dcrat | 8df81f1dd45838d93492643da45db3beecf6e3f37bc3a6f5644f94f89d2d7d11

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Size

1.6MB
MD5

8ed351e42a16628f6ed3c2d8c7b46d9f
SHA1

91812e5337d42ace0794b5d85b84205ba460ef22
SHA256

8df81f1dd45838d93492643da45db3beecf6e3f37bc3a6f5644f94f89d2d7d11
SHA512

1b25ad4ea4011d72c6982069e651a5e460c36f562f9af8be395a7f0d2a180a07815e3d20a42e953f7082228c93b34e01c88f54af39cec2aa4bbfae1e7d2e7a39
SSDEEP

49152:utv5FSXcj3BwQI0PKr3OJPiin3qcaif7M4avroP:upSMjRwQIa2ORJ3HaieoP

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2404-1-0x0000000000CE0000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2404-18-0x0000000000CE0000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2584-24-0x0000000002440000-0x0000000002880000-memory.dmp	dcrat
behavioral1/memory/2104-26-0x00000000002C0000-0x0000000000700000-memory.dmp	dcrat
behavioral1/memory/2104-30-0x00000000002C0000-0x0000000000700000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2104	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2584	cmd.exe
2584	cmd.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmci\smss.exe	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created	C:\Windows\SysWOW64\mmci\69ddcba757bf72f7d36c464c71f42baab150b2b9	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created	C:\Windows\SysWOW64\jscript9\winlogon.exe	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created	C:\Windows\SysWOW64\jscript9\cc11b995f2a76da408ea6a601e682e64743153ad	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created	C:\Windows\SysWOW64\adprovider\services.exe	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created	C:\Windows\SysWOW64\wbem\wscenter\WmiPrvSE.exe	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File opened for modification	C:\Windows\SysWOW64\mmci\smss.exe	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created	C:\Windows\SysWOW64\adprovider\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
File created	C:\Windows\SysWOW64\wbem\wscenter\24dbde2999530ef5fd907494bc374d663924116c	8ed351e42a16628f6ed3c2d8c7b46d9f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
2104	WmiPrvSE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2648	schtasks.exe
2260	schtasks.exe
2664	schtasks.exe
2836	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2608	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
2104	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
Token: SeDebugPrivilege	2104	WmiPrvSE.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe
2104	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2260	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	30
PID 2404 wrote to memory of 2260	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	30
PID 2404 wrote to memory of 2260	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	30
PID 2404 wrote to memory of 2260	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	30
PID 2404 wrote to memory of 2664	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	31
PID 2404 wrote to memory of 2664	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	31
PID 2404 wrote to memory of 2664	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	31
PID 2404 wrote to memory of 2664	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	31
PID 2404 wrote to memory of 2648	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	40
PID 2404 wrote to memory of 2648	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	40
PID 2404 wrote to memory of 2648	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	40
PID 2404 wrote to memory of 2648	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	40
PID 2404 wrote to memory of 2836	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	34
PID 2404 wrote to memory of 2836	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	34
PID 2404 wrote to memory of 2836	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	34
PID 2404 wrote to memory of 2836	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	34
PID 2404 wrote to memory of 2584	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	39
PID 2404 wrote to memory of 2584	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	39
PID 2404 wrote to memory of 2584	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	39
PID 2404 wrote to memory of 2584	2404	8ed351e42a16628f6ed3c2d8c7b46d9f.exe	39
PID 2584 wrote to memory of 2576	2584	cmd.exe	38
PID 2584 wrote to memory of 2576	2584	cmd.exe	38
PID 2584 wrote to memory of 2576	2584	cmd.exe	38
PID 2584 wrote to memory of 2576	2584	cmd.exe	38
PID 2584 wrote to memory of 2608	2584	cmd.exe	37
PID 2584 wrote to memory of 2608	2584	cmd.exe	37
PID 2584 wrote to memory of 2608	2584	cmd.exe	37
PID 2584 wrote to memory of 2608	2584	cmd.exe	37
PID 2584 wrote to memory of 2104	2584	cmd.exe	41
PID 2584 wrote to memory of 2104	2584	cmd.exe	41
PID 2584 wrote to memory of 2104	2584	cmd.exe	41
PID 2584 wrote to memory of 2104	2584	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\8ed351e42a16628f6ed3c2d8c7b46d9f.exe
"C:\Users\Admin\AppData\Local\Temp\8ed351e42a16628f6ed3c2d8c7b46d9f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\mmci\smss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2260
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\jscript9\winlogon.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2664
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wscenter\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZST3fM1Kr4.bat"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\wbem\wscenter\WmiPrvSE.exe
    "C:\Windows\System32\wbem\wscenter\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2104
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\adprovider\services.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2648

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
1⤵
- Runs ping.exe
PID:2608

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZST3fM1Kr4.bat

Filesize
212B

MD5
d56f6759ae2b00ce648dcb4f91420435

SHA1
3333c49ccc18f72c7c9c5521472aceb32cc8e417

SHA256
98607acf1a480a715818f516fb74d07d42b5ba04d359247251959390bf9e645f

SHA512
570cda85cea642184e00ae84f716abbe8d5696af527f43a476d9263e66cb1bb86fadf9424e849975b613823f5e37e26cc71e48deae99236d76b7d70243604f3d

Download Submit
C:\Windows\SysWOW64\wbem\wscenter\WmiPrvSE.exe

Filesize
185KB

MD5
6b587f5f482a42a4a55b86fb4842f03e

SHA1
f3d319687a4bc869f1170b95c71c4074ce3e02d6

SHA256
01eb3d927cbfd35765151c2cfc14350262ebc675786451a571c537421d3b9955

SHA512
84f1f406326121e575fb7a47b57f5460a65072b2b9fba9e9aeb7b9561bafe9e0eb271f97118866c9380c5255dfa04bcd15cce6ba213e1587814deceaaf9241dd

Download Submit
C:\Windows\SysWOW64\wbem\wscenter\WmiPrvSE.exe

Filesize
210KB

MD5
1b25a3ae0909e56c16a044412e41a95b

SHA1
8e4e8b47b373223e1ed11467a9fa44a8951eab73

SHA256
f46611c92bd31c04cdb02f1fbc5d1485e13f8d35f6c792a25b7dace61fefbfba

SHA512
96865f3e5b98838bf35bcb6fd845edd70736404d2a749b4dc7ade85360b3d78de1fd0df684a716c2c82af6c6419a9ae6c4bfb366decec105e56f0fd0e438c5ce

Download Submit
\Windows\SysWOW64\wbem\wscenter\WmiPrvSE.exe

Filesize
265KB

MD5
40fb2b7b096cabac7b435b0d397ff8d3

SHA1
f7841d199b672cfaee582ece623cefb7f1737f19

SHA256
050f2bd809868166c85b7a7d2529d0db2be3dd18ac12bd06864a780545f782e6

SHA512
2fba052e29398ea364f4f29483188ea89c9f70bf1fb87400696d7b2a8a07480f23dfadb74dbcbd76e273d34e7533d59a9e786038cd4b147040c41c88148ad01f

Download Submit
\Windows\SysWOW64\wbem\wscenter\WmiPrvSE.exe

Filesize
223KB

MD5
bb676cfe8e4fe978f611dd8ee41e7641

SHA1
8a8ad5e627128fc086412125968dbde11df131c2

SHA256
669e1c59aa0bffd46390ec87624c7401b362d47fbccf23d1980e5a2b66aaa32b

SHA512
d322b33df3a31e320275b98667cbede209fb2799b6aa28c1868da4de56ad874daad8aab4338af59e3c17db1ce1c556ebe77d19909557dd11802b1057daa30812

Download Submit
memory/2104-25-0x00000000002C0000-0x0000000000700000-memory.dmp

Filesize
4.2MB

Download
memory/2104-27-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-26-0x00000000002C0000-0x0000000000700000-memory.dmp

Filesize
4.2MB

Download
memory/2104-28-0x0000000003400000-0x0000000003440000-memory.dmp

Filesize
256KB

Download
memory/2104-31-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-30-0x00000000002C0000-0x0000000000700000-memory.dmp

Filesize
4.2MB

Download
memory/2404-19-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2404-18-0x0000000000CE0000-0x0000000001120000-memory.dmp

Filesize
4.2MB

Download
memory/2404-0-0x0000000000CE0000-0x0000000001120000-memory.dmp

Filesize
4.2MB

Download
memory/2404-3-0x0000000005BD0000-0x0000000005C10000-memory.dmp

Filesize
256KB

Download
memory/2404-1-0x0000000000CE0000-0x0000000001120000-memory.dmp

Filesize
4.2MB

Download
memory/2404-2-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-24-0x0000000002440000-0x0000000002880000-memory.dmp

Filesize
4.2MB

Download