dcrat | 82c160832568258001ad498291a7c3b6f0500bdd1f93153d8ae1b0e3b9033e44

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c5beacf795033142fa3ed081ada1b30.exe
Size

1.2MB
MD5

1c5beacf795033142fa3ed081ada1b30
SHA1

2e38208dfd2bf4b52e82359cd5101d08667e5b4c
SHA256

82c160832568258001ad498291a7c3b6f0500bdd1f93153d8ae1b0e3b9033e44
SHA512

42540ac45358cbaf44d7148dd6f64dc9cd45ccdcf50b3550c1c02eb9e2e1098f05d92f3630abdee4e6d9bed35c389768e98680fd7a406a7d35c09abe5f8e7634
SSDEEP

24576:Rm0INy7ki6HAYWbNAtjrpMlcOV+3xNFTG+FWx+4:MC7h6HIAtltxDG+J

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2880-0-0x0000000001350000-0x0000000001484000-memory.dmp	dcrat
behavioral1/files/0x00060000000165e4-11.dat	dcrat
behavioral1/memory/2880-16-0x000000001B150000-0x000000001B1D0000-memory.dmp	dcrat
behavioral1/files/0x000900000001624f-24.dat	dcrat
behavioral1/files/0x000900000001624f-25.dat	dcrat
behavioral1/memory/1468-26-0x0000000000890000-0x00000000009C4000-memory.dmp	dcrat
behavioral1/memory/1468-29-0x000000001B290000-0x000000001B310000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1468	csrss.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\msports\\lsm.exe\""	1c5beacf795033142fa3ed081ada1b30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\msafd\\csrss.exe\""	1c5beacf795033142fa3ed081ada1b30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\ProgramData\\Start Menu\\System.exe\""	1c5beacf795033142fa3ed081ada1b30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\\lsm.exe\""	1c5beacf795033142fa3ed081ada1b30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\""	1c5beacf795033142fa3ed081ada1b30.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\msports\lsm.exe	1c5beacf795033142fa3ed081ada1b30.exe
File created	C:\Windows\System32\msports\101b941d020240259ca4912829b53995ad543df6	1c5beacf795033142fa3ed081ada1b30.exe
File created	C:\Windows\System32\msafd\csrss.exe	1c5beacf795033142fa3ed081ada1b30.exe
File created	C:\Windows\System32\msafd\886983d96e3d3e31032c679b2d4ea91b6c05afef	1c5beacf795033142fa3ed081ada1b30.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	1c5beacf795033142fa3ed081ada1b30.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	1c5beacf795033142fa3ed081ada1b30.exe
File created	C:\Program Files\Mozilla Firefox\fonts\886983d96e3d3e31032c679b2d4ea91b6c05afef	1c5beacf795033142fa3ed081ada1b30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2796	schtasks.exe
2928	schtasks.exe
2632	schtasks.exe
2544	schtasks.exe
3056	schtasks.exe
2952	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2160	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	1c5beacf795033142fa3ed081ada1b30.exe
1468	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	1c5beacf795033142fa3ed081ada1b30.exe
Token: SeDebugPrivilege	1468	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2952	2880	1c5beacf795033142fa3ed081ada1b30.exe	30
PID 2880 wrote to memory of 2952	2880	1c5beacf795033142fa3ed081ada1b30.exe	30
PID 2880 wrote to memory of 2952	2880	1c5beacf795033142fa3ed081ada1b30.exe	30
PID 2880 wrote to memory of 2796	2880	1c5beacf795033142fa3ed081ada1b30.exe	32
PID 2880 wrote to memory of 2796	2880	1c5beacf795033142fa3ed081ada1b30.exe	32
PID 2880 wrote to memory of 2796	2880	1c5beacf795033142fa3ed081ada1b30.exe	32
PID 2880 wrote to memory of 2928	2880	1c5beacf795033142fa3ed081ada1b30.exe	34
PID 2880 wrote to memory of 2928	2880	1c5beacf795033142fa3ed081ada1b30.exe	34
PID 2880 wrote to memory of 2928	2880	1c5beacf795033142fa3ed081ada1b30.exe	34
PID 2880 wrote to memory of 2632	2880	1c5beacf795033142fa3ed081ada1b30.exe	35
PID 2880 wrote to memory of 2632	2880	1c5beacf795033142fa3ed081ada1b30.exe	35
PID 2880 wrote to memory of 2632	2880	1c5beacf795033142fa3ed081ada1b30.exe	35
PID 2880 wrote to memory of 2544	2880	1c5beacf795033142fa3ed081ada1b30.exe	37
PID 2880 wrote to memory of 2544	2880	1c5beacf795033142fa3ed081ada1b30.exe	37
PID 2880 wrote to memory of 2544	2880	1c5beacf795033142fa3ed081ada1b30.exe	37
PID 2880 wrote to memory of 3056	2880	1c5beacf795033142fa3ed081ada1b30.exe	39
PID 2880 wrote to memory of 3056	2880	1c5beacf795033142fa3ed081ada1b30.exe	39
PID 2880 wrote to memory of 3056	2880	1c5beacf795033142fa3ed081ada1b30.exe	39
PID 2880 wrote to memory of 3008	2880	1c5beacf795033142fa3ed081ada1b30.exe	41
PID 2880 wrote to memory of 3008	2880	1c5beacf795033142fa3ed081ada1b30.exe	41
PID 2880 wrote to memory of 3008	2880	1c5beacf795033142fa3ed081ada1b30.exe	41
PID 3008 wrote to memory of 1084	3008	cmd.exe	43
PID 3008 wrote to memory of 1084	3008	cmd.exe	43
PID 3008 wrote to memory of 1084	3008	cmd.exe	43
PID 3008 wrote to memory of 2160	3008	cmd.exe	45
PID 3008 wrote to memory of 2160	3008	cmd.exe	45
PID 3008 wrote to memory of 2160	3008	cmd.exe	45
PID 3008 wrote to memory of 1468	3008	cmd.exe	47
PID 3008 wrote to memory of 1468	3008	cmd.exe	47
PID 3008 wrote to memory of 1468	3008	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1c5beacf795033142fa3ed081ada1b30.exe
"C:\Users\Admin\AppData\Local\Temp\1c5beacf795033142fa3ed081ada1b30.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2952
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\msports\lsm.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2796
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\msafd\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2928
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\System.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2632
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\lsm.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2544
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UzziNQiyce.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1084
- - C:\Windows\system32\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:2160
- - C:\Windows\System32\msafd\csrss.exe
    "C:\Windows\System32\msafd\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\lsm.exe

Filesize
369KB

MD5
74a83d127f0905d8bbefb67585cab079

SHA1
28d5a8d122403d470478d06afba99e475b91c4c8

SHA256
3daaf2ca438f4639bf99fc5c6e532456247028d94511ccb9411f8e7b9b15ea4e

SHA512
bda69be2997fd1a9c102548f3d938aab26e4250ddcf90482c3b08b7e89d96cae4ee45e724ed35e510ffe00c76be7a6ae91750c8633c97ab69862c2486f318377

Download Submit
C:\Users\Admin\AppData\Local\Temp\UzziNQiyce.bat

Filesize
201B

MD5
1be32c313e389d0444dd88a95e4c5f9f

SHA1
774611aa8a9f00ba48b68e59f96094111a94bf7e

SHA256
4b2b091b4be5ea9ab0b4a5b0d4196299ccb3d4fe354602bc05d7b9dd9f3042dc

SHA512
24564dd9b21bfcd4985cfa717bb39186bbd3a1673189145ce26fdffc476fb5cd12e4decea373fd3b515509545ecb3a249744aa2d0784a91db06c9666517b3015

Download Submit
C:\Windows\System32\msafd\csrss.exe

Filesize
863KB

MD5
9baf31aa751c8d3fb90ee3125ba4c809

SHA1
8a7574e7dfee095dabbd81f28ac97ed46d5c4d48

SHA256
3034f2b259cf5c473f97bf1ad6eefbef5f39e3c8dc19416dc843a049e7dbda00

SHA512
5bc43ca9976b58506b1a2dacacaf606bb8fe2a88b0ef8c6b68d1ba12298c73a40353a5bdfcfbcaaf0add210a1b605ccc86e4cc10365e3bc650b356a9bc60e913

Download Submit
C:\Windows\System32\msafd\csrss.exe

Filesize
716KB

MD5
98e5a952c04c82534796e9016ee04066

SHA1
2287c23e989dc9b186480d2ac3b9dbdbb4bec4b6

SHA256
1a74b99f127e37a4c2da928984c978c67cee031597c11bbb1f713ee1fb5f9c2e

SHA512
f7f0cf2f1446dcf730d81bb71f2decfe53104af52977c217e8c1591b31298ca387ccafc8e6c75d0afa5bbdf72661912505eea985d41709732b1a7bd8ded4cec4

Download Submit
memory/1468-27-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1468-26-0x0000000000890000-0x00000000009C4000-memory.dmp

Filesize
1.2MB

Download
memory/1468-28-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1468-29-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/1468-30-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-16-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/2880-0-0x0000000001350000-0x0000000001484000-memory.dmp

Filesize
1.2MB

Download
memory/2880-22-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-15-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-1-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-2-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download