dcrat | e51f8d90fb3698bd568b693c41927bdee20c799e823bd4630a061454d3264309

Analysis

max time kernel
149s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 22:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.1MB
MD5

4c40088e4f1835614a5a1088056699e2
SHA1

4b78a9fad74e75b67cb6626679166f611171a161
SHA256

e51f8d90fb3698bd568b693c41927bdee20c799e823bd4630a061454d3264309
SHA512

2717db3fa71493bfee3acb5b6a40a15ba5f9522be230ac5376f1317b964cc29050d84b9bdd2a84066d9d7b96cbcd7f73faebfad3d21b2a8172c548b4c1a8f685
SSDEEP

24576:U2G/nvxW3Ww0t2onGju9hMij7DTA9LX9GmN6ya4+o:UbA30Vd9aqM9Lbai

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	5020	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	5020	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	5020	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	5020	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	5020	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	5020	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023428-10.dat	dcrat
behavioral2/memory/4580-13-0x0000000000050000-0x0000000000126000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	PortWeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4580	PortWeb.exe
5068	explorer.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe	PortWeb.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\7a0fd90576e088	PortWeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5004	schtasks.exe
3440	schtasks.exe
3736	schtasks.exe
1080	schtasks.exe
2416	schtasks.exe
872	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	PortWeb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4580	PortWeb.exe
4580	PortWeb.exe
4580	PortWeb.exe
4580	PortWeb.exe
4580	PortWeb.exe
5068	explorer.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	PortWeb.exe
Token: SeDebugPrivilege	5068	explorer.exe
Token: SeDebugPrivilege	960	taskmgr.exe
Token: SeSystemProfilePrivilege	960	taskmgr.exe
Token: SeCreateGlobalPrivilege	960	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 224	4804	DCRatBuild.exe	82
PID 4804 wrote to memory of 224	4804	DCRatBuild.exe	82
PID 4804 wrote to memory of 224	4804	DCRatBuild.exe	82
PID 224 wrote to memory of 3528	224	WScript.exe	86
PID 224 wrote to memory of 3528	224	WScript.exe	86
PID 224 wrote to memory of 3528	224	WScript.exe	86
PID 3528 wrote to memory of 4580	3528	cmd.exe	88
PID 3528 wrote to memory of 4580	3528	cmd.exe	88
PID 4580 wrote to memory of 2184	4580	PortWeb.exe	96
PID 4580 wrote to memory of 2184	4580	PortWeb.exe	96
PID 2184 wrote to memory of 4816	2184	cmd.exe	98
PID 2184 wrote to memory of 4816	2184	cmd.exe	98
PID 2184 wrote to memory of 5068	2184	cmd.exe	99
PID 2184 wrote to memory of 5068	2184	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MsReviewsession\yO3BOIbzunvfadK9o.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\MsReviewsession\iOUbd.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\MsReviewsession\PortWeb.exe
      "C:\MsReviewsession\PortWeb.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE8uvMQz6N.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4816
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MsReviewsession\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MsReviewsession\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MsReviewsession\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MsReviewsession\PortWeb.exe

Filesize
829KB

MD5
8b03716cc54bbca6ef5d9a611e57bae8

SHA1
c0853a0fbfde846f94dc9aea05908b745f36cac2

SHA256
9e11fd15f5cd01ef1abc858da09943a4d10646b495b1b2dcefae2ca61ee1741b

SHA512
49961849720f1ee7f2260e1683b046ba26fff6c8ff7abe818d9c158aa3b7f69d83ac9615c8bcffad7512eb900105d2fcea56b1a4fabe527423b332a02c2b3034

Download Submit
C:\MsReviewsession\iOUbd.bat

Filesize
32B

MD5
f2c01fc7f2af46de03aae93540aa68e0

SHA1
914395bb0d9b16f3af93eff925f3b518950bbd35

SHA256
f1265433eed8e39b8969eb0bfdff53079a2fb414c552bc16d2e6b9c2b7ddf467

SHA512
5b6b68db4ecfac92ae6bb6b57b9eb402ae416090c384c88737bcc4280343eebcdc4715627f6cce39965e0ac26147771bc2be329778b1bb3d4c300d75cd1f2fd7

Download Submit
C:\MsReviewsession\yO3BOIbzunvfadK9o.vbe

Filesize
197B

MD5
4c8b86faed61558028921999a343ef68

SHA1
0bffd3004d6421de0a02dc25aaa92bf70f805a90

SHA256
028f593ae44a66648497644d987f5fea9ab3ea946a161ca90208115643f45763

SHA512
21f032a1c36556e5f7c17f0d8d2c07383d45e19404aefef7515258bc4a40b2369c29765824513d4b1fc7ee0b3a7aa8bdd8ae2f200706492a5f774c510badc461

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE8uvMQz6N.bat

Filesize
240B

MD5
08c288f6ddd9d606dd6389242922a0e3

SHA1
36fcef6f536bdd6f4f9dff9fecbec4bcf9149d75

SHA256
0f279d37823debb829988aac0cf8c9b43413534e97acbacd9ef9244521c25648

SHA512
34ce157981c082d94a3d3ab9e4041340fa87bfff5d06f689dac5522d4b8b0854f8ae0eae81b447a6730f434c038d1feab2b83cd4fec87fcf664b45e2688e6832

Download Submit
memory/960-38-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-28-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-29-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-30-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-35-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-40-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-39-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-37-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-36-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/960-34-0x0000021155EC0000-0x0000021155EC1000-memory.dmp

Filesize
4KB

Download
memory/4580-13-0x0000000000050000-0x0000000000126000-memory.dmp

Filesize
856KB

Download
memory/4580-12-0x00007FFA2AE23000-0x00007FFA2AE25000-memory.dmp

Filesize
8KB

Download