Overview

overview

10

Static

static

10

DCRatBuild.exe

windows7-x64

10

DCRatBuild.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    26/05/2024, 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.7MB

  • MD5

    2b8c0e5a38a065f3dadb659cf1e71bc8

  • SHA1

    314cc5b791911185d67c6bc558fe8e376f2b83f4

  • SHA256

    5da69a712a8b80d139165692c4fa4c002370e609bb1b5a4a22e2abb55f7571ca

  • SHA512

    fd20f911e02122f9d8b1b15688455799d66377be4dccfde6b7e6fb41748bc3342b889984697d96086c9ccd35c945f5089ed5ce3fb18e3808da61e261b09298d4

  • SSDEEP

    24576:U2G/nvxW3Ww0tBm1k+lGhdCg0MWe0dZ1roO+Lftnln/DQhwdReG8+wnoSHIPlr:UbA30BGkPQgqdLYFsAReGUhol

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portSurrogateDhcp\yq8opXrx.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\portSurrogateDhcp\I8GW14sKhzW7q6q04x1rFcYIygVpL.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\portSurrogateDhcp\surrogatebrowserRuntime.exe
          "C:\portSurrogateDhcp\surrogatebrowserRuntime.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2652
          • C:\portSurrogateDhcp\taskhost.exe
            "C:\portSurrogateDhcp\taskhost.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\portSurrogateDhcp\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\portSurrogateDhcp\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\portSurrogateDhcp\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1676
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\portSurrogateDhcp\I8GW14sKhzW7q6q04x1rFcYIygVpL.bat
    Filesize

    50B

    MD5

    ece322b75c5e4383a93614451a790b69

    SHA1

    64349dff64838975d5e8f43aca2fc58cdc2d23a4

    SHA256

    ea8a87c2f391ea31733f8940f08438c1c37fe24c48436b2b42172782cf0e80e7

    SHA512

    ecfda4c643834f5afce94eacb2913395ca16979b48934263c0a32f181eac03daea0b469cbefd8bc7808bdd40d3c0c6203251bf2b9afe503dd8d42194f4efbe03

    Download Submit

  • C:\portSurrogateDhcp\yq8opXrx.vbe
    Filesize

    223B

    MD5

    632ed12534a63933a54e87794bdcbde9

    SHA1

    767f1a7d754d9567d6ec9bfd0645c4f02e3bd34c

    SHA256

    7e28ef3bfe89e42a7ffffc01778d85b5d78f7838353b4e21a28652d619f2aadf

    SHA512

    720d93474abb4046ee46c230154341bec17d78bdd35d9dcaf550aff533edd492d76448eaf3959d456e310573d88eb0fd77d2895b6b8d716f07ae1ea9a3121f3a

    Download Submit

  • \portSurrogateDhcp\surrogatebrowserRuntime.exe
    Filesize

    1.4MB

    MD5

    571ab5b678016f479ea48c5270bd6174

    SHA1

    9e92df1fe28497858acba7d0289ff9024a7384c1

    SHA256

    9eb21f43a0f1b4abd717d18aa802239ea37bb179af72136dcc892bd54f46547a

    SHA512

    e70d1d40cca84d4cb7aa991e0cbdde8ac21b02dd0a8291fcbbab3039d64998107ce581c8b5dc31d1144971775b89b5b5e1ebc686c95438f51c7bbc40ef4935c7

    Download Submit

  • memory/2168-34-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2168-33-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2652-16-0x0000000000790000-0x00000000007A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2652-15-0x00000000003D0000-0x00000000003EC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2652-17-0x0000000000570000-0x000000000057A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2652-18-0x00000000007B0000-0x00000000007BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2652-19-0x00000000007C0000-0x00000000007D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2652-20-0x0000000000A90000-0x0000000000A98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2652-21-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2652-14-0x00000000001C0000-0x00000000001CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2652-13-0x0000000000EE0000-0x0000000001056000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2820-32-0x00000000002A0000-0x0000000000416000-memory.dmp

    Filesize

    1.5MB

    Download