dcrat | 17911103687aab297d51b99468b26da38ea4331c6b7c5d2fe36d33c066f7b076

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 00:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

450db4964978e42ce9403a9dd174586a.exe
Size

505KB
MD5

450db4964978e42ce9403a9dd174586a
SHA1

2ea8411c00fd913b54c0ec19824beee5a3256a9c
SHA256

17911103687aab297d51b99468b26da38ea4331c6b7c5d2fe36d33c066f7b076
SHA512

59cdd260f0348ae5eaa966e70d3751553021c1e025c5c9442b9d606acee7f6aba4a3e4db394931228ebe22c2fa0377eaa856d77d9d97d6254c7aece5ff443482
SSDEEP

12288:rs9sZu3LQWKvXcCf4G3yXFUajm4aqYDHdstYKnKMHClGX:rcNqkCfNGFUa1aqYDHdstPT

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000015c71-8.dat	dcrat
behavioral1/files/0x0009000000015c71-10.dat	dcrat
behavioral1/files/0x0009000000015c71-5.dat	dcrat
behavioral1/memory/2508-26-0x0000000001170000-0x000000000121A000-memory.dmp	dcrat
behavioral1/memory/1960-54-0x0000000001380000-0x000000000142A000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
3060	WindowsProtect.exe
2508	reviewWinMonitornetwinref.exe
1960	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	450db4964978e42ce9403a9dd174586a.exe
2132	cmd.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iertutil\notepad.exe	reviewWinMonitornetwinref.exe
File created	C:\Windows\SysWOW64\iertutil\e9db699ef0888fe86d4c07da866b9dd0f16aef35	reviewWinMonitornetwinref.exe
File created	C:\Windows\System32\sxsstore\lsass.exe	reviewWinMonitornetwinref.exe
File created	C:\Windows\System32\sxsstore\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	reviewWinMonitornetwinref.exe
File created	C:\Windows\System32\mmci\services.exe	reviewWinMonitornetwinref.exe
File created	C:\Windows\System32\mmci\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	reviewWinMonitornetwinref.exe
File created	C:\Windows\System32\bthpanapi\csrss.exe	reviewWinMonitornetwinref.exe
File created	C:\Windows\System32\bthpanapi\886983d96e3d3e31032c679b2d4ea91b6c05afef	reviewWinMonitornetwinref.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\de-DE\smss.exe	reviewWinMonitornetwinref.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\smss.exe	reviewWinMonitornetwinref.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\69ddcba757bf72f7d36c464c71f42baab150b2b9	reviewWinMonitornetwinref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2972	schtasks.exe
2568	schtasks.exe
1696	schtasks.exe
784	schtasks.exe
2520	schtasks.exe
1888	schtasks.exe
2356	schtasks.exe
1652	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1448	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	reviewWinMonitornetwinref.exe
2508	reviewWinMonitornetwinref.exe
2508	reviewWinMonitornetwinref.exe
1960	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	reviewWinMonitornetwinref.exe
Token: SeDebugPrivilege	1960	cmd.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3060	2548	450db4964978e42ce9403a9dd174586a.exe	20
PID 2548 wrote to memory of 3060	2548	450db4964978e42ce9403a9dd174586a.exe	20
PID 2548 wrote to memory of 3060	2548	450db4964978e42ce9403a9dd174586a.exe	20
PID 2548 wrote to memory of 3060	2548	450db4964978e42ce9403a9dd174586a.exe	20
PID 2548 wrote to memory of 3032	2548	450db4964978e42ce9403a9dd174586a.exe	19
PID 2548 wrote to memory of 3032	2548	450db4964978e42ce9403a9dd174586a.exe	19
PID 2548 wrote to memory of 3032	2548	450db4964978e42ce9403a9dd174586a.exe	19
PID 2548 wrote to memory of 3032	2548	450db4964978e42ce9403a9dd174586a.exe	19
PID 3060 wrote to memory of 2692	3060	WindowsProtect.exe	18
PID 3060 wrote to memory of 2692	3060	WindowsProtect.exe	18
PID 3060 wrote to memory of 2692	3060	WindowsProtect.exe	18
PID 3060 wrote to memory of 2692	3060	WindowsProtect.exe	18
PID 2692 wrote to memory of 2132	2692	WScript.exe	34
PID 2692 wrote to memory of 2132	2692	WScript.exe	34
PID 2692 wrote to memory of 2132	2692	WScript.exe	34
PID 2692 wrote to memory of 2132	2692	WScript.exe	34
PID 2132 wrote to memory of 2508	2132	cmd.exe	32
PID 2132 wrote to memory of 2508	2132	cmd.exe	32
PID 2132 wrote to memory of 2508	2132	cmd.exe	32
PID 2132 wrote to memory of 2508	2132	cmd.exe	32
PID 2508 wrote to memory of 2972	2508	reviewWinMonitornetwinref.exe	36
PID 2508 wrote to memory of 2972	2508	reviewWinMonitornetwinref.exe	36
PID 2508 wrote to memory of 2972	2508	reviewWinMonitornetwinref.exe	36
PID 2508 wrote to memory of 1652	2508	reviewWinMonitornetwinref.exe	55
PID 2508 wrote to memory of 1652	2508	reviewWinMonitornetwinref.exe	55
PID 2508 wrote to memory of 1652	2508	reviewWinMonitornetwinref.exe	55
PID 2508 wrote to memory of 2356	2508	reviewWinMonitornetwinref.exe	54
PID 2508 wrote to memory of 2356	2508	reviewWinMonitornetwinref.exe	54
PID 2508 wrote to memory of 2356	2508	reviewWinMonitornetwinref.exe	54
PID 2508 wrote to memory of 1888	2508	reviewWinMonitornetwinref.exe	53
PID 2508 wrote to memory of 1888	2508	reviewWinMonitornetwinref.exe	53
PID 2508 wrote to memory of 1888	2508	reviewWinMonitornetwinref.exe	53
PID 2508 wrote to memory of 2520	2508	reviewWinMonitornetwinref.exe	50
PID 2508 wrote to memory of 2520	2508	reviewWinMonitornetwinref.exe	50
PID 2508 wrote to memory of 2520	2508	reviewWinMonitornetwinref.exe	50
PID 2508 wrote to memory of 784	2508	reviewWinMonitornetwinref.exe	48
PID 2508 wrote to memory of 784	2508	reviewWinMonitornetwinref.exe	48
PID 2508 wrote to memory of 784	2508	reviewWinMonitornetwinref.exe	48
PID 2508 wrote to memory of 1696	2508	reviewWinMonitornetwinref.exe	47
PID 2508 wrote to memory of 1696	2508	reviewWinMonitornetwinref.exe	47
PID 2508 wrote to memory of 1696	2508	reviewWinMonitornetwinref.exe	47
PID 2508 wrote to memory of 2568	2508	reviewWinMonitornetwinref.exe	46
PID 2508 wrote to memory of 2568	2508	reviewWinMonitornetwinref.exe	46
PID 2508 wrote to memory of 2568	2508	reviewWinMonitornetwinref.exe	46
PID 2508 wrote to memory of 1540	2508	reviewWinMonitornetwinref.exe	45
PID 2508 wrote to memory of 1540	2508	reviewWinMonitornetwinref.exe	45
PID 2508 wrote to memory of 1540	2508	reviewWinMonitornetwinref.exe	45
PID 1540 wrote to memory of 1604	1540	cmd.exe	43
PID 1540 wrote to memory of 1604	1540	cmd.exe	43
PID 1540 wrote to memory of 1604	1540	cmd.exe	43
PID 1540 wrote to memory of 1448	1540	cmd.exe	42
PID 1540 wrote to memory of 1448	1540	cmd.exe	42
PID 1540 wrote to memory of 1448	1540	cmd.exe	42
PID 1540 wrote to memory of 1960	1540	cmd.exe	56
PID 1540 wrote to memory of 1960	1540	cmd.exe	56
PID 1540 wrote to memory of 1960	1540	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\450db4964978e42ce9403a9dd174586a.exe
"C:\Users\Admin\AppData\Local\Temp\450db4964978e42ce9403a9dd174586a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt
  2⤵
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\WindowsProtect.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsProtect.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\reviewWinMonitornet\eBsNFS4M1Cr6.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\reviewWinMonitornet\bd5em.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2132

C:\reviewWinMonitornet\reviewWinMonitornetwinref.exe
"C:\reviewWinMonitornet\reviewWinMonitornetwinref.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\smss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pyyffD4phY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Documents and Settings\cmd.exe
    "C:\Documents and Settings\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\bthpanapi\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2568
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\mmci\services.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1696
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\sxsstore\lsass.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:784
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2520
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Documents and Settings\cmd.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1888
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "notepad" /sc ONLOGON /tr "'C:\ProgramData\Desktop\notepad.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2356
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "notepad" /sc ONLOGON /tr "'C:\Windows\SysWOW64\iertutil\notepad.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1652

C:\Windows\system32\PING.EXE
ping -n 5 localhost
1⤵
- Runs ping.exe
PID:1448

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsProtect.exe

Filesize
92KB

MD5
2aed467eb8624d3d8c58fbb4659d1b6e

SHA1
c7d914adcb360159a5a0e6d381a032bd66ee16bf

SHA256
b53f4d9ad9877e4fd8900dd373d3b0432f39e2c47fffa4f839fcdad9eb8c4203

SHA512
a4f3ce761962c122546893e9fdf326d559e26411b382a027ff6e33d0bde76041160f6057f1bb0a691e83de0ca3287c6594e9574a6ece4b263f34155e5659093c

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsProtect.exe

Filesize
94KB

MD5
87da953cce38a09783042b5addcd2c3d

SHA1
d2408a017ace3539af647f53ee5bfc00ea573715

SHA256
a740975051a93732c371e370ccd52b610c5ea55d3f1656616bf77c1a6ce3d48b

SHA512
b86d1237393db9f7ca94b35ae9edc4bc81f8ee639dfbc726843d66fafeba083f161989560526a2886ff0a57569716bba401a1e609544ad399b9d9cbe066a0e98

Download Submit
memory/1960-54-0x0000000001380000-0x000000000142A000-memory.dmp

Filesize
680KB

Download
memory/1960-55-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1960-56-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/1960-57-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/2508-26-0x0000000001170000-0x000000000121A000-memory.dmp

Filesize
680KB

Download
memory/2508-27-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2508-28-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2508-50-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-1-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-2-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/2548-12-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-0-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download