Analysis

  • max time kernel: 1050s
  • max time network: 1049s
  • platform: windows11-21h2_x64
  • resource: win11-20250313-en
  • resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 28/03/2025, 19:13

General

  • Target

    Element.exe

  • Size

    1.4MB

  • MD5

    adbe8f67d479b99bcd29824cf1f2a54c

  • SHA1

    a6a61e93fc60ab956114653b388d96a83d5fad04

  • SHA256

    579b72fd2fcc3cce6facff0b2b01a0571d041792d3a0b9f3ae7c7155467067a2

  • SHA512

    a88607580eb3848a990388e74e00402b594c437e0f732e16136feaba812a5ea47424eedfa3357af5ef70353a251a241e81636c21ada2504dc41d5526797239e7

  • SSDEEP

    24576:u2G/nvxW3WieCNKvNRRk656mvI/1mBnUjJB4j3ST6rlcAqpJ/jko:ubA3jNgT60qjJGCTAqxrN

Signatures

  • DcRat
    DarkCrystal RAT (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
  • Dcrat family
  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Process spawned unexpected child process (6 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • DCRat payload (2 IoCs)
    Detects the payload of DCRat, commonly dropped by NSIS installers.
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Executes dropped EXE (8 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (3 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 6 IoCs)
    schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of SetWindowsHookEx (13 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Element.exe
    "C:\Users\Admin\AppData\Local\Temp\Element.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comSavesSessionbrokerNet\137ZAQtz7T0KfqnihMmUn1LNjeAvS.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\comSavesSessionbrokerNet\Dwq7lixZ2zOO3JgtN3iMKD.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\comSavesSessionbrokerNet\ChainComsvc.exe
          "C:\comSavesSessionbrokerNet\ChainComsvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comSavesSessionbrokerNet\ChainComsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\a6967cde399746f71342f34c4a76b5\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3344
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4zDtkd3Qf5.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5604
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:5372
            • C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
              "C:\a6967cde399746f71342f34c4a76b5\winlogon.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\a6967cde399746f71342f34c4a76b5\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\a6967cde399746f71342f34c4a76b5\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\a6967cde399746f71342f34c4a76b5\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2208
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\a6967cde399746f71342f34c4a76b5\winlogon.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
      C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5272
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\a6967cde399746f71342f34c4a76b5\winlogon.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
      C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3304
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Links\dllhost.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Users\Admin\Links\dllhost.exe
      C:\Users\Admin\Links\dllhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4004
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Links\dllhost.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Users\Admin\Links\dllhost.exe
      C:\Users\Admin\Links\dllhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4248
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ApproveDebug.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1500
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:996
  • C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
    C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
    1⤵
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b75baf2-5484-4a3c-819f-7600833c4dea.vbs"
      2⤵
      PID:5312
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3cc560f-b5f5-4388-814b-c28d10eca4b3.vbs"
      2⤵
      PID:4392
  • C:\Users\Admin\Links\dllhost.exe
    C:\Users\Admin\Links\dllhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5908

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            627073ee3ca9676911bee35548eff2b8

            SHA1

            4c4b68c65e2cab9864b51167d710aa29ebdcff2e

            SHA256

            85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

            SHA512

            3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

            Filesize

            1KB

            MD5

            b4e91d2e5f40d5e2586a86cf3bb4df24

            SHA1

            31920b3a41aa4400d4a0230a7622848789b38672

            SHA256

            5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

            SHA512

            968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B

            MD5

            d0a4a3b9a52b8fe3b019f6cd0ef3dad6

            SHA1

            fed70ce7834c3b97edbd078eccda1e5effa527cd

            SHA256

            21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

            SHA512

            1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            119B

            MD5

            653a80b99a97f49f75810056c506c6fa

            SHA1

            0aab4d88583b1e2b99ca3e4ff78837b3d9e7421d

            SHA256

            aebc098fef76882bed89133396e5c360147a4ead9412af3487637eeb711bc3e3

            SHA512

            8d63fbd2d3a977785eb8bd05a27c4980a7d544ad08e1c54b9eed6d288c6f4afad5d487532bdcc0b4fd2d668c968b0f31ce6787b2e0f33fedbe8b2b895485b061

          • C:\Users\Admin\AppData\Local\Temp\2b75baf2-5484-4a3c-819f-7600833c4dea.vbs

            Filesize

            722B

            MD5

            c3e884914f81b58dd0351a310a518dfa

            SHA1

            7e8f1f25e2409fbe72bd585d4722f5fccd1a9881

            SHA256

            f6262894caf988449a7257c67daacba1ebca2fd20c1255899b517bc65629b245

            SHA512

            cc430995911c79344a39678b5b2e3cec159a55cc60ad344a955387b23ca8e6f0acf78ddd3320d9427342a97584c58227f5e595f26435bfec41acf184cf48e2b3

          • C:\Users\Admin\AppData\Local\Temp\4zDtkd3Qf5.bat

            Filesize

            211B

            MD5

            4be065dc182a8d88fb45711599ce9124

            SHA1

            5ed9e3bbd339acd8f944a84327f58c6e57c4e7a9

            SHA256

            956358299d966b23c7049679c128584632392fd1272f99db29f988c0306db164

            SHA512

            1d6a7c271ed6a87f50ab14d846e99c3b8aea7457434f12973893994d18e6ba66c06706900f1e14b75a52ee01059f76bbbad7287028bcfb209dc62da7a8eec039

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzft4155.0pb.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\f3cc560f-b5f5-4388-814b-c28d10eca4b3.vbs

            Filesize

            498B

            MD5

            6f3ebe7765309c7c1b05c13910299412

            SHA1

            c843c29082ea657550683a67d39fb7b734c6b3b6

            SHA256

            e7f0cf87ee1dbd0e85b7208065561b98817ecd34d72c726752d12ad8c543205d

            SHA512

            124636202e4c3dcadb9e43afbaf80e94ffc387c6ae5eec63b63a160274af370b8f9e438508b2f7b3d9752f36db43db2df468983ed35a98affab7f8a3a16a117c

          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

            Filesize

            313B

            MD5

            be41b05a3e7c0528746772a4c3bc6162

            SHA1

            bc00571f374897afcc705822f590bf33d8e9b133

            SHA256

            187114a0eb35677eefba7551f4596eb015ffd75c4e6ba6b8ac3415df23ebfbba

            SHA512

            197f5d2e884b6a652670e85cdf45708dd484f021b62912de854a9e88e78450daec7738a800f8807b70ff2e2960cf1c317e82dcd56704287a7b48c0809bc7aaad

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

            Filesize

            2KB

            MD5

            85c97c622888e3524681d8b38074631c

            SHA1

            2981cd2a554b8c107569578761d07a584457ff9a

            SHA256

            c81ee20e6869ae5d666b88cc7153fb4e74ffed5d934535d4893c09029e746250

            SHA512

            3bd16568a30bda2430fd2c3524b3d9a6fc258a44a0d2dc2dab959a1b711bca7f64727bbe4ba163f8dcc0db649564bc39fc6c8b77fef1e2677306d3b4af2c63b1

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

            Filesize

            2KB

            MD5

            e7cc737da781a06994c2ac99af084757

            SHA1

            e9c474257d5c304deb4de0907cd7d900067ab6b1

            SHA256

            f29f5ec5619622881cec276a5b1c94030a68a3b3ffe4925d03de23e0ca5cf0b1

            SHA512

            bec1a86a81b162c71791467c7fa9d1ee99ff1ee4241d232ae8e73d889ea419c4e4c486f9da2d7fe5c5644d3db3115ad10631e2f81ed065f85f24b9524095fff4

          • C:\comSavesSessionbrokerNet\137ZAQtz7T0KfqnihMmUn1LNjeAvS.vbe

            Filesize

            223B

            MD5

            8bda878ad816fcdfc732fbe16002def1

            SHA1

            9bc892a09cb9f9d945c16ba0afdc90aad639fbd6

            SHA256

            bdf68e1db80c1d790b7cb64580f80efd0f5a1beed23c3a3da2c4ebae2c601f76

            SHA512

            fba6b63daa0efcc5fe54065c7c3cf80e71bd838937dd1bf6a7861b33bbdb409fde9f9cf6dc5019726cbd64ba2396b16aedf596271b5e0e03cab9c559417e1cdd

          • C:\comSavesSessionbrokerNet\ChainComsvc.exe

            Filesize

            1.1MB

            MD5

            96fcb717c20c4e1629883d7bc366794f

            SHA1

            4f06e5ec4234031b67889afcba11cddaa7b2115d

            SHA256

            8635b498be98d750486f1a5e832bb862fe8c2248e983435546459bf101632221

            SHA512

            56037e13339873710c672c68f584aa1e6a2682248993a679b93ae07ad3e7f51d93c09e078d1e5c25a58fbca6869040fd2c363f8af43e95da5c9ed4cb00d092c6

          • C:\comSavesSessionbrokerNet\Dwq7lixZ2zOO3JgtN3iMKD.bat

            Filesize

            45B

            MD5

            1b8d4bcf85b42a18e60f7df6b5473318

            SHA1

            523c9e522f785f220dbf69f9c14f81bc8b221c3c

            SHA256

            587df711b165a596ca89bb178776223a1200d8a349a50dc06ec7a20d0483d16c

            SHA512

            735141589a81eadd8c16ba08f2befcc3b029d19f01e9ed701e85ab2876bcb2182833b96683795473a094e2e6c953337ef40accec685fd71e178d55aabefe3662
