Analysis

  • max time kernel
    600s
  • max time network
    600s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    21-06-2024 01:07

General

  • Target

    DCRatBuild.exe

  • Size

    2.8MB

  • MD5

    0a6cd0aed40de98cb0086c11454fc7f5

  • SHA1

    364a210567fbff8b8095a09f6d4c8745f44bd82c

  • SHA256

    d07d79bfaecfaad730b473aedbedd0b1c49b5361f74aab3a79c7a37c623527eb

  • SHA512

    1e90fc51509290d94e96a10c57f681e85a1bb4a28b5e090b20f41567d31123b117a68cff7dead979f3119bc3f2a64cc43fab3194036939c4ec3daf070f6a958a

  • SSDEEP

    49152:UbA30Mx6mbB202bRTk7puPi9bOdL/+AmU0FwGkxKYFC19Jm/PKhd:UbYUmbB20sRSuPi9bQL/+AmU0F7LSk

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\PortFontMonitornetcommon\BrokerSvc.exe
          "C:\PortFontMonitornetcommon\BrokerSvc.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2700
          • C:\Windows\es-ES\explorer.exe
            "C:\Windows\es-ES\explorer.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:796
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1724
  • C:\Windows\system32\resmon.exe
    "C:\Windows\system32\resmon.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\System32\perfmon.exe
      "C:\Windows\System32\perfmon.exe" /res
      2⤵
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x594
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:108
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E2411835-5D54-4D74-9591-D65514FE3259} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe
      C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe
      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PortFontMonitornetcommon\BrokerSvc.exe
    Filesize

    2.5MB

    MD5

    fc27116ce1b57a71d7d201e9aae86b01

    SHA1

    ff047b7c918d9ff388b5c4928bfad5dcc818f1d4

    SHA256

    121d462ca9f33798e076d069ec6b84c5ae0573bbaac8df8dd78efbb7041bd30b

    SHA512

    25747516de2d99e6193fc920435ececf1b7ddb8990487d26d03cf6179b7dab0f5172c0dfa5d4db4a29028c00c12a9fb266bc14d6920e864d6a3934af7748618b

  • C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat
    Filesize

    166B

    MD5

    e09688b8cdb47414e341937de481c43d

    SHA1

    e799a6166c872f085d62a5ea580b0798be36835d

    SHA256

    949721b3bf385d01afc6b13e3c3ad7f37d87d29c49f243e2d59d4152925ee31b

    SHA512

    c6a2aa753e0feaf0549cd22ace526a81c219b1b5513bb8a83154d6adeeb3db0536a4c0f0a9cb14373934ce400f8ed4681046e53bd175da5be10c0b7548690017

  • C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe
    Filesize

    237B

    MD5

    e2723c4480fd7a7a5d8c46cb7bd7010e

    SHA1

    8ece7fa1a4cc39d5d439c13c8670c416ce4da987

    SHA256

    8064029eab99ac1caed8414e03b5e7c981de56a6fcb7bdce3aa3b3438f430a2b

    SHA512

    8ad0e2d16feaf91c9fc016b048721819d0b0ee5b4802371e5317b1b27ff7368fddd8ad6179de024c478d61fba3273727a3d94a59faef36a3b1cd2cdab32f6c51

  • memory/796-41-0x0000000000E90000-0x000000000110A000-memory.dmp
    Filesize

    2.5MB

  • memory/2392-71-0x0000000000200000-0x000000000047A000-memory.dmp
    Filesize

    2.5MB

  • memory/2396-67-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

  • memory/2396-66-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

  • memory/2396-65-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

  • memory/2600-74-0x0000000000970000-0x0000000000BEA000-memory.dmp
    Filesize

    2.5MB

  • memory/2700-20-0x00000000004F0000-0x00000000004F8000-memory.dmp
    Filesize

    32KB

  • memory/2700-26-0x0000000000B00000-0x0000000000B0C000-memory.dmp
    Filesize

    48KB

  • memory/2700-21-0x0000000000510000-0x000000000051C000-memory.dmp
    Filesize

    48KB

  • memory/2700-22-0x0000000000520000-0x000000000052C000-memory.dmp
    Filesize

    48KB

  • memory/2700-23-0x0000000000AD0000-0x0000000000ADC000-memory.dmp
    Filesize

    48KB

  • memory/2700-24-0x0000000000AE0000-0x0000000000AEE000-memory.dmp
    Filesize

    56KB

  • memory/2700-25-0x0000000000AF0000-0x0000000000AFC000-memory.dmp
    Filesize

    48KB

  • memory/2700-19-0x00000000004E0000-0x00000000004EC000-memory.dmp
    Filesize

    48KB

  • memory/2700-18-0x0000000000490000-0x00000000004E6000-memory.dmp
    Filesize

    344KB

  • memory/2700-17-0x0000000000480000-0x000000000048A000-memory.dmp
    Filesize

    40KB

  • memory/2700-16-0x0000000000460000-0x0000000000468000-memory.dmp
    Filesize

    32KB

  • memory/2700-15-0x00000000001D0000-0x00000000001EC000-memory.dmp
    Filesize

    112KB

  • memory/2700-14-0x00000000001C0000-0x00000000001CE000-memory.dmp
    Filesize

    56KB

  • memory/2700-13-0x0000000000CE0000-0x0000000000F5A000-memory.dmp
    Filesize

    2.5MB