Analysis
-
max time kernel
60s -
max time network
62s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 20:17
General
-
Target
85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
-
Size
1.6MB
-
MD5
c87ae2c7c0c0a77294bdf61219b952f5
-
SHA1
009d29952e3cec0966402de8b8ffeb264c78a956
-
SHA256
85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f
-
SHA512
b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c
-
SSDEEP
24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe"C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\OfficeClickToRun.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Registry.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xqMEPA9M3G.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Admin\Registry.exe"C:\Users\Admin\Registry.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\708b4d37-ae68-43ca-bf62-222182aa8fed.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Registry.exeC:\Users\Admin\Registry.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b1195eb-8882-41b3-938e-0f22c76ae8cf.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Registry.exeC:\Users\Admin\Registry.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2f5efd-b570-48e0-9580-84fd2abd18dc.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Registry.exeC:\Users\Admin\Registry.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3523779-b33b-4c01-ae07-d3ed634e2e01.vbs"10⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7db13de-2650-4484-8e5c-ae371fd0dc75.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93784b2f-ccb5-4f75-b1e2-4b120b8e59be.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc9f4e3b-d8a8-4672-95e4-af95c994abe0.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f57a45d3-cbf3-4081-ad90-11bc404357fb.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\f170d29a37c9c9775251\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5efa4168b73a5e8ae56d49bcac4d67861
SHA1b3fe6b2d9fc05ad7892a2c8b96914764336b3067
SHA2567aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca
SHA512a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99
-
Filesize
944B
MD5555e68af1b8e33f84346bf2335e6191a
SHA1fa078ed3a608f05ae2dd2db8ed52d6bafe8d510e
SHA25691a76a2c6c73116293fb7e5bfb12b00ef8128a04fbbb44153f4fd63794b2b8ae
SHA5126f3d5be098271b844d0cbd21d902e68ce80f0bcfa67e3fb507d11bacf15227d3e66397fec2691d7f3333194d4d2067ea416bcbb1d9739f661db3bab0259af44e
-
Filesize
944B
MD5084d49c16a0db5a169356315e8e97d83
SHA1af662c8666ef7c52c9711c0f143e0b8620f27d19
SHA256a374d799d8b4b9c2cac922c093a90cbaf6d0bda3155faf176c6f95b46b8f35d2
SHA512c14524f55f0e58bb64a99298b82d995136a0057c2a7e4e972b9c90477871ae416063318ba8b7f43a4fc66ca8b21eca26505645c4d195fe3ab9419c8d35a459fb
-
Filesize
703B
MD585819586dac30f86c6d5ec2741a8c7cf
SHA178c225ab9158f84ccaf621953a3c8edfdc411b9c
SHA256dd0123a83d13d92f0dfbe8eb916d27649a2cc374b40128ad903f60a88d26c833
SHA512d1778707274a0e9415b288855d9a3eae9f05f1fd67e8dbb95fef4e34554d365b1f4063f4c2a42153fa56cfbede27a525282e48bc9446c6945979541b2df17deb
-
Filesize
703B
MD5fb1679971fc8b47e21145c481db539a5
SHA154596b0eeb579ff68670f64ab1b2c3f2dc543301
SHA2568127264dcbd86525ab411e468a45c898dfb092fe7c6859bdc0f710895a7dca74
SHA5126e1e68ff044e535dedecd160e010f92e5aa7af21d1f2c7f0b2bc04570f2690e847bdebfae1140a516fd0e3a81e3e1c69c72c34c1ba44222246e2c0c127619dc4
-
Filesize
703B
MD54dcd86a0e24167c8c8e3c792ff07d0af
SHA13bce836e52232e29591a7d79a439eef70667cc60
SHA2569603dd9bd9eb8d7e05bb326063f3493b873368984f74dc4564bc1b02ca1ba0ff
SHA5129d902da2d4cbd58ede8114adde734d30cfb8b30d6f715764c14af95f4a83e794d072eeb8525691ce601a4ba5b1f5df39a0b625a2481395c079c870dfe9b52d74
-
Filesize
1.6MB
MD5c87ae2c7c0c0a77294bdf61219b952f5
SHA1009d29952e3cec0966402de8b8ffeb264c78a956
SHA25685c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f
SHA512b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
703B
MD556978e437a92b83ca08eccea8c6e4c8d
SHA1054e0161c795016245638efbe5bd9edb020b4293
SHA25630be05e50bdff128a667f61be33ebad4c622bb7b32e82e8cc6b6024b200635bb
SHA5124e2ab80c86ad2e6c9f9cf5a9784da53a7a54182fb7aafb4306ae8a5449cac013b22d1eecb455f4321b442d71fdfd67bb214fe9a370b55f35088a9d5ad403cffb
-
Filesize
479B
MD5c71495b43d6ac911a7a3ad2dfcd6ed5b
SHA1d696a7143af526e96d9fc087045a084592597b10
SHA25622bd7f4c3a564a84ed1cebca7938c191527131d36b487306478ec00667f7b07b
SHA512bcf9dbc353f0292ac193e7e16a867069c7a9870f3d1e6e41637d1152b4ce9782af25a46612b6ebf88320ec0b0c5b02374e89c9830f2373ad8e5ce01482117d67
-
Filesize
192B
MD5d611925b58c6127e5470423a3932bcd1
SHA185425dec7eb0be9363dca144efeacfd7d9956968
SHA256d6fa8334e32ab262bcfeefb23b908637d033cbf350e32049b63b3de92d2dabcf
SHA5120a28c1e0ca03fc395a4a70c3ddebbb638d7bc89619f28cfc0b0b94cc7b3c047b7faeca682f05e85b96d6762291b3ec6305c13173939ae4fb0bb532272705d57a
-
Filesize
1.6MB
MD50a5e6b42613f06262e8c52264755e986
SHA1b68dd9c1203ea8c9a24275da330ba698ce17a781
SHA25604301894b15dddb361d52ccb41e1e74eca9e07a6381cc66ec9a9c72cb1d54650
SHA512a361341b1ba1260af716658e22348bfb10098e4663f402b56b13096abf89275cf1e60cd0cd685759e4df821a6b0e6a654d4365bbec3810a19909502ef8093e2f
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
1.6MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
136KB