Analysis
-
max time kernel
59s -
max time network
63s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 20:17
General
-
Target
86513494c7861a5a0c9f1c0fb478e36d.exe
-
Size
2.5MB
-
MD5
86513494c7861a5a0c9f1c0fb478e36d
-
SHA1
0e7ef50b5b4d51bda8789151b444505e4fdec51f
-
SHA256
80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
-
SHA512
e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff
-
SSDEEP
49152:bcuxJ/hk+7ZklWBJPxWMbKdZeQUj5xqJb6TquwYhx19ZyBNDGE:bcsSFlWBJJVbKkl2z/YhryBNDn
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Drops file in System32 directory 30 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 8 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wiaaut\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDNEPR\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\verclsid\sihost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msdelta\SppExtComObj.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\C_21025\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\recdisc\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\KBDNEPR\RuntimeBroker.exe"C:\Windows\System32\KBDNEPR\RuntimeBroker.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8c3037d-e840-4542-b3c9-b62dcf5c2c48.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\KBDNEPR\RuntimeBroker.exeC:\Windows\System32\KBDNEPR\RuntimeBroker.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20247722-4654-4896-8475-bbf891dc7c89.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\KBDNEPR\RuntimeBroker.exeC:\Windows\System32\KBDNEPR\RuntimeBroker.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20385c0e-2a12-486a-b895-b9695b4d2e44.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\KBDNEPR\RuntimeBroker.exeC:\Windows\System32\KBDNEPR\RuntimeBroker.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f17b6b3-2b51-4ede-b672-44354178f2ae.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\KBDNEPR\RuntimeBroker.exeC:\Windows\System32\KBDNEPR\RuntimeBroker.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02d2a24f-c73e-4ecf-9800-0ca672abce02.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\KBDNEPR\RuntimeBroker.exeC:\Windows\System32\KBDNEPR\RuntimeBroker.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcda4d28-495c-4515-b752-8f9382ee3e0c.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\KBDNEPR\RuntimeBroker.exeC:\Windows\System32\KBDNEPR\RuntimeBroker.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a61f65b-20ff-4c95-bcf8-a6a605e17db9.vbs"15⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\938e7d20-e767-4eb5-8076-0b75ba801d05.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d6a3d9c-dbcc-436c-9960-cd513ce53808.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e80b5fcf-73bb-44b3-a72f-ef92cf6d4d04.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b38bcbd9-cb65-47c6-8423-3b18549401e4.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33a6d5ca-cf44-4603-b860-d7dc9762a10f.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2b755d9-ec19-4f35-98c7-f20d494075c2.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd7b59a9-b612-4255-88a2-f4b47ee347c3.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\wiaaut\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\KBDNEPR\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\verclsid\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\msdelta\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\C_21025\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\recdisc\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5f7c3b7f4b34f8f329a39206616387053
SHA1a1f4bedecf34e1acfa59f1d3d9d3d73637fcac6a
SHA256a25a87d8f625f49964c7f1d351d0ce69eee6e6811ab385d07ed139d04e7238c1
SHA512db082201c8491e5b03c9cbec50d8486e280c055852ca0cabf67842af2b3d3bbe16dad3d031df59731ed17e3dee0fd8b49502693efcfa46331360d239abb206bd
-
Filesize
1KB
MD59699cf9bb24ebbc9b1035710e92b7bd2
SHA173f0f26db57ea306970a76f42c647bbce02a3f23
SHA256fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5
SHA5123a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD59a4c098e7f453518a67df7ef0a5812f6
SHA19209c50173499fd63e000b6af1afb1711b03b041
SHA256d16d10131154fc0e9c631e6f096e74ceb26684158993943a34bc8d94c7678071
SHA512568c81f4762cf2a03a428497762f360b91544fdba7b080bb9fe2b1fccc5c1aacaf3d8bbc64cbfc34e57f2c9a26ff22942b5b60bc1dfe57198ab5ef70e204be15
-
Filesize
944B
MD5672e8b21617ca3b368c6c154913fcfff
SHA1cb3dab8c008b5fba2af958ce2c416c01baa6a98b
SHA256b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec
SHA51298b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad
-
Filesize
944B
MD5c79cf713064165d9921621736789b679
SHA14d8b3c69ddab8dd528496de06ce7e6e6c2758389
SHA2566de25d006efb9912c4460725c3ff494adc8585749971235d743dae6cb568068e
SHA51222dbec206c054253a245c7eac9cbfa4d62b49a11b02adea88b6dc8e1ee4243d46e8f61efa5374d43260ff686dbd3c769b7e14bbc6d5fb2f8999f258a904a04a5
-
Filesize
721B
MD5d1abad12d59127530dc4ea9327bb026f
SHA1594f0d350e0bcb08111a0b08631ebdfe1cdd8d76
SHA256831c0164c4e92bb7fe577f683ccf19249cc29585a4e29e5b9819bbeb32c68ed7
SHA5121545438658530020140f738e48d9bea2a54c83118d6566f40e682ce343b9f4a2b966cfbb144bf684edc0b577990f52eb009b2a45e35e5f65e11daa4f40976ada
-
Filesize
720B
MD5768f30b509899707637936ec368591fe
SHA19aecb821e76ce0b0046e81cf2ae5dbeae014a31c
SHA256d13965c971562ee1e26dbcfa469ea01f184ac2c9e35d961b2e67d10f74a080e7
SHA51206c2d2397b9995adcfe994565c6dcd598189da0fb4f30c1f583d9ae6c791d584c70301cfef38d3cf6d42b5efa973789f9bc380c0335f79a02cf493d5f0f77897
-
Filesize
721B
MD594776342b5f82f3c64acca5459d3ac7c
SHA1a46d582ebb79eff2d818a832c7d23ea1b39dbb59
SHA256d7df7bbcc24e5d87b734379b17a58eddb14160112c195c1a787eb218a54765e0
SHA5125c48df181a263aac500140861d5db38b98942a22402886810010f6aef4b7bec528a1fe5791a8950a92d311be8f69493f8b2e7bbae0c171c6af0bd71e737f164b
-
Filesize
721B
MD5d35c34bf3d6683abec9b794b94ecb7f4
SHA189e10c139a1053d9865c96cb7a4ae9dcac916f18
SHA25671e8c3906be8443893ab2bee650e9253cf8fbd0424ff02918ba51c24f0d010af
SHA512e7aa7b863f04933a0369169227176da5590a08f3264a154e5f2c6fdc22dc6099b2656eafe1117457e1226395a747772425abb1e79b9f62467a82e0738b77b1ee
-
Filesize
721B
MD54278d851261c0481e27774212d1cbce6
SHA1cb33d96730119f3a6fbac9d42e19af9683607592
SHA256ea8ed167dfeb3908bb3ac0f2ee3d7f864beea3bb209fc346fdee64615c1501a7
SHA5122a32c945b1e6de0e57a61c74e03da8747746625743ba25232a8a1762a88ccfb40ee5808318426b49bb413921ff422fb0cc4857f59e829ee31ce44ae2f9f5b2a1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
721B
MD5f2a0f65e58d34b65a992b3a7ed97d732
SHA199b46dad44777c5b3f1bceee76302205a8a595f1
SHA256788eedc5a3e5273f7302445b7fff5548a686fb122cc9e422c201aadd7e14e0a0
SHA512507d1745326cf3f389292bf0508f1eb89b2be17ed8f00ccf4bcc749be79bde21454d503cbcd50f307511472a676d8da2bed36b88315021f565de4833dacf23db
-
Filesize
721B
MD5d015f33c059e9060e166f032d7fd01ad
SHA1bf922da7df556fec1dfe4f23b73491d3f4f1ffed
SHA256175dfb808e7344a43ffdac1637074cf8205a7dd03172038c7b0bc6ff7927781b
SHA51279f2f3e162ef40fd678d3da086bfed4105d148a4d4ae5cb2fe9e3289841be180fb51d20e34abca56272c15643bc83202a1c6cfc2b8c3628b6d43de8bebce5d9e
-
Filesize
497B
MD5bfccc313b7471b5ef8539e76253c67b7
SHA1c06c0794e2c3733b40d49ed6c39698d75ea8d774
SHA256c4a24049c34ca8acede6219ac86591b78a213a4849a88edc237a03bffa85dab8
SHA51284f99d6eaedf51d2bfc1685d4811484654d4195e6e403c5d3106dd87805fbb5cfdfd14834f5b4280d7a21327d30db328ab51d35029a14b3558bdcc33a094162c
-
Filesize
2.5MB
MD586513494c7861a5a0c9f1c0fb478e36d
SHA10e7ef50b5b4d51bda8789151b444505e4fdec51f
SHA25680c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
SHA512e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
2.5MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
344KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
136KB