dcrat | 326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88

Analysis

max time kernel
122s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2059b153136de16e58e27a8549dac1b5.exe
Size

1.1MB
MD5

2059b153136de16e58e27a8549dac1b5
SHA1

47f7fdbee2c963e63b52cac18bc5b9bed9b7c10c
SHA256

326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88
SHA512

4c2fea8436618c98cae0de3f1cc99dd26de6f84472eba496e49328f9354d3d10adbbb58b6867e35a1047deadd2bf4a9622c7328b7ffc7d1a280bc590015fa50e
SSDEEP

12288:URZ+IoG/n9IQxW3OBseUUT+tcYbDEq7n2lBvR0dWfExtTWmOfcziDi+CUF9q:u2G/nvxW3WieCDHWBvNCtbskUF9q

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2724	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2724	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x002d0000000142b4-12.dat	dcrat
behavioral1/files/0x002d0000000142b4-11.dat	dcrat
behavioral1/files/0x002d0000000142b4-10.dat	dcrat
behavioral1/files/0x002d0000000142b4-9.dat	dcrat
behavioral1/memory/2868-13-0x0000000000F00000-0x0000000000FD6000-memory.dmp	dcrat
behavioral1/files/0x0006000000016426-20.dat	dcrat
behavioral1/files/0x00060000000165c9-33.dat	dcrat
behavioral1/memory/540-37-0x000000001B240000-0x000000001B2C0000-memory.dmp	dcrat
behavioral1/memory/540-34-0x00000000011F0000-0x00000000012C6000-memory.dmp	dcrat
behavioral1/files/0x00060000000165c9-32.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2868	runtimesvc.exe
540	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	cmd.exe
2736	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\runtimesvc.exe	runtimesvc.exe
File created	C:\Program Files\Windows Sidebar\97e9b57c6296f0	runtimesvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe	runtimesvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\c5b4cb5e9653cc	runtimesvc.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\spoolsv.exe	runtimesvc.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\f3b6ecef712a24	runtimesvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2472	schtasks.exe
3000	schtasks.exe
2996	schtasks.exe
2936	schtasks.exe
1976	schtasks.exe
2948	schtasks.exe
2532	schtasks.exe
952	schtasks.exe
2564	schtasks.exe
2656	schtasks.exe
2176	schtasks.exe
1688	schtasks.exe
1388	schtasks.exe
936	schtasks.exe
2620	schtasks.exe
2584	schtasks.exe
2572	schtasks.exe
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2868	runtimesvc.exe
540	lsm.exe
540	lsm.exe
540	lsm.exe
540	lsm.exe
540	lsm.exe
540	lsm.exe
540	lsm.exe
540	lsm.exe
540	lsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
540	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	runtimesvc.exe
Token: SeDebugPrivilege	540	lsm.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2728	848	2059b153136de16e58e27a8549dac1b5.exe	21
PID 848 wrote to memory of 2728	848	2059b153136de16e58e27a8549dac1b5.exe	21
PID 848 wrote to memory of 2728	848	2059b153136de16e58e27a8549dac1b5.exe	21
PID 848 wrote to memory of 2728	848	2059b153136de16e58e27a8549dac1b5.exe	21
PID 2728 wrote to memory of 2736	2728	WScript.exe	30
PID 2728 wrote to memory of 2736	2728	WScript.exe	30
PID 2728 wrote to memory of 2736	2728	WScript.exe	30
PID 2728 wrote to memory of 2736	2728	WScript.exe	30
PID 2736 wrote to memory of 2868	2736	cmd.exe	31
PID 2736 wrote to memory of 2868	2736	cmd.exe	31
PID 2736 wrote to memory of 2868	2736	cmd.exe	31
PID 2736 wrote to memory of 2868	2736	cmd.exe	31
PID 2868 wrote to memory of 540	2868	runtimesvc.exe	49
PID 2868 wrote to memory of 540	2868	runtimesvc.exe	49
PID 2868 wrote to memory of 540	2868	runtimesvc.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2059b153136de16e58e27a8549dac1b5.exe
"C:\Users\Admin\AppData\Local\Temp\2059b153136de16e58e27a8549dac1b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hypersurrogatesavesIntonet\nNwgCkzp4Tu.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\hypersurrogatesavesIntonet\XzEJPxdTk.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\hypersurrogatesavesIntonet\runtimesvc.exe
      "C:\hypersurrogatesavesIntonet\runtimesvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\hypersurrogatesavesIntonet\lsm.exe
        
        "C:\hypersurrogatesavesIntonet\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\hypersurrogatesavesIntonet\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\hypersurrogatesavesIntonet\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\hypersurrogatesavesIntonet\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\runtimesvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Minesweeper\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Minesweeper\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\System.exe

Filesize
132KB

MD5
1b32dc617ecac21f4f6b1f4f993851d6

SHA1
a19e157212d4a2600e1ff912cf30b7efdbdd341c

SHA256
11a97a3034f9e5d637e1e7eb3e4a78d151800d68aa05f96be7166a600e60a47f

SHA512
4b59c17d784802a6588478e8f3b85853d8ac287945689cf275ad6874a7c0ebc49faee992c0d499a31ac3014c2eccc6248b2b97385b6ffae626c03ca7cc0a5f9c

Download Submit
C:\hypersurrogatesavesIntonet\XzEJPxdTk.bat

Filesize
46B

MD5
ccbd5a0fde012049bf4e8b28566ca30e

SHA1
8df48a4a6319201e65fcc50925d0eb9f505fa949

SHA256
dd75a7f5f37127d0dfbfb6fac014b6345e318ec09197b42a32930fe902a38bcd

SHA512
ee34c5e259c8593eee2730d5f2e263fde14f70c47404b7743fea15ced052817f98daea57e1bd46f6fd2a98f4a12f02a85f39402d112d46053d77692732510baf

Download Submit
C:\hypersurrogatesavesIntonet\lsm.exe

Filesize
330KB

MD5
29bc30c95c16362a2015c34731773223

SHA1
21bbfae3d801b79fd26585f5816192173efbe1af

SHA256
acdb9565b84f4500bb225c32a840d93e441ffcae753844ef2cd4f93785ea2eab

SHA512
138e81dac6ec1cf8e4efaddc188ff5a89eebd45992dad198f0a6ced0d491925fcde90816d9717a9b5c527cbc05e89593c357b394cb19cf87d7bd9506d0e913b2

Download Submit
C:\hypersurrogatesavesIntonet\lsm.exe

Filesize
32KB

MD5
d6fb11d9141b3e923423b489fab30cb6

SHA1
588b45b6b13a6b33a05948e5547893809b8ef802

SHA256
380dc89230eee0f7c3b0e189c3c72db3951980452680ae4924b223e6353a5e1e

SHA512
02053f0dc58845d7ee50868336cd0a0e750317e7b5099a3bbe2a1b7cdef4abd864499dc472b94a927fca9d6b350b5c94337c05cc399bd53b3c2b84c78ce6e145

Download Submit
C:\hypersurrogatesavesIntonet\nNwgCkzp4Tu.vbe

Filesize
212B

MD5
8671b76c7387f72afcf00a18a32c3cbd

SHA1
6e4d2251cfca5b7673e0419703aaef91c4329210

SHA256
b5d7aa554ff2815f7b664ec2b777944acef1438987876cb55183378059e18a32

SHA512
0c096f044ce9bc7f75a691ce5b51f30ed8fbf1d559ae5ce5c30a08d9f1a9060cefd56029829c82fbc7c0a296dddb41f02dd912aae3e38e0615e273bf601a3b48

Download Submit
C:\hypersurrogatesavesIntonet\runtimesvc.exe

Filesize
301KB

MD5
ee66b148b5888a115fdda557789bafb1

SHA1
87ae47e4b3aa7545adaabf7cf67c9ae8be4cf214

SHA256
979fbec9035cdb3f3839707b6b08110ff39cd8c1df200ea9f036140aa67fa126

SHA512
e79a10f0a86431340121643305d58d6aa85da38a394c67489ed00520c4d66902af2f384cea8a38d97daba7786f369ec224bb439057318d62be54e03d35648c1b

Download Submit
C:\hypersurrogatesavesIntonet\runtimesvc.exe

Filesize
354KB

MD5
ee72bca361ebbcd04f4eb89ee4e2d773

SHA1
8a88b6a5b1227d10703a2d075725ee6ac2c9cc85

SHA256
188947ae653839cdf712e965346f37983dcdb7a498131821faf8968908be2555

SHA512
d60d296e5abf1b635007142e578bc9c15a81bcb94d48f5ce6db594acff1a18e5530e3d3e943055a406966e851e5c688e9e89ff2c6f294d1b6cc6eed410ec71d3

Download Submit
\hypersurrogatesavesIntonet\runtimesvc.exe

Filesize
379KB

MD5
1fe7161ed5cac438a5b8a12ff7b51aaf

SHA1
a36bba4611a9b89d5a74cc4bb6ef90773940aa3e

SHA256
3625fe0ac03fcd8707004f9ca072ed06df57b8dceda94328ce06b8f3599aaf9c

SHA512
bbd93b911ce7e9b5c281b6aeb1968cb0bb27b6e9ddecb8186db13b2378146542b66fbf7d3eef6cfe1fb9a86786cb6a570991275bcb0e11069abb241fb0eea1d3

Download Submit
\hypersurrogatesavesIntonet\runtimesvc.exe

Filesize
532KB

MD5
40b748665e910599b1c6d76af1316ce8

SHA1
ad75960791c2a3f2ca7daec3fcd314159de34a26

SHA256
82d19876e5e39b4bf63d7f81016577be6587b0c982bb4c1ae4827dd3814493b4

SHA512
c41d2aec14566c3ee800602c9a36ca6ec37d010568311cbe38ea4383b426eb24e32cbcd99ca27bd0af196bcc55ae5cdcec4419277d485adc1221daf3c83c3c07

Download Submit
memory/540-37-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/540-35-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/540-34-0x00000000011F0000-0x00000000012C6000-memory.dmp

Filesize
856KB

Download
memory/540-38-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/540-39-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/2868-15-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2868-14-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-36-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-13-0x0000000000F00000-0x0000000000FD6000-memory.dmp

Filesize
856KB

Download