dcrat | 72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
Size

1.5MB
MD5

8ebfb00f97e5120227605496dee1ba2d
SHA1

3c225ff088d0fde20c4f2908363909dcc8efdc8c
SHA256

72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e
SHA512

d9e566c6ca2db028dce7a7ee068bddd86ad2def9a8fe222af4be72e8618f08423b8bd81a9f709bc86c161b63fc9bade35138386d8cc3411a8fe23c5a84ce9328
SSDEEP

24576:U+varIF+BiWM5bL6kxfV1dEX2GEOQpQcHZbEmdOpt6FLW3q9:U4arIcqJLhK2GEFScHD8OA3

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2604	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2604	schtasks.exe	28

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000180000-0x0000000000310000-memory.dmp	dcrat
behavioral1/files/0x00060000000147f1-19.dat	dcrat
behavioral1/memory/2940-35-0x0000000000870000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2940-38-0x000000001AD90000-0x000000001AE10000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2940	lsm.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\fr-FR\winlogon.exe	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
File created	C:\Program Files\Windows Mail\fr-FR\cc11b995f2a76d	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\0a1fd5f707cd16	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\wininit.exe	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
File created	C:\Windows\ShellNew\56085415360792	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2776	schtasks.exe
2828	schtasks.exe
1632	schtasks.exe
2736	schtasks.exe
1236	schtasks.exe
2256	schtasks.exe
2576	schtasks.exe
1844	schtasks.exe
1544	schtasks.exe
2712	schtasks.exe
1452	schtasks.exe
2808	schtasks.exe
2752	schtasks.exe
3048	schtasks.exe
2624	schtasks.exe
2492	schtasks.exe
1532	schtasks.exe
1668	schtasks.exe
1436	schtasks.exe
2672	schtasks.exe
2464	schtasks.exe
2496	schtasks.exe
2968	schtasks.exe
1636	schtasks.exe
2416	schtasks.exe
1764	schtasks.exe
2452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
2940	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
Token: SeDebugPrivilege	2940	lsm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2940	2936	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe	56
PID 2936 wrote to memory of 2940	2936	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe	56
PID 2936 wrote to memory of 2940	2936	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
"C:\Users\Admin\AppData\Local\Temp\72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\lsm.exe
  "C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\fr-FR\winlogon.exe

Filesize
1.5MB

MD5
8ebfb00f97e5120227605496dee1ba2d

SHA1
3c225ff088d0fde20c4f2908363909dcc8efdc8c

SHA256
72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e

SHA512
d9e566c6ca2db028dce7a7ee068bddd86ad2def9a8fe222af4be72e8618f08423b8bd81a9f709bc86c161b63fc9bade35138386d8cc3411a8fe23c5a84ce9328

Download Submit
memory/2936-8-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/2936-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2936-4-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2936-5-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2936-6-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/2936-7-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2936-0-0x0000000000180000-0x0000000000310000-memory.dmp

Filesize
1.6MB

Download
memory/2936-2-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2936-9-0x00000000009F0000-0x00000000009FE000-memory.dmp

Filesize
56KB

Download
memory/2936-10-0x0000000002220000-0x000000000222E000-memory.dmp

Filesize
56KB

Download
memory/2936-36-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-37-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-35-0x0000000000870000-0x0000000000A00000-memory.dmp

Filesize
1.6MB

Download
memory/2940-38-0x000000001AD90000-0x000000001AE10000-memory.dmp

Filesize
512KB

Download
memory/2940-39-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-40-0x000000001AD90000-0x000000001AE10000-memory.dmp

Filesize
512KB

Download
memory/2940-41-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download