dcrat | 4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe
Size

574KB
MD5

b5a28a29823b875076ccca3344499426
SHA1

cf51bddf543b5b3570e43d7eb83d201309da36a3
SHA256

4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df
SHA512

e9a648701f6612c1f5f0956d226282b5af26beee4e517a1d5670f97bb97dae8edd010080a1857213dd72d5b89f80da4f9f00f1d19c4459d1c06ca5ef936fe144
SSDEEP

12288:HQnk3GDYKGcbllbp8VTbS8thdRok51TvLH5W:JAOcZxpgTbS8tZokU

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\savessvc\svcnet.exe	dcrat
C:\savessvc\svcnet.exe	dcrat
C:\savessvc\svcnet.exe	dcrat
behavioral1/memory/612-74-0x0000000000F30000-0x0000000000F96000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

zE5aikUa0klpw3r9Qf0i.exesvcnet.exe

pid process

1988 zE5aikUa0klpw3r9Qf0i.exe
612 svcnet.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

2040 cmd.exe
1336 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svcnet.exe

description pid process

Token: SeDebugPrivilege 612 svcnet.exe

pid	process
1988	zE5aikUa0klpw3r9Qf0i.exe
612	svcnet.exe

pid	process
2040	cmd.exe
1336	cmd.exe

description	pid	process
Token: SeDebugPrivilege	612	svcnet.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exeWScript.execmd.exezE5aikUa0klpw3r9Qf0i.exeWScript.execmd.exe

description	pid	process	target process
PID 988 wrote to memory of 964	988	4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe	WScript.exe
PID 988 wrote to memory of 964	988	4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe	WScript.exe
PID 988 wrote to memory of 964	988	4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe	WScript.exe
PID 988 wrote to memory of 964	988	4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe	WScript.exe
PID 964 wrote to memory of 2040	964	WScript.exe	cmd.exe
PID 964 wrote to memory of 2040	964	WScript.exe	cmd.exe
PID 964 wrote to memory of 2040	964	WScript.exe	cmd.exe
PID 964 wrote to memory of 2040	964	WScript.exe	cmd.exe
PID 2040 wrote to memory of 1988	2040	cmd.exe	zE5aikUa0klpw3r9Qf0i.exe
PID 2040 wrote to memory of 1988	2040	cmd.exe	zE5aikUa0klpw3r9Qf0i.exe
PID 2040 wrote to memory of 1988	2040	cmd.exe	zE5aikUa0klpw3r9Qf0i.exe
PID 2040 wrote to memory of 1988	2040	cmd.exe	zE5aikUa0klpw3r9Qf0i.exe
PID 1988 wrote to memory of 1944	1988	zE5aikUa0klpw3r9Qf0i.exe	WScript.exe
PID 1988 wrote to memory of 1944	1988	zE5aikUa0klpw3r9Qf0i.exe	WScript.exe
PID 1988 wrote to memory of 1944	1988	zE5aikUa0klpw3r9Qf0i.exe	WScript.exe
PID 1988 wrote to memory of 1944	1988	zE5aikUa0klpw3r9Qf0i.exe	WScript.exe
PID 1944 wrote to memory of 1336	1944	WScript.exe	cmd.exe
PID 1944 wrote to memory of 1336	1944	WScript.exe	cmd.exe
PID 1944 wrote to memory of 1336	1944	WScript.exe	cmd.exe
PID 1944 wrote to memory of 1336	1944	WScript.exe	cmd.exe
PID 1336 wrote to memory of 612	1336	cmd.exe	svcnet.exe
PID 1336 wrote to memory of 612	1336	cmd.exe	svcnet.exe
PID 1336 wrote to memory of 612	1336	cmd.exe	svcnet.exe
PID 1336 wrote to memory of 612	1336	cmd.exe	svcnet.exe

C:\Users\Admin\AppData\Local\Temp\4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe
"C:\Users\Admin\AppData\Local\Temp\4a8208bf9f396c802e85052dcec8f7640368941b3ad6aa575de3e1f4bfcfc3df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\savessvc\JUcz4WZXVbZk8gcmJxrEcb4ximqA6j.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\savessvc\sNk4kRXBNanZfVivadaVjhIxLvG7qo.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\savessvc\zE5aikUa0klpw3r9Qf0i.exe
zE5aikUa0klpw3r9Qf0i.exe -p72bd158fbe13eb6fc612f01b05e6c25dc8fa84ad
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\savessvc\DWBa6JeVc6vTABpoy0bZfYmmDxHKHw.vbe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\savessvc\4YgFlhWIPSsjQhMRmTQaO5X1cSnM5U.bat" "
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336

C:\savessvc\svcnet.exe
"C:\savessvc\svcnet.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\savessvc\4YgFlhWIPSsjQhMRmTQaO5X1cSnM5U.bat
Filesize
24B

MD5
412431155f5031d9ada5f524fea990a4

SHA1
580e09a584bd0a02f65bf008c9e8915db2113c2e

SHA256
1c2b54b913b727f357e89e2ce9faf5ea8eb6e520c4d59af56681bf7d15b57eaa

SHA512
1f8b66e63697e4d3f7f82b94e0a61aa9fd65e07183df7725c5106f5e70c704326b2be1048bfdf7f802818a7ea367c8656605fe364a62b6f8d7757a9d32568eb5

Download Submit
C:\savessvc\DWBa6JeVc6vTABpoy0bZfYmmDxHKHw.vbe
Filesize
220B

MD5
7504ec033e802fcdb608cb4c8a280776

SHA1
a79e62b38bef2ede56cb9fd2aa535b47b0dd3459

SHA256
c53facfea48298509fb9ee6df7d1bf92f01bd3cd73145e315ef5155f0146ddbb

SHA512
a8ebc85d0c28075065ae7c8cec406fb44e4d42cfc54e336c5db7cc3d311ada3f8028870f7e680d0a637b03d8390312d7dae078b145787e9bb100924cc7e85e26

Download Submit
C:\savessvc\JUcz4WZXVbZk8gcmJxrEcb4ximqA6j.vbe
Filesize
144B

MD5
3557d032c699a7de99188110aac459ef

SHA1
96d3160be15cdb3a547030b624fd2a8d6ff335ea

SHA256
eb6f895f786b67e38b3e14a3e5f40cc82f7e62e69d574ac3001896ced8a71615

SHA512
01a0fb2e0963b80b69d35a4cf1de1abcb17b3dc6d5ba631d50eb3a12da67e045026723aeba6438accf1fceca4ada970ce6bd2c17d6cc1cc3fe1e2f989166bbaf

Download Submit
C:\savessvc\sNk4kRXBNanZfVivadaVjhIxLvG7qo.bat
Filesize
615B

MD5
8f295bcb8644fb442459f3ac739270f1

SHA1
256371569e013d7d097f09a4ca1bab119621097c

SHA256
b7433239dffc8671a2eabc6700d4ffec37adbf199bf64d3228d9d48226250e27

SHA512
c2d61a11e92a871c689ca66d41eb4f20fc73919b38565060f4d81f5e17e807a8942d02593274ad0582d3091adceccc49e06796b40ddaac4080b3987add0ab919

Download Submit
C:\savessvc\svcnet.exe
Filesize
375KB

MD5
c855e27232bb8440beca03334c686b5a

SHA1
7b2043bc4d04fdd44c5be6c5e7676b9f16ce21e7

SHA256
86635219f27c28bb252af0d9e551f379ec4151318268aaca3523616cf716f8ab

SHA512
cc282f5c1c3d56a9f20fc2aa49ff8ea1afd6bdc246d51400abd83631d3adeb3a9458e541e24771c1bb7907d7a663a930024c4e2cc3f298529502b964242e33d1

Download Submit
C:\savessvc\svcnet.exe
Filesize
375KB

MD5
c855e27232bb8440beca03334c686b5a

SHA1
7b2043bc4d04fdd44c5be6c5e7676b9f16ce21e7

SHA256
86635219f27c28bb252af0d9e551f379ec4151318268aaca3523616cf716f8ab

SHA512
cc282f5c1c3d56a9f20fc2aa49ff8ea1afd6bdc246d51400abd83631d3adeb3a9458e541e24771c1bb7907d7a663a930024c4e2cc3f298529502b964242e33d1

Download Submit
C:\savessvc\zE5aikUa0klpw3r9Qf0i.exe
Filesize
439KB

MD5
608b5a7325eaf4d926ddf6f386297f40

SHA1
697f30c063d7d5330495bc4742a6dbc1e38d1d31

SHA256
3264159e72fc0d2f1890b99ed3c91501194a189e32ba73c34e8b69a2214d8590

SHA512
577e2ebee6ee5fde12adff78ad4344a6e9f89d810ca380e3aa499ffc235c05392d1847493c20a066ab1d8f5344b5dc02fc104a5d31f28c0256f82a91c0dee652

Download Submit
C:\savessvc\zE5aikUa0klpw3r9Qf0i.exe
Filesize
439KB

MD5
608b5a7325eaf4d926ddf6f386297f40

SHA1
697f30c063d7d5330495bc4742a6dbc1e38d1d31

SHA256
3264159e72fc0d2f1890b99ed3c91501194a189e32ba73c34e8b69a2214d8590

SHA512
577e2ebee6ee5fde12adff78ad4344a6e9f89d810ca380e3aa499ffc235c05392d1847493c20a066ab1d8f5344b5dc02fc104a5d31f28c0256f82a91c0dee652

Download Submit
\savessvc\svcnet.exe
Filesize
375KB

MD5
c855e27232bb8440beca03334c686b5a

SHA1
7b2043bc4d04fdd44c5be6c5e7676b9f16ce21e7

SHA256
86635219f27c28bb252af0d9e551f379ec4151318268aaca3523616cf716f8ab

SHA512
cc282f5c1c3d56a9f20fc2aa49ff8ea1afd6bdc246d51400abd83631d3adeb3a9458e541e24771c1bb7907d7a663a930024c4e2cc3f298529502b964242e33d1

Download Submit
\savessvc\zE5aikUa0klpw3r9Qf0i.exe
Filesize
439KB

MD5
608b5a7325eaf4d926ddf6f386297f40

SHA1
697f30c063d7d5330495bc4742a6dbc1e38d1d31

SHA256
3264159e72fc0d2f1890b99ed3c91501194a189e32ba73c34e8b69a2214d8590

SHA512
577e2ebee6ee5fde12adff78ad4344a6e9f89d810ca380e3aa499ffc235c05392d1847493c20a066ab1d8f5344b5dc02fc104a5d31f28c0256f82a91c0dee652

Download Submit
memory/612-71-0x0000000000000000-mapping.dmp

Download
memory/612-74-0x0000000000F30000-0x0000000000F96000-memory.dmp

Filesize
408KB

Download
memory/964-55-0x0000000000000000-mapping.dmp

Download
memory/988-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1336-69-0x0000000000000000-mapping.dmp

Download
memory/1944-65-0x0000000000000000-mapping.dmp

Download
memory/1988-62-0x0000000000000000-mapping.dmp

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download