Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system -
submitted
16-07-2024 22:34
Behavioral task
behavioral1
Sample
DCRatBuild.exe
Resource
win10v2004-20240709-en
General
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
MD5
e9bc068017ce93f26711bc6cee5baaf5
-
SHA1
397be9a2d6a68e4c49beaa694e12c338253216df
-
SHA256
066802e184c05d76cc3657b71f4e8572f694d59bb2a7baa8fed3a6605476a709
-
SHA512
e93f62eb34d3a3010d1b5ff250de512c81134e58ca0f9a9eb91acecd73c7abc0c5396c93640390608af9d06b196148949be32c63417acea51ece1595b909a14c
-
SSDEEP
24576:U2G/nvxW3Ww0tWq4f28wBUVIL8FGstUPtekz2N:UbA30WDf6QEa
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe (21 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2108 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3480 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3984 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4872 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4868 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4916 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1596 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3256 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4060 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3028 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 804 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1808 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2080 | 2392 | schtasks.exe
-
Processes:
resource | yara_rule
C:\dllDhcp\chainblockhost.exe | dcrat
behavioral1/memory/640-13-0x0000000000250000-0x0000000000326000-memory.dmp | dcrat
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
DCRatBuild.exe, WScript.exe, chainblockhost.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | DCRatBuild.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | chainblockhost.exe
-
Executes dropped EXE 2 IoCs
Processes:
chainblockhost.exe, dllhost.exe
pid | process
640 | chainblockhost.exe
852 | dllhost.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
chainblockhost.exe
description | ioc | process
File created | C:\Program Files\Internet Explorer\es-ES\csrss.exe | chainblockhost.exe
File created | C:\Program Files\Internet Explorer\es-ES\886983d96e3d3e | chainblockhost.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe | chainblockhost.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\ea9f0e6c9e2dcd | chainblockhost.exe
-
Drops file in Windows directory 3 IoCs
Processes:
chainblockhost.exe
description | ioc | process
File created | C:\Windows\PrintDialog\pris\unsecapp.exe | chainblockhost.exe
File opened for modification | C:\Windows\PrintDialog\pris\unsecapp.exe | chainblockhost.exe
File created | C:\Windows\PrintDialog\pris\29c1c3cc0f7685 | chainblockhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
DCRatBuild.exe, chainblockhost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | DCRatBuild.exe
Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | chainblockhost.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (21 instances)
pid | process
2192 | schtasks.exe
2820 | schtasks.exe
4060 | schtasks.exe
2856 | schtasks.exe
2592 | schtasks.exe
2080 | schtasks.exe
2108 | schtasks.exe
4872 | schtasks.exe
4932 | schtasks.exe
3256 | schtasks.exe
1808 | schtasks.exe
2860 | schtasks.exe
4868 | schtasks.exe
4916 | schtasks.exe
2316 | schtasks.exe
804 | schtasks.exe
3480 | schtasks.exe
2716 | schtasks.exe
1596 | schtasks.exe
3028 | schtasks.exe
3984 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
chainblockhost.exe, dllhost.exe
pid | process
640 | chainblockhost.exe
852 | dllhost.exe
852 | dllhost.exe
852 | dllhost.exe
852 | dllhost.exe
852 | dllhost.exe
852 | dllhost.exe
852 | dllhost.exe
852 | dllhost.exe
852 | dllhost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dllhost.exe
pid | process
852 | dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
chainblockhost.exe, dllhost.exe
description | pid | process
Token: SeDebugPrivilege | 640 | chainblockhost.exe
Token: SeDebugPrivilege | 852 | dllhost.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
DCRatBuild.exe, WScript.exe, cmd.exe, chainblockhost.exe, cmd.exe
description | pid | process | target process
PID 1848 wrote to memory of 5084 | 1848 | DCRatBuild.exe | WScript.exe
PID 1848 wrote to memory of 5084 | 1848 | DCRatBuild.exe | WScript.exe
PID 1848 wrote to memory of 5084 | 1848 | DCRatBuild.exe | WScript.exe
PID 5084 wrote to memory of 4992 | 5084 | WScript.exe | cmd.exe
PID 5084 wrote to memory of 4992 | 5084 | WScript.exe | cmd.exe
PID 5084 wrote to memory of 4992 | 5084 | WScript.exe | cmd.exe
PID 4992 wrote to memory of 640 | 4992 | cmd.exe | chainblockhost.exe
PID 4992 wrote to memory of 640 | 4992 | cmd.exe | chainblockhost.exe
PID 640 wrote to memory of 1232 | 640 | chainblockhost.exe | cmd.exe
PID 640 wrote to memory of 1232 | 640 | chainblockhost.exe | cmd.exe
PID 1232 wrote to memory of 3740 | 1232 | cmd.exe | w32tm.exe
PID 1232 wrote to memory of 3740 | 1232 | cmd.exe | w32tm.exe
PID 1232 wrote to memory of 852 | 1232 | cmd.exe | dllhost.exe
PID 1232 wrote to memory of 852 | 1232 | cmd.exe | dllhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848
-
  C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\dllDhcp\OJCWB0R.vbe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5084
  -
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\dllDhcp\L7EPwMogY.bat" "
    - Suspicious use of WriteProcessMemory
    PID:4992
    -
      C:\dllDhcp\chainblockhost.exe
      "C:\dllDhcp\chainblockhost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:640
      -
        C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RyEOv3RD96.bat"
        - Suspicious use of WriteProcessMemory
        PID:1232
        -
          C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID:3740
          -
          C:\Users\Default\Cookies\dllhost.exe
          "C:\Users\Default\Cookies\dllhost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID:852
          -
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\pris\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\pris\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
201B
MD5
76805f836d0ddf546c2abe3341ee1da2
SHA1
c6cb878b71a7535828041076903f90f381344dca
SHA256
1d7d7554d480e0a08ac6ecf701b3ec19a3750e72045c20c020388d0be5cc90f9
SHA512
6a63362ef92cec78f4260ac9886f93b0839b68498591d33789e2628fe1786b0d8db844768d06b3e5e010e9734fe98d84294a3f438016286771cceada77d666c9
-
Filesize
31B
MD5
342aa8d31ebbd9cd7138d5b76e077e0c
SHA1
4717d1c8fe768b1bd8af60099f290f68bce904c1
SHA256
ecc4afd63c9149e78c18eefe4fef6b157f5aed8041ba8c7bf1e08be0cd443f0d
SHA512
3d3ada3221594875106309e4f0679d902b3dbed7dae70da5bb48d7a310b19d0a3d590b7fefad6ab4da9bfbca0b17922aac670026d1e3b87aff3bccb618e6f770
-
Filesize
193B
MD5
a0e0d2de250b26d29469010e1fabb24c
SHA1
c4c97777a9ee20e5bc9474e30f5b886588fae262
SHA256
e5a0781bc13be642252b811ace31e5c6c843dd53e5c18c8f2d36fdb00e36d55c
SHA512
54775b96140357ad7892571051e1415ac3793915ac5e2c4bf25d1dd36ad6707af50ac73d27dbc086b400de320b556d771a3b65bed32094c224394dbde1b7b3ef
-
Filesize
828KB
MD5
a36cfffc11e9c9d311ed2d7b77d41b54
SHA1
acdb06c05f53a0d255204c39f5cd798f28b912bb
SHA256
7b4bdb74d53d18952294ada597261217d380dc0931c9dae040df9e401e62bea3
SHA512
7a82ba48731e08f0151820681ec4cbd8f9fc2ee221588add6ba045d47e08324855e3cf519312810748e1797a885b50f8653e69fe3fdb847fa5b5ee9bf78696e9