dcrat | 28811102826496a523a7d4a1ad7e172cdc9cc9e68475e2022884c06daf99fed4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

2.7MB
MD5

a6216891da5db0b3fc6a0b45df02109d
SHA1

fb31e60c08195e8587e9bd8de5ce13832832b7f3
SHA256

28811102826496a523a7d4a1ad7e172cdc9cc9e68475e2022884c06daf99fed4
SHA512

e00276c11a89ded1c29f0629e1735c6aa9c52a80b96d051c9a3e1e5a8d3b595be3653957abb6f5c60c361379c6d387891924237c1d0bcab6013cfee6021b2cae
SSDEEP

49152:UbA30juPXAT7byyJGjvN/WXOTE2xNAJ3CMKplFYhb4k:Ub2PXATvGB/DIoN0hKMH

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\surrogateBrowser\componentperf.exe	dcrat
behavioral1/memory/1652-13-0x0000000000ED0000-0x0000000001140000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

componentperf.exe

pid process

1652 componentperf.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

3052 cmd.exe
3052 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1652	componentperf.exe

pid	process
3052	cmd.exe
3052	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DCRatBuild.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

componentperf.exe

description pid process

Token: SeDebugPrivilege 1652 componentperf.exe

description	pid	process
Token: SeDebugPrivilege	1652	componentperf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DCRatBuild.exeWScript.execmd.exe

description	pid	process	target process
PID 2976 wrote to memory of 1916	2976	DCRatBuild.exe	WScript.exe
PID 2976 wrote to memory of 1916	2976	DCRatBuild.exe	WScript.exe
PID 2976 wrote to memory of 1916	2976	DCRatBuild.exe	WScript.exe
PID 2976 wrote to memory of 1916	2976	DCRatBuild.exe	WScript.exe
PID 1916 wrote to memory of 3052	1916	WScript.exe	cmd.exe
PID 1916 wrote to memory of 3052	1916	WScript.exe	cmd.exe
PID 1916 wrote to memory of 3052	1916	WScript.exe	cmd.exe
PID 1916 wrote to memory of 3052	1916	WScript.exe	cmd.exe
PID 3052 wrote to memory of 1652	3052	cmd.exe	componentperf.exe
PID 3052 wrote to memory of 1652	3052	cmd.exe	componentperf.exe
PID 3052 wrote to memory of 1652	3052	cmd.exe	componentperf.exe
PID 3052 wrote to memory of 1652	3052	cmd.exe	componentperf.exe

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogateBrowser\X0ZR9XyVuCivKGwPlccHfjYM.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\surrogateBrowser\9fi0JvYhY1MK2Tx.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052

C:\surrogateBrowser\componentperf.exe
"C:\surrogateBrowser\componentperf.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\surrogateBrowser\9fi0JvYhY1MK2Tx.bat

Filesize
39B

MD5
cc69ff276bc01cf713869de612989b6e

SHA1
68bf9bcbd1b73b192291e35cb5fc1398362c97b1

SHA256
bc399373baab928a60d2b9e99ef09c1bf87d6978ed27b80aedb83d355d38aa67

SHA512
f6e304dbec4185ff84309d2138f8823c02e8690074fdbfd560d7559b05916d6ab5c820344a5a5006d55236fa19d3338b2ee6d01cbe831ed170fd4bed22772a1c

Download Submit
C:\surrogateBrowser\X0ZR9XyVuCivKGwPlccHfjYM.vbe

Filesize
208B

MD5
0f9b26eeecba44fedf3fe1b2c0b0ff4a

SHA1
d6358f84dafbaa9adf6f341795e9bfaf8fa261cf

SHA256
ed0fa5bb902eb434235ea76cf6204c60632a4cdfd131b2110fed576f1bf7ce39

SHA512
319e5f8ca0341714504b86f878049091e4e6968c5b6a17cb80d54e2763e589c89fb94dff9b3215abf6178733ad6e4e485c51d992950a40bf9ebfa7ef134dad3d

Download Submit
\surrogateBrowser\componentperf.exe

Filesize
2.4MB

MD5
63bd7eb2d20f013248a886ef716416ba

SHA1
fdf7730ecbd60b20f351591a99feba678e8d2936

SHA256
d8b8dd9728ceaef91c2308f5897e2d2d0c375875499c310d425fcef51865bdd0

SHA512
a65c7133caec54e77e0e38a1252b3e6575fc6e6742aba42772d6529fc7a25c4b558cec98d466e7e7eabc0fa4b94c8004042e26ac246f24415c7b98fbede6d5cb

Download Submit
memory/1652-13-0x0000000000ED0000-0x0000000001140000-memory.dmp

Filesize
2.4MB

Download
memory/1652-14-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download