dcrat | c4ec5d7b7a9bf60de2c201ebaca15ef8da3590033d4abc42fa402bcd2e5abd79

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-01-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z2DYSM12rQX8EmA4l5Eobd3.exe
Size

1.5MB
MD5

813189503ba0d948993203ca259d5810
SHA1

5553917d633963716eda6954c50a8ff0efd01cfb
SHA256

c4ec5d7b7a9bf60de2c201ebaca15ef8da3590033d4abc42fa402bcd2e5abd79
SHA512

8e46d84b7da61eed6f4b78023ed4b5deefe4324a1e1a985f46ebd496063abb5dc208f4a3008f7761b46cc9decb19846e8ea21c62b3490e6c5fb777a57ac13338
SSDEEP

24576:ceaMajUi+6C+mDjn7gbkFaSH7Wu4mIWGE1Sy/fBEXTHhaTEEER71RM4I13:ceaj9bHmMbkBHVdGE1Sy/ujhaIh+1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2600	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2600	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2600	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2600	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2600	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2600	schtasks.exe	28

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000FA0000-0x000000000112E000-memory.dmp	dcrat
behavioral1/files/0x000a000000012255-29.dat	dcrat
behavioral1/files/0x0005000000019486-36.dat	dcrat
behavioral1/files/0x000c000000012255-48.dat	dcrat
behavioral1/files/0x0005000000019486-57.dat	dcrat
behavioral1/files/0x0005000000019486-58.dat	dcrat
behavioral1/memory/1768-59-0x0000000000090000-0x000000000021E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	z2DYSM12rQX8EmA4l5Eobd3.exe

Executes dropped EXE 1 IoCs

pid	Process
1768	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCX653E.tmp	z2DYSM12rQX8EmA4l5Eobd3.exe
File opened for modification	C:\Program Files\Uninstall Information\explorer.exe	z2DYSM12rQX8EmA4l5Eobd3.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	z2DYSM12rQX8EmA4l5Eobd3.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	z2DYSM12rQX8EmA4l5Eobd3.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX64C0.tmp	z2DYSM12rQX8EmA4l5Eobd3.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system\spoolsv.exe	z2DYSM12rQX8EmA4l5Eobd3.exe
File opened for modification	C:\Windows\system\spoolsv.exe	z2DYSM12rQX8EmA4l5Eobd3.exe
File created	C:\Windows\system\f3b6ecef712a24	z2DYSM12rQX8EmA4l5Eobd3.exe
File opened for modification	C:\Windows\system\RCX61D1.tmp	z2DYSM12rQX8EmA4l5Eobd3.exe
File opened for modification	C:\Windows\system\RCX628D.tmp	z2DYSM12rQX8EmA4l5Eobd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2884	schtasks.exe
2576	schtasks.exe
2624	schtasks.exe
2128	schtasks.exe
2416	schtasks.exe
1824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
2252	z2DYSM12rQX8EmA4l5Eobd3.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	z2DYSM12rQX8EmA4l5Eobd3.exe
Token: SeDebugPrivilege	1768	spoolsv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1768	2252	z2DYSM12rQX8EmA4l5Eobd3.exe	35
PID 2252 wrote to memory of 1768	2252	z2DYSM12rQX8EmA4l5Eobd3.exe	35
PID 2252 wrote to memory of 1768	2252	z2DYSM12rQX8EmA4l5Eobd3.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\z2DYSM12rQX8EmA4l5Eobd3.exe
"C:\Users\Admin\AppData\Local\Temp\z2DYSM12rQX8EmA4l5Eobd3.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\system\spoolsv.exe
  "C:\Windows\system\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\system\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\explorer.exe

Filesize
1.5MB

MD5
d16ae4c3e434b3f89ca6327eff5196f8

SHA1
850b8b39b219c90b650a59ef349c7c7a6f4433c5

SHA256
ab1a988864ef626db0a4b121e390fc6228085aaa5fe7cc562884cdd22c23b19f

SHA512
73d5c3d8eb53b41743f8cc069bdbb37600a7934ca1a2fa53d6e79bb5b039988075c2c10d55fde6fce35023c6ca36c37a2a760506947c1fddf8fc134754b2b40b

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.5MB

MD5
1388b7a63f9144d14750c57dd45b373a

SHA1
ffa085ed18a74ee0983259f5d419d41567ca68cc

SHA256
289f14f229e1019bac613f7fec9f31e7cc5233cd74b1853e90fc778e4b5d79c5

SHA512
85abe9f98f275a1282d98638d2a35e19d9700a9b99e3658e2f5d65bd403b90918c2660b326535b511455737e97b2f86d504e4976b3f6f37495497bc75c458ef2

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
960KB

MD5
4b96ee35e87378674c32cb8de37cf815

SHA1
7441cfc1e9297f90c81cf28a8cae553e6084acdd

SHA256
e023d1e97525d889aa68c23b495ac7f25d28cc91490fba9d0a702b2c8e85399f

SHA512
762e4c638609c2c6ce62bcb6dbdc96b4fb3543cf33ce485313a7b51b3cb9a8ff051619acdefe60b6191134fd76d6773976dc3c13489e6c3da38ec8e862a833ea

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.3MB

MD5
e0e2e52796c6736d1602b3ceb5d91f8f

SHA1
03a1689e02ff0ee824e184ff46d69b9f2653a8bc

SHA256
412543917c1d3757b8a7339a1eecdc05226bc0c340523f5560cc18f6b7294f31

SHA512
b15583a3f214e6aa8cdfa265f8f4d5a9c345e103d74a6482743e3f75dff72fccfed1aad00c07b10368e769908b2fc50b01673273f90a14df460881ebbd14e6ce

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
1.5MB

MD5
813189503ba0d948993203ca259d5810

SHA1
5553917d633963716eda6954c50a8ff0efd01cfb

SHA256
c4ec5d7b7a9bf60de2c201ebaca15ef8da3590033d4abc42fa402bcd2e5abd79

SHA512
8e46d84b7da61eed6f4b78023ed4b5deefe4324a1e1a985f46ebd496063abb5dc208f4a3008f7761b46cc9decb19846e8ea21c62b3490e6c5fb777a57ac13338

Download Submit
memory/1768-73-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-65-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-72-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-71-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-70-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-69-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-68-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-67-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-66-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-74-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-64-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-63-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-62-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-75-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-76-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-60-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-77-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1768-59-0x0000000000090000-0x000000000021E000-memory.dmp

Filesize
1.6MB

Download
memory/1768-78-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-12-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/2252-52-0x0000000000530000-0x00000000005B0000-memory.dmp

Filesize
512KB

Download
memory/2252-39-0x0000000000530000-0x00000000005B0000-memory.dmp

Filesize
512KB

Download
memory/2252-61-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-25-0x0000000000530000-0x00000000005B0000-memory.dmp

Filesize
512KB

Download
memory/2252-17-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2252-16-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2252-15-0x0000000000530000-0x00000000005B0000-memory.dmp

Filesize
512KB

Download
memory/2252-14-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2252-13-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2252-0-0x0000000000FA0000-0x000000000112E000-memory.dmp

Filesize
1.6MB

Download
memory/2252-11-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2252-10-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2252-8-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2252-7-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2252-6-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/2252-5-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2252-4-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/2252-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2252-2-0x0000000000530000-0x00000000005B0000-memory.dmp

Filesize
512KB

Download
memory/2252-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download