Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 27-05-2024 01:12
Behavioral task: behavioral1
- Sample: DCRat.exe
- Resource: win11-20240426-en
General
- Target: DCRat.exe
- Size: 6.9MB
- MD5: 00d9d8efbbc40085276b347014d676cb
- SHA1: 2f170d5a165cb799ae6abca04995ac7a5f2db3ac
- SHA256: dec093070d245723af3d5a631e72b6ff1303b4e1a862b6edc95915cf8f863f9d
- SHA512: 780cf48eeaafb2533ae49dc9515e33530b1a0c194da80275436ce5fd642b927e7e101c3fad9c4e0cc23ea30def9bd5c706252bff48d5c03e0a19e2d2aad80a89
- SSDEEP: 196608:aUI3ljBj/NBM6I059onJ5hrZEnyiU8AdZYJERurTb:qVjBj1iw9c5hlEXAdZYygr/
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
  Processes (resource | yara_rule):
  - C:\DCRat.exe | dcrat
  - C:\Users\Admin\AppData\Roaming\Serverfontwininto\SavesMonitor.exe | dcrat
  - behavioral1/memory/3916-62-0x0000000000880000-0x0000000000A96000-memory.dmp | dcrat
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  - 3280 | DCRat.exe
  - 3100 | DCRat1.exe
  - 3916 | SavesMonitor.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
  - 2500 | DCRat.exe
  - 2500 | DCRat.exe
  - 2500 | DCRat.exe
  - 2500 | DCRat.exe
- Modifies file permissions (1 TTPs, 1 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | DCRat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 3916 | SavesMonitor.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process):
  - PID 3564 wrote to memory of 2500 | 3564 | DCRat.exe | DCRat.exe
  - PID 3564 wrote to memory of 2500 | 3564 | DCRat.exe | DCRat.exe
  - PID 2500 wrote to memory of 1376 | 2500 | DCRat.exe | cmd.exe
  - PID 2500 wrote to memory of 1376 | 2500 | DCRat.exe | cmd.exe
  - PID 1376 wrote to memory of 3280 | 1376 | cmd.exe | DCRat.exe
  - PID 1376 wrote to memory of 3280 | 1376 | cmd.exe | DCRat.exe
  - PID 1376 wrote to memory of 3280 | 1376 | cmd.exe | DCRat.exe
  - PID 3280 wrote to memory of 2400 | 3280 | DCRat.exe | WScript.exe
  - PID 3280 wrote to memory of 2400 | 3280 | DCRat.exe | WScript.exe
  - PID 3280 wrote to memory of 2400 | 3280 | DCRat.exe | WScript.exe
  - PID 2500 wrote to memory of 5032 | 2500 | DCRat.exe | cmd.exe
  - PID 2500 wrote to memory of 5032 | 2500 | DCRat.exe | cmd.exe
  - PID 5032 wrote to memory of 3100 | 5032 | cmd.exe | DCRat1.exe
  - PID 5032 wrote to memory of 3100 | 5032 | cmd.exe | DCRat1.exe
  - PID 5032 wrote to memory of 3100 | 5032 | cmd.exe | DCRat1.exe
  - PID 3100 wrote to memory of 436 | 3100 | DCRat1.exe | javaw.exe
  - PID 3100 wrote to memory of 436 | 3100 | DCRat1.exe | javaw.exe
  - PID 436 wrote to memory of 1892 | 436 | javaw.exe | icacls.exe
  - PID 436 wrote to memory of 1892 | 436 | javaw.exe | icacls.exe
  - PID 2400 wrote to memory of 2264 | 2400 | WScript.exe | cmd.exe
  - PID 2400 wrote to memory of 2264 | 2400 | WScript.exe | cmd.exe
  - PID 2400 wrote to memory of 2264 | 2400 | WScript.exe | cmd.exe
  - PID 2264 wrote to memory of 3916 | 2264 | cmd.exe | SavesMonitor.exe
  - PID 2264 wrote to memory of 3916 | 2264 | cmd.exe | SavesMonitor.exe
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\DCRat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DCRat.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DCRat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DCRat.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\\DCRat.exe
      - Suspicious use of WriteProcessMemory
      - C:\DCRat.exe
        Command line: C:\\DCRat.exe
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Serverfontwininto\oYDSY0JCnrsd7g.vbe"
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Serverfontwininto\jJZf28BLIdI.bat" "
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\Serverfontwininto\SavesMonitor.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Serverfontwininto\SavesMonitor.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\\DCRat1.exe
      - Suspicious use of WriteProcessMemory
      - C:\DCRat1.exe
        Command line: C:\\DCRat1.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Java\jre-1.8\bin\javaw.exe
          Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\icacls.exe
            Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
            - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads