Analysis
-
max time kernel
59s -
max time network
58s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
22/03/2025, 20:17
General
-
Target
86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe
-
Size
1.6MB
-
MD5
522b3cc9b8e0565c5a2eb2d40b7a9513
-
SHA1
86d71ba007afecc0f28e9815086992099a13f2c4
-
SHA256
86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12
-
SHA512
a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73
-
SSDEEP
24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 5 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe"C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nbjzFmbPFe.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files\7-Zip\wininit.exe"C:\Program Files\7-Zip\wininit.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da1dbcbf-d4b8-4b09-8df1-724b7a830ef0.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\wininit.exe"C:\Program Files\7-Zip\wininit.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f269809c-3677-471b-80bd-caffc0eadd83.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\wininit.exe"C:\Program Files\7-Zip\wininit.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35c3e8f9-21d4-43d5-85e8-5adf10f13b66.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\wininit.exe"C:\Program Files\7-Zip\wininit.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8ba2609-4f27-436a-a01a-aff8e4ebcde2.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\wininit.exe"C:\Program Files\7-Zip\wininit.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5895c246-ec3c-4abe-be82-6a9b46cca2d0.vbs"12⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ccab419-892b-4f67-8c1e-a46a6706c4b4.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e36f7c35-020e-4895-84d4-d0481cd13d05.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4645d953-c2f4-45be-96e7-cc7235f4d481.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d942a078-5d76-4415-a43a-f72e5be7b6e9.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e738fd97-fe46-4464-9a1f-0e89c3f99dc2.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Fonts\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD55fa4f46215c0b832d7f8b676b37cbf8d
SHA12e1bdf2fc115eafda488aa6dfdc8038b2fff5070
SHA25660a19df832b62c5fc3b03d643fd441b9a60843c7288a5532059326bd0ed96764
SHA512843c50e322763e349c1cc70a2566225e4b220f9ca81785639134ab0b43f1dcdb572b680db92c1f61c8e5d51127ffde427c4281ba724acff71c2b03afc30ce567
-
Filesize
710B
MD513ff722d0560ed39905c66e89ba4e2c8
SHA10fa1a4af41fd706b633bf8c42b4602c29a8d1170
SHA2564d4767c2bb0084dd3d17cc89af82a61bf686bae6b99880bf6c67b90f57794aaf
SHA51264ae51de1745a2c6a5f27de46fd4666ed069823ffa31cc5bff1fb7de5d4926d39048181aea3ee3bb2cb9ac69a1e98ee4c14164014ebbb4fe1a138816587f4d9a
-
Filesize
709B
MD56aa233546dcddc38c0d81ad6fd688f68
SHA132d7d8bafd1e7b2b04c7b1bb6659b00a62cfd140
SHA2566908575c30884f644b8a1f286169ee62bd9d63cea15c8aa7a849c38f36cab33f
SHA5127a45db218a76d5763cf0c11591c3210a7918415e5ebb525b8b372c5364831a0765cd1d72a9aed429700e9bfd74e39a154cc93869f3b1caa566430bdd651b34ff
-
Filesize
1.6MB
MD5522b3cc9b8e0565c5a2eb2d40b7a9513
SHA186d71ba007afecc0f28e9815086992099a13f2c4
SHA25686700eca731eb2e78b5995d66bec509b0438494b6a573d777043b6d21f10ac12
SHA512a22e86028dc923064c045563341d3c144f9d3473935c8ebecf54e2a6ab4afb5b21d2cc0a80f92dc96ceb294dbbf2a33ebc48122079acb62f9ec140230e3e6c73
-
Filesize
710B
MD538574fda645e94aec85ed134c7d7883e
SHA11978e8a949f6495a9a3f7cd448d7f7e17d84696c
SHA2566e5653c835c752ecb44afce5fd101d2854e38cf24980c5c77473ed7ad0429b1b
SHA51235a07052d3536ec29d057fb40daed963f6fe2d51911089618ad2a5884053b3f54b6e10e58993f52f95ef8edff933338395605b487a56e87dfa968bb4656d8c6a
-
Filesize
710B
MD515589c8c0139394967b03e5795dde3da
SHA142c433b312c322116ded1f700752b006be41026b
SHA2566074668dc1d0ee0800625d5110dd38071b4c159b3432bfe26a6c9b9e83f95b9f
SHA512cba1da93b65ea5cb56bd6087b5418d0819b68f81bad74e41fcb0ae7d3d0158ffc41f73bd31c9ecc1b924a763bf1723c65b44af9ad7155f4aa40dd7183026c599
-
Filesize
486B
MD5f57d317030bf391362180861ceadc2b1
SHA1a8152a563dea3ec0ae6b48c4315dd2ed4a733759
SHA256595571a2391da0f3b17b7054b63b0cdb29c0097ee12ef31fd3bf60e606dffe0c
SHA5120a3061744361c7cef4fd53842badce324d824fa89fac17d5ac73685815a7e86a58db49d0e094b27c5d6c42996a04a6ed8b688a27574fd81a1ad5c6ae2c0b6e0f
-
Filesize
710B
MD5c9d3b76946507306ce360bc3b5f4823c
SHA19b9bedc001104f768ce257fc65d166348af267e0
SHA256b6a83dcec8689835ebf850e5ff58b2af992edf67b3873a28d3cc1edd533e774f
SHA5128ad6d079e3e9f408da33c13426ace560d60704ab5fa9473f8e76c11dfbe675d027aa951272c0d61659fc5d14ae370695eb0a01dc05885ee96edd10f603db4153
-
Filesize
199B
MD53cf20f989878056adbb4cf66af322bb2
SHA152650f280a3240944db59b8c46ab5a60499e32df
SHA256c09e291659371c1d7a1bcb6fa06fef5509cb2ead2e21baa57006825b0cd3cea5
SHA5122b2f5d87fe5b13474c2b91d8cad5317f6cbfb809235a4a8c659ee41e4042e2a69f321e105d1fc944af9b34986f290056c20a9449b1a39b5977079fef82de4e5d
-
Filesize
7KB
MD5c6933d0194f6ae6557ce71115e2814d7
SHA11bcd5a89a6f28b2f10dd21b770aec65421af8182
SHA2569fd49e15e41f019a82688c3b61237122e98dd06710777949d1157218c13c3a5f
SHA512578eabbf3274cf5e5dfd30b8efffaa8edb20dced6b2271a0c36efb379819e4c7602d8c2c1ff754b40d1114d584dc1268a8dd5f13386a3b83f59384a1aeb536cc
-
Filesize
1.6MB
MD5283b1e7fafad30f27ff0c24b8b5b63da
SHA11f25dae1e4e46df2b9aff0c2d10ac0153613994d
SHA25640a2a39dc17c1c481b30fb7c30ff56208f0468e7cace33d15e588d0f9c34ddd0
SHA51274dba5cd2d182e3cacb86fe4cc128426e4c17856ffaa1fa5ebcae670b2264c19b69b793b1eb25f6bb453788afe222480c1d56c80319147bf7350604cba547fe6
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
2.9MB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
1.6MB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
1.6MB