Analysis
- max time kernel: 121s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 21-06-2024 12:22

Behavioral task: behavioral1
- Sample: DCRatBuild.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: DCRatBuild.exe
- Resource: win10v2004-20240508-en

General
- Target: DCRatBuild.exe
- Size: 1.1MB
- MD5: 69119a27d94728deb85e51c343ca0173
- SHA1: f93da03f3678056d611196d1c837146277fc68dc
- SHA256: f54df54335eb1edb832f6a501d095b0d2011c32a81f061397e04908efab35b3e
- SHA512: ce7887a1abaac570a45344efa9793650c39134b89a1aaad5e1cbe8e71985e6515871622334b5da4cad520e865a4c7605e0587bb4174d54fbf129035eb5cd1e6c
- SSDEEP: 24576:U2G/nvxW3Ww0tzm2QaiULPxZWv7q6cZIrDgVmAk:UbA30BQaVZrmH
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
resource | yara_rule
\PortserverWin\serverwin.exe | dcrat
behavioral1/memory/2780-13-0x00000000008B0000-0x0000000000986000-memory.dmp | dcrat
behavioral1/memory/1628-35-0x0000000000850000-0x0000000000926000-memory.dmp | dcrat
-
Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2508 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2568 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1356 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 576 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1000 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1116 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2556 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1088 | 1500 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 1500 | schtasks.exe |
Executes dropped EXE (2 IoCs)
Processes:
pid | process
2780 | serverwin.exe
1628 | csrss.exe
-
Loads dropped DLL (2 IoCs)
Processes:
pid | process
2704 | cmd.exe
2704 | cmd.exe
-
Drops file in Program Files directory (8 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe | serverwin.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\c5b4cb5e9653cc | serverwin.exe
File created | C:\Program Files (x86)\Windows Sidebar\lsm.exe | serverwin.exe
File created | C:\Program Files (x86)\Windows Sidebar\101b941d020240 | serverwin.exe
File created | C:\Program Files\Windows Portable Devices\System.exe | serverwin.exe
File created | C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0 | serverwin.exe
File created | C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe | serverwin.exe
File created | C:\Program Files (x86)\Windows Sidebar\it-IT\b75386f1303e64 | serverwin.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe | serverwin.exe
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\886983d96e3d3e | serverwin.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2760 | schtasks.exe
2844 | schtasks.exe
2196 | schtasks.exe
2056 | schtasks.exe
2684 | schtasks.exe
2508 | schtasks.exe
1356 | schtasks.exe
1000 | schtasks.exe
2556 | schtasks.exe
2552 | schtasks.exe
576 | schtasks.exe
1116 | schtasks.exe
2968 | schtasks.exe
2852 | schtasks.exe
1088 | schtasks.exe
2568 | schtasks.exe
2044 | schtasks.exe
1632 | schtasks.exe
1912 | schtasks.exe
1984 | schtasks.exe
1744 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
pid | process
1352 | vlc.exe
-
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid | process
2780 | serverwin.exe (5 occurrences)
1628 | csrss.exe (9 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
1352 | vlc.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2780 | serverwin.exe
Token: SeDebugPrivilege | 1628 | csrss.exe
-
Suspicious use of FindShellTrayWindow (7 IoCs)
Processes:
pid | process
1352 | vlc.exe (7 occurrences)
-
Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
pid | process
1352 | vlc.exe (6 occurrences)
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
1352 | vlc.exe
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description | pid | process | target process
PID 836 wrote to memory of 2016 | 836 | DCRatBuild.exe | WScript.exe (4 occurrences)
PID 2016 wrote to memory of 2704 | 2016 | WScript.exe | cmd.exe (4 occurrences)
PID 2704 wrote to memory of 2780 | 2704 | cmd.exe | serverwin.exe (4 occurrences)
PID 2780 wrote to memory of 1568 | 2780 | serverwin.exe | cmd.exe (3 occurrences)
PID 1568 wrote to memory of 452 | 1568 | cmd.exe | w32tm.exe (3 occurrences)
PID 1568 wrote to memory of 1628 | 1568 | cmd.exe | csrss.exe (3 occurrences)
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (PID 836)
  command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2016)
    command line: "C:\Windows\System32\WScript.exe" "C:\PortserverWin\hbvALF5ANwO637LJ.vbe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2704)
      command line: cmd /c ""C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat" "
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\PortserverWin\serverwin.exe (PID 2780)
        command line: "C:\PortserverWin\serverwin.exe"
        signatures: Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\System32\cmd.exe (PID 1568)
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtBXlDZwLn.bat"
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\w32tm.exe (PID 452)
            command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          - C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe (PID 1628)
            command line: "C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe"
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 2552)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2508)
  command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2568)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2760)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\PortserverWin\Idle.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1356)
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\PortserverWin\Idle.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 576)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\PortserverWin\Idle.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2044)
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1000)
  command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1632)
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1116)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2844)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2852)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2968)
  command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\lsm.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2556)
  command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\lsm.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2196)
  command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\lsm.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1912)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2056)
  command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1984)
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1744)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1088)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2684)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Program Files\VideoLAN\VLC\vlc.exe (PID 1352)
  command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SubmitGrant.asx"
  signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Program Files\VideoLAN\VLC\vlc.exe (PID 2144)
  command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SubmitGrant.asx"
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat
  Filesize: 32B
  MD5: f97003508c4a7da05b8dd7ec2eb5d19d
  SHA1: 57c69807156d660c0394caf53af6d7edb10419ae
  SHA256: 0065d6587056351f930803b1030b2d1b210e41a4a731f3d0e4f55d903a0b80e0
  SHA512: 86c8a7697d0593dc48bd1343af8c114e85fa422380ae7cfcbd549d4b740e7aff4faf23d0ff06d1c7e4b6a1b0f3eafe15ddfbc451d42815ec23b4ee7e6437124d
- C:\PortserverWin\hbvALF5ANwO637LJ.vbe
  Filesize: 215B
  MD5: ac7f40d86252e33f7eaa68237c8ef92e
  SHA1: 3cca1a9e29e8ab5a3a72ac9c8eac2c482a0da30b
  SHA256: 90cd9a07fcbef6f39445d04035adbdcde5f1cc91e7f7f084516efbc5ba95c3ca
  SHA512: 1d66fedbc2b1d882b007d4b36c3ffef1c5d550c60ceb14c7517b48e08deb2f7e868fdd419d6545e07fe4a859ff088746f8a6892b9e99a8d2216f7c3a4bc2c694
- C:\Users\Admin\AppData\Local\Temp\QtBXlDZwLn.bat
  Filesize: 234B
  MD5: cf051f4087ff2c850f4a53b0cdf8c3d6
  SHA1: eb3e686cd47065c0a76f4d45dff7e2d9813bfed9
  SHA256: d1887a3a689af7e6235a3fbe1f71caaca25354abf7e90016e905e8113d556e47
  SHA512: 7b20b7d27c0d55975f59bd0b8040f46738ba2d76d9a3dedf626633a2092e3b6a37901f2b3e6462cdc67e3ab159aafe7e7ba933e032a7567142890d645e4f8641
- \PortserverWin\serverwin.exe
  Filesize: 828KB
  MD5: eee8aebed57ea1fb9fb307a967e6892a
  SHA1: 047a0c84eeba395bf99e99872ad56bb35416bb2b
  SHA256: 1d5d6374bc49780c31381696ad42a24369b398a2a85580196c031067f97e621d
  SHA512: 411d5d02d40de7ec4eb4679cc1047df0987060676bbd721efe099c6babbaead2dccdd68a394afe930c96bb34f40c0512ae4ca224c152f02721072cc14c04004d
- memory/1352-54-0x000000013F750000-0x000000013F848000-memory.dmp
  Filesize: 992KB
- memory/1352-56-0x000007FEF23C0000-0x000007FEF2676000-memory.dmp
  Filesize: 2.7MB
- memory/1352-55-0x000007FEFB760000-0x000007FEFB794000-memory.dmp
  Filesize: 208KB
- memory/1352-57-0x000007FEECA40000-0x000007FEEDAF0000-memory.dmp
  Filesize: 16.7MB
- memory/1628-35-0x0000000000850000-0x0000000000926000-memory.dmp
  Filesize: 856KB
- memory/2144-36-0x000000013F750000-0x000000013F848000-memory.dmp
  Filesize: 992KB
- memory/2144-37-0x000007FEFB760000-0x000007FEFB794000-memory.dmp
  Filesize: 208KB
- memory/2144-39-0x000007FEF7EB0000-0x000007FEF7EC8000-memory.dmp
  Filesize: 96KB
- memory/2144-40-0x000007FEF7E30000-0x000007FEF7E47000-memory.dmp
  Filesize: 92KB
- memory/2144-38-0x000007FEF23C0000-0x000007FEF2676000-memory.dmp
  Filesize: 2.7MB
- memory/2144-41-0x000007FEF7D50000-0x000007FEF7D61000-memory.dmp
  Filesize: 68KB
- memory/2780-13-0x00000000008B0000-0x0000000000986000-memory.dmp
  Filesize: 856KB