dcrat | 94009d1129caa3d7c53557e6f0bc10c546b70389242959cf710ec19b64d66d7a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88d152d4ca2aad8c3aec5567cf9d6962.exe
Size

365KB
MD5

88d152d4ca2aad8c3aec5567cf9d6962
SHA1

d98c4fdccbe6e012803e889a712919c94b279b78
SHA256

94009d1129caa3d7c53557e6f0bc10c546b70389242959cf710ec19b64d66d7a
SHA512

bbf281515abe55d6b4853368dc74d030b62709976ba413b7b8d5c05105d99980eb19a2b1bf128d09c2e77c3331ad83e590a206f840a6afb9d60ec52d606102fb
SSDEEP

6144:Khg8RILtEndj8KoOnBCI9LtzN+4lPkJDuXAuY+DWRNqqDL:KpndjJIan+4lkD0Y+Vqn

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000AC0000-0x0000000000B22000-memory.dmp	dcrat
behavioral1/files/0x00060000000173d2-11.dat	dcrat
behavioral1/memory/632-24-0x0000000001030000-0x0000000001092000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
632	services.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Media\\Sonata\\csrss.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\PerfLogs\\Admin\\sppsvc.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Microsoft Help\\services.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Help\\mui\\0C0A\\dwm.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\audiodg.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Libraries\\services.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\csrss.exe\""	88d152d4ca2aad8c3aec5567cf9d6962.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	88d152d4ca2aad8c3aec5567cf9d6962.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76da408ea6a601e682e64743153ad	88d152d4ca2aad8c3aec5567cf9d6962.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\csrss.exe	88d152d4ca2aad8c3aec5567cf9d6962.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\886983d96e3d3e31032c679b2d4ea91b6c05afef	88d152d4ca2aad8c3aec5567cf9d6962.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\audiodg.exe	88d152d4ca2aad8c3aec5567cf9d6962.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af	88d152d4ca2aad8c3aec5567cf9d6962.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Media\Sonata\csrss.exe	88d152d4ca2aad8c3aec5567cf9d6962.exe
File created	C:\Windows\Media\Sonata\886983d96e3d3e31032c679b2d4ea91b6c05afef	88d152d4ca2aad8c3aec5567cf9d6962.exe
File created	C:\Windows\Help\mui\0C0A\dwm.exe	88d152d4ca2aad8c3aec5567cf9d6962.exe
File created	C:\Windows\Help\mui\0C0A\6cb0b6c459d5d3455a3da700e713f2e2529862ff	88d152d4ca2aad8c3aec5567cf9d6962.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2704	schtasks.exe
2892	schtasks.exe
2628	schtasks.exe
2600	schtasks.exe
1648	schtasks.exe
2796	schtasks.exe
2792	schtasks.exe
1808	schtasks.exe
2560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	88d152d4ca2aad8c3aec5567cf9d6962.exe
632	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe
Token: SeDebugPrivilege	632	services.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2704	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	29
PID 2192 wrote to memory of 2704	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	29
PID 2192 wrote to memory of 2704	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	29
PID 2192 wrote to memory of 2892	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	31
PID 2192 wrote to memory of 2892	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	31
PID 2192 wrote to memory of 2892	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	31
PID 2192 wrote to memory of 2796	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	33
PID 2192 wrote to memory of 2796	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	33
PID 2192 wrote to memory of 2796	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	33
PID 2192 wrote to memory of 2792	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	35
PID 2192 wrote to memory of 2792	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	35
PID 2192 wrote to memory of 2792	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	35
PID 2192 wrote to memory of 1808	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	37
PID 2192 wrote to memory of 1808	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	37
PID 2192 wrote to memory of 1808	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	37
PID 2192 wrote to memory of 2560	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	39
PID 2192 wrote to memory of 2560	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	39
PID 2192 wrote to memory of 2560	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	39
PID 2192 wrote to memory of 2628	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	41
PID 2192 wrote to memory of 2628	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	41
PID 2192 wrote to memory of 2628	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	41
PID 2192 wrote to memory of 2600	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	43
PID 2192 wrote to memory of 2600	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	43
PID 2192 wrote to memory of 2600	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	43
PID 2192 wrote to memory of 1648	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	45
PID 2192 wrote to memory of 1648	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	45
PID 2192 wrote to memory of 1648	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	45
PID 2192 wrote to memory of 632	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	47
PID 2192 wrote to memory of 632	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	47
PID 2192 wrote to memory of 632	2192	88d152d4ca2aad8c3aec5567cf9d6962.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88d152d4ca2aad8c3aec5567cf9d6962.exe
"C:\Users\Admin\AppData\Local\Temp\88d152d4ca2aad8c3aec5567cf9d6962.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2704
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2892
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2796
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Help\mui\0C0A\dwm.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2792
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\audiodg.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1808
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Libraries\services.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2560
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2628
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2600
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\services.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1648
- C:\ProgramData\Microsoft Help\services.exe
  "C:\ProgramData\Microsoft Help\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\audiodg.exe

Filesize
365KB

MD5
88d152d4ca2aad8c3aec5567cf9d6962

SHA1
d98c4fdccbe6e012803e889a712919c94b279b78

SHA256
94009d1129caa3d7c53557e6f0bc10c546b70389242959cf710ec19b64d66d7a

SHA512
bbf281515abe55d6b4853368dc74d030b62709976ba413b7b8d5c05105d99980eb19a2b1bf128d09c2e77c3331ad83e590a206f840a6afb9d60ec52d606102fb

Download Submit
memory/632-24-0x0000000001030000-0x0000000001092000-memory.dmp

Filesize
392KB

Download
memory/632-25-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/632-27-0x000000001B1C0000-0x000000001B240000-memory.dmp

Filesize
512KB

Download
memory/632-28-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2192-0-0x0000000000AC0000-0x0000000000B22000-memory.dmp

Filesize
392KB

Download
memory/2192-1-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2192-2-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/2192-26-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download