054f0b2b.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Saved Games\taskhostw.exe"C:\Users\Admin\Saved Games\taskhostw.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\986290dd-c3cc-43dd-8617-6dafd16b3dc4.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Saved Games\taskhostw.exe"C:\Users\Admin\Saved Games\taskhostw.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06e1fe0f-4981-4c16-b13f-31259a6775a3.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Saved Games\taskhostw.exe"C:\Users\Admin\Saved Games\taskhostw.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8934f0ac-3a61-4767-8921-5d0f00c35f88.vbs"11⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77c98f8b-86cc-46a4-8442-28292ed224cd.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76913030-b8df-4304-bc57-a861add51cf3.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98ec2585-e11c-44d9-914f-900bec82abef.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8f209d6-46a4-4ff9-b376-958790a9d97b.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cef98ba2-e4e0-4a10-b34d-3a23795ddbb9.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
Filesize
944B
MD5029fbf628b046653ab7ff10b31deeeb2
SHA193c2cb1905c8f5e71f5ea97a1e8a8c891eae077c
SHA25685f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26
SHA512d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c
-
Filesize
944B
MD587d9fe9e5ee685ff2b66e5396fcdcb99
SHA10ac74edba86591b97d1a7531c3d2e659f0843b7f
SHA256f84df996802a7b65b0a58ecd1960f157bdc82f817bae81409eb4184e438ed9b8
SHA512ce602ffb6822849af961afc13b972d0d344bbfaa50c5fe372cf475f424a9227f788ea64a1dfa9b96d8e01cfa2b7f0f9e695ea001ea37a6c7c235c86931d1cf3e
-
Filesize
716B
MD56cf1fb33244a9517c166fa55a42c27e4
SHA10bed4b85d1def932af6e35ccea00fc643e166175
SHA256a4c7d7ebdd98e99e0f5624e4c9e82300d5a93a2b382c21f2c912247010569aeb
SHA51292a6458b74c2183fc85556faa2725c1e36e8b25f7247ef3f6835f2612435c4f38616113a27207c9a116434a204744d4a7c841da1ab9b7068ee47bc172ff5a834
-
Filesize
716B
MD5d390e4695797f7b969d71f061c8ff1eb
SHA18fa08c25f9a8b7283384b218b152675b7a550e27
SHA256236fb90a9a07820041a31929db0940d46172c60490adfddd408d8be4c3a6386e
SHA5129537d1ed151b0b478b272d5915214a68e42a9d50b84af48de6bc6ceab8f36d26d8442c2cc5f34e41794496ce6669981905c5f02f476421251faec03c2284f475
-
Filesize
716B
MD56763b3940ec91a4714a562b7f5667c7e
SHA186839cdfbc67ea5e79b6e072f9baf908465a9542
SHA256c46d52cb7ce43e2ff54382c5ea2b268819e385865901fce0f7242cfc906bdb92
SHA51274a84253af126709b5a739e0f33eae5e99fb8c9dc636933cefa6c16b6264e893d054bffeebb3b41168e4177171890efc26faf1b2678b9e2a6c744df613295ea4
-
Filesize
716B
MD53f0ad48e98b013e4d61659d629fd4236
SHA16d9eac54318767bdb4341b98111092e0caa74c9f
SHA25656b962b3a5c481b8270bd8c33940bed0f835e95432d3d2ca1e885cd7924d789a
SHA512e9a4cc47984ed8b92fc3e23bc1e3f87c83ba7fb85d1d93e87f4242f944adbac770f39b47ce825c0c09ecfc351ab112022ceaa38f13208e39a8dc3d3df0310197
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
492B
MD5bca45ea7e8ebce36fb86bafb201d68cb
SHA1842c99a69073dc6c195bc1944ac15be3c12b7c9a
SHA256783853797e7c35a8c993407f2712f7670459a8df5f2d459d288bcf6bfaaadba8
SHA51246756bb0bfc045cac284e63a74be586883d4e29b24260e748a65d58e0e77cac56c02c2aa920ae1deeaec074607bd9f362c7058ee500c086691f8dbe6166045ea
-
Filesize
716B
MD507b785c519e3fdd5e76f0796308f8c32
SHA1e4e5efd9eda1a4dd0880492706afa7a541dd4cf4
SHA2564fb690756eb0f3bd5c79d5434a546deb2f9683dfb9755a8975f9ba4ea401adce
SHA512e2abec1d75393160de03487e88badcc35d7ba8aa4255c82f777f62d8477c2b2f7d000067beeee4a89fdacdd4296277583316707a6ea2b51871979a5d9cab7647
-
Filesize
1.6MB
MD52c4dbe075f37719580a096bf67bf048e
SHA171673f7af94683985e875f3db73cbf1a5509228e
SHA2561f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567
SHA5126d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70
-
Filesize
1.6MB
MD5d105b4d7801c85fdc7e8d1aa24e0320f
SHA1720df7f2c33514426bd2c8dd4074b6a85809e29e
SHA256e9bd21dc1ee5fcd57cea7c971d8fcb75dd3130422a16a49d74ee3c0b7d7b51f7
SHA512fec753b4c4754010b0f7638eabf3112ecf513a78908a178d47ff49e19d9999023a42a6c09af9f603df404b43b9f46992623882873a855344937af148557478ed
-
Filesize
136KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
1.6MB