dcrat | a3c2b70ef27805fbc7eaf588860f68000b7060b253817331db53b30dd77bc440

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 10:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

56452dc78822885d0a2512783227f1dd.exe
Size

1.6MB
MD5

56452dc78822885d0a2512783227f1dd
SHA1

25f44f44a36aeba660e5d919d54078d722635b68
SHA256

a3c2b70ef27805fbc7eaf588860f68000b7060b253817331db53b30dd77bc440
SHA512

b281bdf4835ebf7a80ce308ef96e62ed0039b2deb74ae552653d3642b50e135fa004553c1897c76e8958633531c1834580b02246b48a1888292b4ba071b7ca9d
SSDEEP

24576:I2G/nvxW3WcQdm0INy7ki6HAYWbNAtjrpMlcOV+3xNFTG+FWx+4S:IbA3IwC7h6HIAtltxDG+JJ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000015cfe-11.dat	dcrat
behavioral1/files/0x0009000000015cfe-9.dat	dcrat
behavioral1/files/0x0009000000015cfe-12.dat	dcrat
behavioral1/memory/2572-13-0x00000000010C0000-0x00000000011F4000-memory.dmp	dcrat
behavioral1/memory/1204-35-0x0000000000F20000-0x0000000001054000-memory.dmp	dcrat
behavioral1/memory/1204-37-0x000000001B1E0000-0x000000001B260000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2572	reviewhostperfCommonfonthostperf.exe
1204	wininit.exe

Loads dropped DLL 1 IoCs

pid	Process
2796	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\WinSyncProviders\wininit.exe	reviewhostperfCommonfonthostperf.exe
File opened for modification	C:\Windows\System32\WinSyncProviders\wininit.exe	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\WinSyncProviders\560854153607923c4c5f107085a7db67be01f252	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\rdpcore\wininit.exe	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\rdpcore\560854153607923c4c5f107085a7db67be01f252	reviewhostperfCommonfonthostperf.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe	reviewhostperfCommonfonthostperf.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\6ccacd8608530fba3a93e87ae2225c7032aa18c1	reviewhostperfCommonfonthostperf.exe
File created	C:\Program Files\Windows Media Player\es-ES\wininit.exe	reviewhostperfCommonfonthostperf.exe
File created	C:\Program Files\Windows Media Player\es-ES\560854153607923c4c5f107085a7db67be01f252	reviewhostperfCommonfonthostperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2616	schtasks.exe
2748	schtasks.exe
2496	schtasks.exe
2432	schtasks.exe
2692	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2420	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	reviewhostperfCommonfonthostperf.exe
1204	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	reviewhostperfCommonfonthostperf.exe
Token: SeDebugPrivilege	1204	wininit.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2844	1364	56452dc78822885d0a2512783227f1dd.exe	28
PID 1364 wrote to memory of 2844	1364	56452dc78822885d0a2512783227f1dd.exe	28
PID 1364 wrote to memory of 2844	1364	56452dc78822885d0a2512783227f1dd.exe	28
PID 1364 wrote to memory of 2844	1364	56452dc78822885d0a2512783227f1dd.exe	28
PID 2844 wrote to memory of 2796	2844	WScript.exe	29
PID 2844 wrote to memory of 2796	2844	WScript.exe	29
PID 2844 wrote to memory of 2796	2844	WScript.exe	29
PID 2844 wrote to memory of 2796	2844	WScript.exe	29
PID 2796 wrote to memory of 2572	2796	cmd.exe	31
PID 2796 wrote to memory of 2572	2796	cmd.exe	31
PID 2796 wrote to memory of 2572	2796	cmd.exe	31
PID 2796 wrote to memory of 2572	2796	cmd.exe	31
PID 2572 wrote to memory of 2616	2572	reviewhostperfCommonfonthostperf.exe	34
PID 2572 wrote to memory of 2616	2572	reviewhostperfCommonfonthostperf.exe	34
PID 2572 wrote to memory of 2616	2572	reviewhostperfCommonfonthostperf.exe	34
PID 2572 wrote to memory of 2692	2572	reviewhostperfCommonfonthostperf.exe	46
PID 2572 wrote to memory of 2692	2572	reviewhostperfCommonfonthostperf.exe	46
PID 2572 wrote to memory of 2692	2572	reviewhostperfCommonfonthostperf.exe	46
PID 2572 wrote to memory of 2432	2572	reviewhostperfCommonfonthostperf.exe	45
PID 2572 wrote to memory of 2432	2572	reviewhostperfCommonfonthostperf.exe	45
PID 2572 wrote to memory of 2432	2572	reviewhostperfCommonfonthostperf.exe	45
PID 2572 wrote to memory of 2496	2572	reviewhostperfCommonfonthostperf.exe	44
PID 2572 wrote to memory of 2496	2572	reviewhostperfCommonfonthostperf.exe	44
PID 2572 wrote to memory of 2496	2572	reviewhostperfCommonfonthostperf.exe	44
PID 2572 wrote to memory of 2748	2572	reviewhostperfCommonfonthostperf.exe	43
PID 2572 wrote to memory of 2748	2572	reviewhostperfCommonfonthostperf.exe	43
PID 2572 wrote to memory of 2748	2572	reviewhostperfCommonfonthostperf.exe	43
PID 2572 wrote to memory of 2904	2572	reviewhostperfCommonfonthostperf.exe	42
PID 2572 wrote to memory of 2904	2572	reviewhostperfCommonfonthostperf.exe	42
PID 2572 wrote to memory of 2904	2572	reviewhostperfCommonfonthostperf.exe	42
PID 2904 wrote to memory of 1992	2904	cmd.exe	40
PID 2904 wrote to memory of 1992	2904	cmd.exe	40
PID 2904 wrote to memory of 1992	2904	cmd.exe	40
PID 2904 wrote to memory of 2420	2904	cmd.exe	39
PID 2904 wrote to memory of 2420	2904	cmd.exe	39
PID 2904 wrote to memory of 2420	2904	cmd.exe	39
PID 2904 wrote to memory of 1204	2904	cmd.exe	47
PID 2904 wrote to memory of 1204	2904	cmd.exe	47
PID 2904 wrote to memory of 1204	2904	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\56452dc78822885d0a2512783227f1dd.exe
"C:\Users\Admin\AppData\Local\Temp\56452dc78822885d0a2512783227f1dd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewhostperfCommon\vQAgT2wcLkn.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\reviewhostperfCommon\kPEri9B5nQhmZuDpCB.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\reviewhostperfCommon\reviewhostperfCommonfonthostperf.exe
      "C:\reviewhostperfCommon\reviewhostperfCommonfonthostperf.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\WinSyncProviders\wininit.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qyabxECyC7.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Program Files\Windows Media Player\es-ES\wininit.exe
        
        "C:\Program Files\Windows Media Player\es-ES\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2748
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\rdpcore\wininit.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2496
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\wininit.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2432
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2692

C:\Windows\system32\PING.EXE
ping -n 5 localhost
1⤵
- Runs ping.exe
PID:2420

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\reviewhostperfCommon\kPEri9B5nQhmZuDpCB.bat

Filesize
62B

MD5
a48389bde68f6d990898fc9a495edf8a

SHA1
ce74da6d64b009f27dc7ed8f0377881f5c7a716f

SHA256
186d091773a7cebbb5aa0a213d8ed96faeb5e714f7242e97f19ebe61baac9e7a

SHA512
41ec3e7d778beacfcbdbdb5fe3fd22a84fd9c109dd5741f5526dc938cc8a66f304016ccdb66eeebccbbbc01c11c818ac3699945676c3af3c10d1c0c85d384da9

Download Submit
C:\reviewhostperfCommon\reviewhostperfCommonfonthostperf.exe

Filesize
331KB

MD5
b3c4e17e0cc6eca476dbc2473687e7bc

SHA1
90d7d4399dd9ca8e34fcd8fbfc5ef01423be9753

SHA256
16e446ebc1692f48865f3b2ce5097c86476f601578326861fd3aae2417873af3

SHA512
dfc11df34b02c420e9bf10ef5988e515db7e54fc901bc24fdd708284508b96abb8bd9d0b012922e9b349170bd9704fc22aa38123493cd0b4848db79ebea0504e

Download Submit
C:\reviewhostperfCommon\reviewhostperfCommonfonthostperf.exe

Filesize
96KB

MD5
ec23c90eb6102cc4d6ebc7c600847372

SHA1
3a0e207a05e778b9403742e8b23436de9f6a6b94

SHA256
908ecff80349cef838fb72981ce9fa7630a155d0710a1b0446aec31cd46668be

SHA512
30cffd96b6384f0776f59428d5bb1467488a52bb2f051451989707075100ae42275c796c873fbcaf1a72e0a24dba09836594dc2916cfca1d2199af0623361a41

Download Submit
C:\reviewhostperfCommon\vQAgT2wcLkn.vbe

Filesize
215B

MD5
8bbffc54f76d877b85a862d4d8c31d46

SHA1
de9514cbd5f272d4e38eff043dadeb5bfd0f5deb

SHA256
064700c9dc9db339fa6664762ad7c74068131c1a197c1e719a032612c36d252e

SHA512
ed16d49c8533350d11bb32d343bd83fc96565c97b3e3faa5a6f6d6c90a85e185c7b7247c716d147e21fc351d765044260c17ae16799afd59a6b3426d1dd2dd4d

Download Submit
\reviewhostperfCommon\reviewhostperfCommonfonthostperf.exe

Filesize
384KB

MD5
15b1c48a965731a06d14240d2306724f

SHA1
4feedef1e5166eb4fdaffa43a0330774c65fa64b

SHA256
a0b4ba73ee529929490e2cda02e6c474e53e8f26a5c1be51ab9e36cd31ab9e81

SHA512
2e5f486c21baab2246a6d098efed721dafde0226026ff0a52430fbaaa7e9f9b17d02cf10735f1a68a8eb180239b589d8d39ec2822538c130bb1f7811ed921e59

Download Submit
memory/1204-35-0x0000000000F20000-0x0000000001054000-memory.dmp

Filesize
1.2MB

Download
memory/1204-36-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1204-37-0x000000001B1E0000-0x000000001B260000-memory.dmp

Filesize
512KB

Download
memory/1204-38-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1204-39-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-14-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-15-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/2572-31-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-13-0x00000000010C0000-0x00000000011F4000-memory.dmp

Filesize
1.2MB

Download