Analysis
- max time kernel: 125s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21-07-2024 10:36
Behavioral task: behavioral1
- Sample: DCRatBuild.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: DCRatBuild.exe
- Resource: win10v2004-20240709-en
General
- Target: DCRatBuild.exe
- Size: 1.6MB
- MD5: 01d84e6b9068bb3e5be23ead859dad8e
- SHA1: 4942abe76919a4eb917336dc6ab2fa446c76acae
- SHA256: 6a0ee90b6f1dd76a6269315104c2de7a060efc8001cda6339f29096daf59b61d
- SHA512: d7e72c2fb6df83f54eae57a2da350f9e5e3e38d3c9fc659d3e3c275a87374b2697eb130877f0e73dd9e4f29c88122206da5ab3ee45861582429c88d588633e7b
- SSDEEP: 24576:U2G/nvxW3Ww0thQZoR7lLU0J5/PFiTVfHkOXYsFn2NGPxSRPl2NCd:UbA30hQZoQ0HFmYsB2x
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes:
resource | yara_rule
C:\Bridgecrt\RefdhcpSvc.exe | dcrat
behavioral1/memory/2848-13-0x0000000000EB0000-0x0000000000FFA000-memory.dmp | dcrat
behavioral1/memory/748-31-0x0000000000C50000-0x0000000000D9A000-memory.dmp | dcrat
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2616 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2616 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2616 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 372 | 2616 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 2616 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2992 | 2616 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2108 | 2616 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2616 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2616 | schtasks.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2848 | RefdhcpSvc.exe
748 | dllhost.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
2864 | cmd.exe
2864 | cmd.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Windows NT\taskhost.exe | RefdhcpSvc.exe
File created | C:\Program Files (x86)\Windows NT\b75386f1303e64 | RefdhcpSvc.exe
File created | C:\Program Files (x86)\Windows NT\taskhost.exe | RefdhcpSvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3004 | schtasks.exe
2992 | schtasks.exe
2108 | schtasks.exe
1964 | schtasks.exe
3008 | schtasks.exe
2636 | schtasks.exe
372 | schtasks.exe
2880 | schtasks.exe
2132 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
2848 | RefdhcpSvc.exe
748 | dllhost.exe (9 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
748 | dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2848 | RefdhcpSvc.exe
Token: SeDebugPrivilege | 748 | dllhost.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 2680 wrote to memory of 2692 (4 times) | 2680 | DCRatBuild.exe | WScript.exe
PID 2692 wrote to memory of 2864 (4 times) | 2692 | WScript.exe | cmd.exe
PID 2864 wrote to memory of 2848 (4 times) | 2864 | cmd.exe | RefdhcpSvc.exe
PID 2848 wrote to memory of 2336 (3 times) | 2848 | RefdhcpSvc.exe | cmd.exe
PID 2336 wrote to memory of 1392 (3 times) | 2336 | cmd.exe | w32tm.exe
PID 2336 wrote to memory of 748 (3 times) | 2336 | cmd.exe | dllhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (PID 2680)
  command: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2692)
    command: "C:\Windows\System32\WScript.exe" "C:\Bridgecrt\sZWlDJX899JKJ.vbe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2864)
      command: cmd /c ""C:\Bridgecrt\HCQUFaJMLZKomKKlWK1JJBtaf0zX.bat" "
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Bridgecrt\RefdhcpSvc.exe (PID 2848)
        command: "C:\Bridgecrt\RefdhcpSvc.exe"
        signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\System32\cmd.exe (PID 2336)
          command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat"
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\w32tm.exe (PID 1392)
            command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          - C:\Bridgecrt\dllhost.exe (PID 748)
            command: "C:\Bridgecrt\dllhost.exe"
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 3004)
  command: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 3008)
  command: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2636)
  command: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 372)
  command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2880)
  command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2992)
  command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2108)
  command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Bridgecrt\dllhost.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2132)
  command: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Bridgecrt\dllhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1964)
  command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Bridgecrt\dllhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\explorer.exe (PID 1744)
  command: "C:\Windows\explorer.exe"
- C:\Windows\explorer.exe (PID 448)
  command: "C:\Windows\explorer.exe"
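The nine schtasks.exe command lines above, run through an added detection example. This code is written for this page; it is not part of the sandbox's output and not code from the sample. The parent image (wmiprvse.exe, PID 2616) and the child PIDs are copied from the report's "Process spawned unexpected child process" rows. The set of unexpected parents, the list of system-binary names used for the masquerade check and the 15-minute watchdog threshold are analyst assumptions, not values from the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input copied from the report: (parent image, child PID, child
# command line). All nine were spawned by the same wmiprvse.exe (PID 2616).
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE_EVENTS = [
    (WMIPRVSE, 3004, r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /f'''),
    (WMIPRVSE, 3008, r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f'''),
    (WMIPRVSE, 2636, r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f'''),
    (WMIPRVSE, 372,  r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /f'''),
    (WMIPRVSE, 2880, r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f'''),
    (WMIPRVSE, 2992, r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f'''),
    (WMIPRVSE, 2108, r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Bridgecrt\dllhost.exe'" /f'''),
    (WMIPRVSE, 2132, r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Bridgecrt\dllhost.exe'" /rl HIGHEST /f'''),
    (WMIPRVSE, 1964, r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Bridgecrt\dllhost.exe'" /rl HIGHEST /f'''),
]

# Analyst assumptions (tune per environment); none of these come from the report.
UNEXPECTED_PARENTS = {"wmiprvse.exe"}      # a WMI provider host has no business creating tasks
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_BINARY_NAMES = {"taskhost.exe", "services.exe", "dllhost.exe",
                       "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
WATCHDOG_MINUTES = 15                      # MINUTE schedules at or under this re-launch an implant


@dataclass
class ScheduledTask:
    parent: str
    pid: int
    name: str = ""
    schedule: str = ""
    modifier: Optional[int] = None
    target: str = ""
    run_level: str = ""
    force: bool = False
    findings: List[str] = field(default_factory=list)


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted arguments whole, then drop the
    outer double quotes and the single quotes the sample wraps its /tr value in."""
    toks = []
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            tok = tok[1:-1]
        toks.append(tok.strip("'"))
    return toks


def parse_schtasks(parent: str, pid: int, cmdline: str) -> Optional[ScheduledTask]:
    """Return a ScheduledTask for a 'schtasks /create' command line, else None."""
    toks = tokenize(cmdline)
    image = toks[0].lower().rsplit("\\", 1)[-1] if toks else ""
    if len(toks) < 2 or image not in ("schtasks", "schtasks.exe") or toks[1].lower() != "/create":
        return None
    task = ScheduledTask(parent=parent, pid=pid)
    i = 2
    while i < len(toks):
        opt = toks[i].lower()
        val = toks[i + 1] if i + 1 < len(toks) else ""
        if opt == "/tn":
            task.name = val
        elif opt == "/sc":
            task.schedule = val.upper()
        elif opt == "/mo":
            task.modifier = int(val) if val.isdigit() else None
        elif opt == "/tr":
            task.target = val
        elif opt == "/rl":
            task.run_level = val.upper()
        else:                      # /f and any option that takes no value
            task.force = task.force or opt == "/f"
            i += 1
            continue
        i += 2
    return task


def assess(task: ScheduledTask) -> ScheduledTask:
    """Attach findings for the persistence patterns visible in the report."""
    parent_name = task.parent.rsplit("\\", 1)[-1].lower()
    if parent_name in UNEXPECTED_PARENTS:
        task.findings.append(f"spawned by unexpected parent {parent_name}")
    exe_dir, _, exe_name = task.target.lower().rpartition("\\")
    if exe_name in SYSTEM_BINARY_NAMES and not exe_dir.startswith(SYSTEM_DIRS):
        task.findings.append(f"{exe_name} masquerade outside System32: {task.target}")
    if task.run_level == "HIGHEST":
        task.findings.append("runs at highest run level (/rl HIGHEST)")
    if task.schedule == "ONLOGON":
        task.findings.append("logon persistence (/sc ONLOGON)")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= WATCHDOG_MINUTES:
        task.findings.append(f"re-launch every {task.modifier} min (watchdog)")
    return task


def analyze(events) -> List[ScheduledTask]:
    return [assess(t) for t in (parse_schtasks(*e) for e in events) if t is not None]


def persistence_chains(tasks: List[ScheduledTask]) -> dict:
    """Group tasks by dropped target: one entry per implant copy the sample protects."""
    chains = {}
    for t in tasks:
        chains.setdefault(t.target, []).append((t.name, t.schedule, t.modifier, t.run_level))
    return chains


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for t in results:
        print(f"PID {t.pid} task {t.name!r} -> {t.target}")
        for finding in t.findings:
            print("   ", finding)
    for target, entries in persistence_chains(results).items():
        print(f"{len(entries)} tasks guard {target}")
```

Grouping by target shows the structure the nine command lines encode: three implant copies (taskhost.exe under Program Files (x86)\Windows NT, services.exe under C:\Recovery\<guid>, dllhost.exe under C:\Bridgecrt), each guarded by an ONLOGON task plus two MINUTE-interval tasks, with the task names padded by one letter (taskhostt, servicess, dllhostd) to sit beside the legitimate-looking one. The masquerade check keys on the target binary's name and directory rather than the task name, so it still fires if the names are changed.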
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 29B
  MD5: f8f274a07f5224a3f69091f043af146c
  SHA1: 2513dccda5f12624dbb9a13052a2e629936bbab6
  SHA256: 8a6e165c22056fc26e710ade51ec3f299e8aca3c4e43b53cc77b9be60bb3cb24
  SHA512: 0c559ea5231d80976bb21b6ba1f8d788112cf89a8c7c32bb268557711a4d945f718616f9324997b5e59980956b736a1c59fb93ec17280cc7b8ccf3cf81ac298f
- Filesize: 1.3MB
  MD5: a343cf9f611cf1f2ef2a2d373cbdfd2f
  SHA1: f8ede9731b42eeeaabd25860daf7a15191a7110d
  SHA256: c4673884aade477ec758af7be2636fac36cf2d41d5e4993968923c01c50f35ba
  SHA512: c2a1eb1aa23444862c97a3d36761e1d88dd209ddc97d40ca48198492521d56101658603fca769262bbb8bf69b464a29c32f21993566750670d723d531a1acfb9
- Filesize: 214B
  MD5: 285bb3888130afca5f0d63c7a7ddb141
  SHA1: 00c513275ea59c5a70cd1918d3338e307d976e2c
  SHA256: 02eebeb58e57999fcff710e124688a73e0cbd54fbe7d1e8a8ec52c14388944f8
  SHA512: 9b2bd6b921bc0a286a6ad691b64109406e2f2a3bcd8ace294e5b095cb373bd8df463c133cb470674d9bba8db15efabfb7310aa67a93ba89aff010bbddbf5c5d2
- Filesize: 189B
  MD5: 0a14d11ea08bc41955c872c66a5a3510
  SHA1: fcd110b3e0316a648791c2438311fb6b5b40f5a7
  SHA256: 574d721e71e775dfafbad30513d52deef9bf84a84818ce24dd37abe6cfc67217
  SHA512: ab52a265047729217f994fe4316e97e0f329aaa132a42d18ba4e3922324b1a91cf978a82dc541b850b842956895a8dac344b3eb2282633f5a612dfddd019a84d