dcrat | eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a

Analysis

max time kernel
297s
max time network
312s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21/08/2023, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe
Size

1.6MB
MD5

cd4ee1a7a160a3c103e775ec9136f10a
SHA1

53bedd6edbba3e0a56268362b3451e9a1fdc1627
SHA256

eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a
SHA512

220101710ac33527532d1b1c153ce8bd477b3b7a282fbb1a5e3139b8cd5f064fee305ef16b77b228970ce31cc378c3e9cdb57def29f36b978a4ba7f362db5d59
SSDEEP

24576:T2G/nvxW3WjfexVOsf1916TKXVF6A/fIreiReAqzEqB+qLzqb3nxBzP4U1xg:TbA3Gn6L9QeVAqzEqPOFBzPXu

Score

10^/10

dcrat evasion infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	396	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	396	schtasks.exe	74

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000600000001af8d-133.dat	dcrat
behavioral2/files/0x000600000001af8d-135.dat	dcrat
behavioral2/memory/4292-136-0x0000000000E00000-0x0000000000F52000-memory.dmp	dcrat
behavioral2/files/0x000600000001af90-148.dat	dcrat
behavioral2/files/0x000600000001af90-163.dat	dcrat
behavioral2/files/0x000600000001af90-165.dat	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
4292	BlockPerfmonitor.exe
4412	Idle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ELAMBKUP\sppsvc.exe	BlockPerfmonitor.exe
File created	C:\Windows\ELAMBKUP\0a1fd5f707cd16	BlockPerfmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
164	schtasks.exe
212	schtasks.exe
4136	schtasks.exe
1804	schtasks.exe
4476	schtasks.exe
1480	schtasks.exe
3888	schtasks.exe
3588	schtasks.exe
924	schtasks.exe
3084	schtasks.exe
1888	schtasks.exe
4976	schtasks.exe
5056	schtasks.exe
528	schtasks.exe
2140	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings	BlockPerfmonitor.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4308	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4292	BlockPerfmonitor.exe
4292	BlockPerfmonitor.exe
4292	BlockPerfmonitor.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe
4412	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4412	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	BlockPerfmonitor.exe
Token: SeDebugPrivilege	4412	Idle.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4428	3044	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	69
PID 3044 wrote to memory of 4428	3044	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	69
PID 3044 wrote to memory of 4428	3044	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	69
PID 3044 wrote to memory of 3776	3044	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	70
PID 3044 wrote to memory of 3776	3044	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	70
PID 3044 wrote to memory of 3776	3044	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	70
PID 4428 wrote to memory of 3616	4428	WScript.exe	71
PID 4428 wrote to memory of 3616	4428	WScript.exe	71
PID 4428 wrote to memory of 3616	4428	WScript.exe	71
PID 3616 wrote to memory of 4292	3616	cmd.exe	73
PID 3616 wrote to memory of 4292	3616	cmd.exe	73
PID 4292 wrote to memory of 2280	4292	BlockPerfmonitor.exe	90
PID 4292 wrote to memory of 2280	4292	BlockPerfmonitor.exe	90
PID 2280 wrote to memory of 3532	2280	cmd.exe	92
PID 2280 wrote to memory of 3532	2280	cmd.exe	92
PID 3616 wrote to memory of 4308	3616	cmd.exe	93
PID 3616 wrote to memory of 4308	3616	cmd.exe	93
PID 3616 wrote to memory of 4308	3616	cmd.exe	93
PID 2280 wrote to memory of 4412	2280	cmd.exe	94
PID 2280 wrote to memory of 4412	2280	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe
"C:\Users\Admin\AppData\Local\Temp\eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomSurrogatebrokerCrt\bCHfvnOhpBFuYP7qZ.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\MscomSurrogatebrokerCrt\zIFGDdD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe
      "C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JigN4PJfPZ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3532
      - C:\MscomSurrogatebrokerCrt\Idle.exe
        
        "C:\MscomSurrogatebrokerCrt\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomSurrogatebrokerCrt\file.vbs"
  2⤵
  PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MscomSurrogatebrokerCrt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MscomSurrogatebrokerCrt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MscomSurrogatebrokerCrt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MscomSurrogatebrokerCrt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MscomSurrogatebrokerCrt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MscomSurrogatebrokerCrt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\ELAMBKUP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ELAMBKUP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\Idle.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\Idle.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\Idle.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\bCHfvnOhpBFuYP7qZ.vbe

Filesize
207B

MD5
95ced681f6ed091e814560cfd6263b67

SHA1
5ce23afdddf770d7db461d949be98bafdad7927d

SHA256
acaf58fd6f360831e6af609791bea73077ffe1b976b28fd8d7640f2a63be783a

SHA512
d2ef86bd18da42befe83fa3e06857303f43c39cc9b1bd4a887f2839c948966a5f953b390a2c27733b60acf3a62191bcd8d41a513f36816ce268995362e997b91

Download Submit
C:\MscomSurrogatebrokerCrt\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\MscomSurrogatebrokerCrt\zIFGDdD.bat

Filesize
161B

MD5
ae30d28aebaf9f4d8e0f0a5322a49a9c

SHA1
99096c4cb201ebe50adf30ce7849fac2d424f634

SHA256
aeabc11a80ec4da62577d0e529009cbf15d5258ca5fb3f0bfcc07ca472699f8d

SHA512
234db49cb976a1487286efdc4d53964188bab6766d37ab0676a86c91c00e942c5ed98f4facc4d629b5efaa8f8b33bbc781675e148279bff81b0ac7c2c764caf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JigN4PJfPZ.bat

Filesize
200B

MD5
c087e21b716836e8029e832914fffb6a

SHA1
2b3641af089ea3191d1dea4693110998a2744917

SHA256
443726e08be61059c26d5e942f0c52a9963dd6a809a9d2085aa43f778be97607

SHA512
15809eb839be243844dde28c2d241aa89c4f5663f1dc63403bee145a31dcc06b070ffe30e71e1431f021d9dbd03e6754ce93028092e90dcd418da85215106fe7

Download Submit
memory/4292-137-0x00007FF97DB70000-0x00007FF97E55C000-memory.dmp

Filesize
9.9MB

Download
memory/4292-139-0x00000000018B0000-0x00000000018CC000-memory.dmp

Filesize
112KB

Download
memory/4292-141-0x0000000003190000-0x00000000031A6000-memory.dmp

Filesize
88KB

Download
memory/4292-145-0x00000000031D0000-0x00000000031D8000-memory.dmp

Filesize
32KB

Download
memory/4292-144-0x00000000018D0000-0x00000000018DE000-memory.dmp

Filesize
56KB

Download
memory/4292-143-0x000000001C880000-0x000000001CDA6000-memory.dmp

Filesize
5.1MB

Download
memory/4292-140-0x00000000031E0000-0x0000000003230000-memory.dmp

Filesize
320KB

Download
memory/4292-142-0x0000000001890000-0x00000000018A2000-memory.dmp

Filesize
72KB

Download
memory/4292-162-0x00007FF97DB70000-0x00007FF97E55C000-memory.dmp

Filesize
9.9MB

Download
memory/4292-138-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Filesize
64KB

Download
memory/4292-136-0x0000000000E00000-0x0000000000F52000-memory.dmp

Filesize
1.3MB

Download
memory/4412-166-0x00007FF97DB70000-0x00007FF97E55C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-167-0x000000001B690000-0x000000001B6A0000-memory.dmp

Filesize
64KB

Download
memory/4412-168-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/4412-169-0x00007FF97DB70000-0x00007FF97E55C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-170-0x000000001B690000-0x000000001B6A0000-memory.dmp

Filesize
64KB

Download