Analysis
max time kernel: 143s
max time network: 149s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2024, 14:07
Behavioral tasks
behavioral1: Sample DCRatBuild.exe, Resource win7-20240215-en (the run reported below)
behavioral2: Sample DCRatBuild.exe, Resource win10v2004-20240426-en
General
Target: DCRatBuild.exe
Size: 1.7MB
MD5: 2b8c0e5a38a065f3dadb659cf1e71bc8
SHA1: 314cc5b791911185d67c6bc558fe8e376f2b83f4
SHA256: 5da69a712a8b80d139165692c4fa4c002370e609bb1b5a4a22e2abb55f7571ca
SHA512: fd20f911e02122f9d8b1b15688455799d66377be4dccfde6b7e6fb41748bc3342b889984697d96086c9ccd35c945f5089ed5ce3fb18e3808da61e261b09298d4
SSDEEP: 24576:U2G/nvxW3Ww0tBm1k+lGhdCg0MWe0dZ1roO+Lftnln/DQhwdReG8+wnoSHIPlr:UbA30BGkPQgqdLYFsAReGUhol
Malware Config

Signatures

DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
  resource                                                                       yara_rule
  behavioral1/files/0x0007000000016c42-9.dat                                     dcrat
  behavioral1/memory/2652-13-0x0000000000EE0000-0x0000000001056000-memory.dmp    dcrat
  behavioral1/memory/2820-32-0x00000000002A0000-0x0000000000416000-memory.dmp    dcrat
The dropped file and the memory of both dropped executables (surrogatebrowserRuntime.exe, PID 2652, and taskhost.exe, PID 2820) match the dcrat rule.

Process spawned unexpected child process  6 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the unexpected parent is WmiPrvSE.exe, the WMI provider host, which is the parent recorded when a process is started through WMI (Win32_Process.Create); six schtasks.exe launches from it are consistent with the dropper registering its tasks via WMI rather than with an exploited parent.
  description                                                                            pid   pid_target  Process       procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process     2476  2444        schtasks.exe  32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process     2432  2444        schtasks.exe  32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process     2472  2444        schtasks.exe  32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process     2952  2444        schtasks.exe  32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process     3000  2444        schtasks.exe  32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process     1676  2444        schtasks.exe  32

UAC bypass (listed for both dropped executables in the process tree below)
  description      ioc                                                                                                      Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       surrogatebrowserRuntime.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   taskhost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  taskhost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       taskhost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   surrogatebrowserRuntime.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  surrogatebrowserRuntime.exe
Setting all three values to 0 disables UAC (EnableLUA), lets administrators elevate without any prompt (ConsentPromptBehaviorAdmin) and removes the secure desktop from whatever prompts remain (PromptOnSecureDesktop); EnableLUA only takes full effect after the next reboot.
Executes dropped EXE  2 IoCs
  pid   Process
  2652  surrogatebrowserRuntime.exe
  2820  taskhost.exe

Loads dropped DLL  2 IoCs
  pid   Process
  2620  cmd.exe
  2620  cmd.exe

Checks whether UAC is enabled (listed for both dropped executables in the process tree below)
  description        ioc                                                                                       Process
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  surrogatebrowserRuntime.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        taskhost.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  taskhost.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        surrogatebrowserRuntime.exe

Drops file in Windows directory  3 IoCs
  description                   ioc                                                Process
  File created                  C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe      surrogatebrowserRuntime.exe
  File opened for modification  C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe      surrogatebrowserRuntime.exe
  File created                  C:\Windows\PolicyDefinitions\ja-JP\0a1fd5f707cd16  surrogatebrowserRuntime.exe
Creating files under C:\Windows\PolicyDefinitions requires an elevated token, so surrogatebrowserRuntime.exe already held administrative rights when it staged sppsvc.exe there.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s)  1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2476  schtasks.exe
  2432  schtasks.exe
  2472  schtasks.exe
  2952  schtasks.exe
  3000  schtasks.exe
  1676  schtasks.exe
Suspicious behavior: EnumeratesProcesses  18 IoCs
  pid   Process
  2652  surrogatebrowserRuntime.exe  (1 entry)
  2820  taskhost.exe                 (9 entries)
  2168  taskmgr.exe                  (8 entries)

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  pid   Process
  2820  taskhost.exe

Suspicious use of AdjustPrivilegeToken  3 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2652  surrogatebrowserRuntime.exe
  Token: SeDebugPrivilege  2820  taskhost.exe
  Token: SeDebugPrivilege  2168  taskmgr.exe

Suspicious use of FindShellTrayWindow  34 IoCs
  pid   Process
  2168  taskmgr.exe  (34 entries)

Suspicious use of SendNotifyMessage  34 IoCs
  pid   Process
  2168  taskmgr.exe  (34 entries)
taskmgr.exe (2168) is the Windows Task Manager; the report does not show what started it, and its FindShellTrayWindow, SendNotifyMessage and process-enumeration hits are ordinary Task Manager UI behaviour rather than evidence against the sample.

Suspicious use of WriteProcessMemory  15 IoCs
  description                        pid   Process                      procid_target
  PID 2920 wrote to memory of 2504   2920  DCRatBuild.exe               28  (4 entries)
  PID 2504 wrote to memory of 2620   2504  WScript.exe                  29  (4 entries)
  PID 2620 wrote to memory of 2652   2620  cmd.exe                      31  (4 entries)
  PID 2652 wrote to memory of 2820   2652  surrogatebrowserRuntime.exe  39  (3 entries)

System policy modification  1 TTPs 6 IoCs
  description      ioc                                                                                                      Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   surrogatebrowserRuntime.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  surrogatebrowserRuntime.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       surrogatebrowserRuntime.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   taskhost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  taskhost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       taskhost.exe
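As an added example (not part of this report, and not DcRat's or the sandbox's code), the following Python turns the registry tables above (UAC bypass, Checks whether UAC is enabled, System policy modification) into a detection: it parses set-value and key-queried lines in the shape the report prints, groups the writes per process, and reports any process that switches the three UAC values off. The event lines are transcribed from those tables plus two constructed controls; the line format, the per-value thresholds and the function and field names are assumptions.

```python
"""Flag processes that switch UAC off through the Policies\\System registry key.

Added example, not part of the sandbox report or of DcRat itself.  The event
lines below are transcribed from the report's registry tables (plus two
constructed controls); the line format, thresholds and names are assumptions.
"""
import re
from collections import defaultdict

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# 0 is the weakest setting each of these values allows (defaults on Windows 7
# and later: EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1).
# All three at 0 means no prompt and, after a reboot, no UAC at all.
UAC_OFF_VALUES = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}

# Line shapes as printed in the report's tables (assumed stable).
SET_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\[^ ]+)\\(?P<name>[^\\ ]+) = "(?P<value>-?\d+)" (?P<process>\S+)$')
QUERY_RE = re.compile(
    r'^Key value queried (?P<key>\\REGISTRY\\[^ ]+)\\(?P<name>[^\\ ]+) (?P<process>\S+)$')

SAMPLE_EVENTS = [
    # Transcribed from the report's "UAC bypass" table.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" surrogatebrowserRuntime.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" surrogatebrowserRuntime.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" surrogatebrowserRuntime.exe',
    # Transcribed from the report's "Checks whether UAC is enabled" table.
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskhost.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA surrogatebrowserRuntime.exe',
    # Constructed control: a hardening change (consent prompt on the secure desktop) that must not fire.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" hardening-example.exe',
    # Constructed control: the same value name under an unrelated key.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Example\EnableLUA = "0" unrelated-example.exe',
]


def parse_event(line):
    """Parse one table line into a dict, or return None for lines of another shape."""
    m = SET_RE.match(line)
    if m:
        return {"op": "set", "key": m["key"], "name": m["name"],
                "value": int(m["value"]), "process": m["process"]}
    m = QUERY_RE.match(line)
    if m:
        return {"op": "query", "key": m["key"], "name": m["name"], "process": m["process"]}
    return None


def analyze(lines):
    """Group UAC policy writes by process and report every process that switches UAC off."""
    writes = defaultdict(dict)   # process -> {value name: value written}
    queried = defaultdict(set)   # process -> value names it read first
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["key"].lower() != UAC_POLICY_KEY.lower():
            continue
        if ev["op"] == "query":
            queried[ev["process"]].add(ev["name"])
        elif ev["name"] in UAC_OFF_VALUES:
            writes[ev["process"]][ev["name"]] = ev["value"]

    findings = []
    for process, values in writes.items():
        tampered = {n: v for n, v in values.items() if v == UAC_OFF_VALUES[n]}
        if not tampered:
            continue
        findings.append({
            "process": process,
            "tampered": tampered,
            "uac_disabled": tampered.get("EnableLUA") == 0,
            "silent_elevation": {"ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"} <= set(tampered),
            "queried_enable_lua": "EnableLUA" in queried[process],
            "attack": "T1548.002",  # Abuse Elevation Control Mechanism: Bypass User Account Control
        })
    return sorted(findings, key=lambda f: f["process"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['process']}: tampered={f['tampered']} uac_disabled={f['uac_disabled']} "
              f"silent_elevation={f['silent_elevation']} ({f['attack']})")
```

The rule keys on the exact weakest value rather than on "lower than default", because a lower ConsentPromptBehaviorAdmin is not always weaker (2 prompts for consent on the secure desktop, which is stricter than the default 5); that is why the constructed hardening write is not reported.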
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation gives process depth. The WScript.exe and cmd.exe images resolve to C:\Windows\SysWOW64 although the command lines name C:\Windows\System32: that is WoW64 file-system redirection, because DCRatBuild.exe is a 32-bit process and therefore gets the 32-bit script host and shell. The six schtasks.exe entries and taskmgr.exe are shown at depth 1 because their parent is not in the tree; for the schtasks.exe entries the signature table above records that parent as C:\Windows\system32\wbem\wmiprvse.exe (PID 2444).

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2920

    C:\Windows\SysWOW64\WScript.exe  (depth 2)
      command line: "C:\Windows\System32\WScript.exe" "C:\portSurrogateDhcp\yq8opXrx.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 2504

        C:\Windows\SysWOW64\cmd.exe  (depth 3)
          command line: cmd /c ""C:\portSurrogateDhcp\I8GW14sKhzW7q6q04x1rFcYIygVpL.bat" "
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2620

            C:\portSurrogateDhcp\surrogatebrowserRuntime.exe  (depth 4)
              command line: "C:\portSurrogateDhcp\surrogatebrowserRuntime.exe"
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 2652

                C:\portSurrogateDhcp\taskhost.exe  (depth 5)
                  command line: "C:\portSurrogateDhcp\taskhost.exe"
                  - UAC bypass
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
                  - System policy modification
                  PID: 2820

The chain is therefore DCRatBuild.exe -> WScript.exe (yq8opXrx.vbe) -> cmd.exe (I8GW14sKhzW7q6q04x1rFcYIygVpL.bat) -> surrogatebrowserRuntime.exe -> taskhost.exe, all staged under C:\portSurrogateDhcp.

C:\Windows\system32\schtasks.exe  (depth 1)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2476

C:\Windows\system32\schtasks.exe  (depth 1)
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2432

C:\Windows\system32\schtasks.exe  (depth 1)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2472

C:\Windows\system32\schtasks.exe  (depth 1)
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\portSurrogateDhcp\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2952

C:\Windows\system32\schtasks.exe  (depth 1)
  command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\portSurrogateDhcp\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3000

C:\Windows\system32\schtasks.exe  (depth 1)
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\portSurrogateDhcp\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1676

Taken together, the six calls register two persistence pairs: sppsvc/sppsvcs for the copy staged as C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe and taskhost/taskhostt for C:\portSurrogateDhcp\taskhost.exe, each with an ONLOGON task at /rl HIGHEST and a MINUTE-interval task that re-launches the binary as a watchdog. The task names imitate the Windows Software Protection service (sppsvc) and task host (taskhost), but the paths are not where those components live. Because every call passes /f, the second "sppsvcs" definition (/mo 5, HIGHEST) replaces the first (/mo 14, no run level) and the second "taskhostt" (/mo 7, HIGHEST) replaces the first (/mo 10), so four tasks survive.

C:\Windows\system32\taskmgr.exe  (depth 1)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2168
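As an added example (not part of the report), the following Python triages the six schtasks.exe /create command lines above together with the parent that issued them: it tokenises the Windows command line, extracts the scheduled binary from /tr, flags the WmiPrvSE.exe parent, the untrusted directory, the borrowed Windows component name, the HIGHEST run level and the MINUTE-interval re-launch loop, and then collapses repeated task names the way schtasks does when /f is passed. The process records are transcribed from the report (the WmiPrvSE.exe parent PID comes from the signature table), with one constructed benign task and the report's taskmgr.exe line as controls; the record layout, the trusted-directory and lookalike-name lists, and all function and flag names are assumptions.

```python
"""Triage `schtasks /create` command lines and the parent that issued them.

Added example, not part of the sandbox report.  Records are transcribed from the
report's process tree (plus constructed controls); the record layout, the
trusted-directory and lookalike-name lists, and all names are assumptions.
"""
import ntpath   # Windows path semantics regardless of the host running this script
import shlex

# schtasks options that take a value; anything else (/create, /f, ...) is a bare switch.
VALUE_OPTIONS = {"/tn", "/sc", "/mo", "/tr", "/rl", "/st", "/ru", "/rp", "/xml"}

# Where a scheduled binary is expected to live (assumption; tune per estate).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Windows component names that droppers reuse for their own files (assumption).
LOOKALIKE_NAMES = {"sppsvc", "taskhost", "taskhostw", "svchost", "csrss", "lsass",
                   "winlogon", "dllhost", "conhost", "explorer"}

# (pid, parent pid, parent image, command line).  The six schtasks lines and their
# WmiPrvSE.exe parent (PID 2444) are from the report; the last two are constructed controls.
PROCESS_EVENTS = [
    (2476, 2444, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /f'''),
    (2432, 2444, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /rl HIGHEST /f'''),
    (2472, 2444, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /rl HIGHEST /f'''),
    (2952, 2444, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\portSurrogateDhcp\taskhost.exe'" /f'''),
    (3000, 2444, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\portSurrogateDhcp\taskhost.exe'" /rl HIGHEST /f'''),
    (1676, 2444, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\portSurrogateDhcp\taskhost.exe'" /rl HIGHEST /f'''),
    # Constructed benign control: an admin shell scheduling a system binary.
    (4100, 4000, r"C:\Windows\System32\cmd.exe",
     r'''schtasks.exe /create /tn "NightlyDefrag" /sc DAILY /st 02:00 /tr "C:\Windows\System32\defrag.exe C: /O" /f'''),
    # Not a schtasks call; the report lists taskmgr.exe without a parent.
    (2168, 0, "", r'''"C:\Windows\system32\taskmgr.exe" /4'''),
]


def parse_schtasks(cmdline):
    """Return the options of a `schtasks /create` command line, or None if it is not one."""
    # posix=False keeps Windows backslashes literal and returns quoted tokens with their quotes.
    tokens = [t.strip('"\'') for t in shlex.split(cmdline, posix=False)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUE_OPTIONS and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    if "/create" not in opts or "/tr" not in opts:
        return None
    # /tr may carry arguments; the executable is its first token (the dropper wraps it in '...').
    target = shlex.split(opts["/tr"], posix=False)[0].strip('"\'')
    return {"task_name": opts.get("/tn", ""), "schedule": opts.get("/sc", "").upper(),
            "modifier": opts.get("/mo"), "run_level": opts.get("/rl", "").upper(),
            "force": "/f" in opts, "target": target}


def triage_event(pid, ppid, parent_image, cmdline):
    """Score one process-creation record; None when it is not a task creation."""
    task = parse_schtasks(cmdline)
    if task is None:
        return None
    flags = []
    if ntpath.basename(parent_image).lower() == "wmiprvse.exe":
        flags.append("wmi_parent")        # started via Win32_Process.Create, not an interactive shell
    if not task["target"].lower().startswith(TRUSTED_DIRS):
        flags.append("untrusted_dir")
    stem = ntpath.splitext(ntpath.basename(task["target"]))[0].lower()
    if stem in LOOKALIKE_NAMES and "untrusted_dir" in flags:
        flags.append("lookalike_name")    # a Windows component name outside its real location
    if task["run_level"] == "HIGHEST":
        flags.append("highest_runlevel")
    if task["schedule"] == "MINUTE":
        flags.append("minute_interval")   # re-launch loop: a watchdog for the implant
    if task["schedule"] == "ONLOGON":
        flags.append("onlogon")
    return {"pid": pid, "ppid": ppid, "parent": parent_image, "flags": flags, **task}


def triage(events):
    return [r for r in (triage_event(*e) for e in events) if r is not None]


def effective_tasks(results):
    """Collapse repeated names: with /f a later definition replaces an earlier one of the same name."""
    tasks = {}
    for r in results:
        name = r["task_name"].lower()
        if name not in tasks or r["force"]:
            tasks[name] = r
    return tasks


if __name__ == "__main__":
    results = triage(PROCESS_EVENTS)
    for r in results:
        print(f"pid {r['pid']} task {r['task_name']!r} -> {r['target']}: {', '.join(r['flags']) or 'clean'}")
    print("surviving tasks:", {n: (t["schedule"], t["modifier"], t["run_level"]) for n, t in effective_tasks(results).items()})
```

The same parser works on Sysmon event 1 or 4688 command lines; the WmiPrvSE.exe parent check is the cheap way to tell a WMI-driven creation from an operator typing schtasks in a console, and the lookalike rule only fires when the name is combined with a path outside the trusted directories, so the real sppsvc.exe in System32 is never flagged.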
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Scheduled Task/Job (1)
Downloads
File 1
  Filesize: 50B
  MD5: ece322b75c5e4383a93614451a790b69
  SHA1: 64349dff64838975d5e8f43aca2fc58cdc2d23a4
  SHA256: ea8a87c2f391ea31733f8940f08438c1c37fe24c48436b2b42172782cf0e80e7
  SHA512: ecfda4c643834f5afce94eacb2913395ca16979b48934263c0a32f181eac03daea0b469cbefd8bc7808bdd40d3c0c6203251bf2b9afe503dd8d42194f4efbe03

File 2
  Filesize: 223B
  MD5: 632ed12534a63933a54e87794bdcbde9
  SHA1: 767f1a7d754d9567d6ec9bfd0645c4f02e3bd34c
  SHA256: 7e28ef3bfe89e42a7ffffc01778d85b5d78f7838353b4e21a28652d619f2aadf
  SHA512: 720d93474abb4046ee46c230154341bec17d78bdd35d9dcaf550aff533edd492d76448eaf3959d456e310573d88eb0fd77d2895b6b8d716f07ae1ea9a3121f3a

File 3
  Filesize: 1.4MB
  MD5: 571ab5b678016f479ea48c5270bd6174
  SHA1: 9e92df1fe28497858acba7d0289ff9024a7384c1
  SHA256: 9eb21f43a0f1b4abd717d18aa802239ea37bb179af72136dcc892bd54f46547a
  SHA512: e70d1d40cca84d4cb7aa991e0cbdde8ac21b02dd0a8291fcbbab3039d64998107ce581c8b5dc31d1144971775b89b5b5e1ebc686c95438f51c7bbc40ef4935c7