Overview

overview

10

Static

static

10

DCRatBuild442.exe

windows7-x64

10

DCRatBuild442.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2024 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild442.exe

  • Size

    2.9MB

  • MD5

    292f58a4935298fb74af4fc833a79ad3

  • SHA1

    94b7a21cc7b35fc5eb2000e4b52368d678694159

  • SHA256

    59aad546a2a32c7e540e7067d41fd51046f275ce8ca021dfe06f0dd2c1063779

  • SHA512

    e85fefb15b1baa98a5174fee07c44863edaee8fd70f0dc5eddbde6d9e6150f47cfbb1588ecad03937e110efc391204e003481cbaf9d62e3b1f7930459499df90

  • SSDEEP

    49152:ubA3j226JdATMCAhwaYFlxivisjKAjoGuBFhJDgGYWVmt:ubTJdXpYFlI7jKAjoGgTtsX

Score
10/10
dcratcredential_accessdiscoveryevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • DcRat 22 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
    persistence
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild442.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild442.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\j01KoBqau4T1mDZA7pWtHlrYnnCAl.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\tab5JuwN9kJgOdDnrNFIynFDGX.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\SurrogatewinDrivernetsvc\portproviderperf.exe
          "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
          4⤵
          • Modifies WinLogon for persistence
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:312
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OydnWI9JLM.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1716
              • C:\SurrogatewinDrivernetsvc\sysmon.exe
                "C:\SurrogatewinDrivernetsvc\sysmon.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3040
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2a7f087-a05f-43a6-9df4-01b4076429c9.vbs"
                  7⤵
                    PID:2988
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76629452-1600-4789-a245-b5f30a37f4a1.vbs"
                    7⤵
                      PID:4540
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                4⤵
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:4428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2196
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\SurrogatewinDrivernetsvc\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:212
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\SurrogatewinDrivernetsvc\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\SurrogatewinDrivernetsvc\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\SurrogatewinDrivernetsvc\sysmon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\SurrogatewinDrivernetsvc\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\SurrogatewinDrivernetsvc\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1316
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2356
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4980
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1968
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
            PID:1168

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          5
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Browser Information Discovery

          1
          T1217

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\SurrogatewinDrivernetsvc\j01KoBqau4T1mDZA7pWtHlrYnnCAl.vbe
            Filesize

            227B

            MD5

            a82f66b5957fa12988bacfc2a146e74f

            SHA1

            7bb80c16cf4a3c41bfaf26b96a995e15d8f36dc8

            SHA256

            82051126fa338d6116f68371cbf5f928e5beb28336cfefb2f86bc26ac373b725

            SHA512

            b65b81a2c85acf22105ef3e1a35a2069459fbd6c1f3ebae09e5b2cb35f8850bcb9277144d6719dde0814e68a45cc91253f0c5499581bfd63f4ef632467f66e33

            Download Submit

          • C:\SurrogatewinDrivernetsvc\portproviderperf.exe
            Filesize

            2.6MB

            MD5

            7ac6ca71bcba7ca47d157cc70f22c28c

            SHA1

            302ebe2f1f8232c85ab3e0a3fc699de9939ca4f4

            SHA256

            8c2b202bd9eb70b96e26932928ab468f37f2081b0d97ff0f0cc529d60a012a4f

            SHA512

            42c9c6a2518a756bc24691dad6263011bb3d723870bbf97194a087bb3c5a8bd485e0b313511bdc3b70f2c2adda77c419581864c7fbec28bac92498ee3c9aa9a1

            Download Submit

          • C:\SurrogatewinDrivernetsvc\tab5JuwN9kJgOdDnrNFIynFDGX.bat
            Filesize

            162B

            MD5

            e01ef91219b266b14d1ae415d30256d5

            SHA1

            cad006a2efee48fcad1166e7ce3bc118ff139808

            SHA256

            db58b3dde8508ecbe59d938545246355b52d9cdec29f76657b66638c4d7aeeb2

            SHA512

            7826ca4bda02431bff87c7c72bd1ea53bc769b8574302a37445318360326e5a89e309c35dbc8f9981ec35c5067b4a459195b78d0289f5d93f6ec54be4c3f1e7b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\76629452-1600-4789-a245-b5f30a37f4a1.vbs
            Filesize

            490B

            MD5

            e069b7f61c2b64b9f4907b8a2517740f

            SHA1

            ec2697ac693d14f767017f4faac9fd5069b7f91d

            SHA256

            7703387de6be80ee40262315f1efe3bb726c01d7d13ab9fe1263188f1663e62e

            SHA512

            5c15f97e6be7ec32273b2caf2cc06a686b32f1f23971d2279c5de8e0d221c69e55274d6f08d84a827c2a6b448294d5f4e5d5481de20800dd7b35f08f33740cba

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\OydnWI9JLM.bat
            Filesize

            203B

            MD5

            81d8f17e39bd96aabb5808719b14829d

            SHA1

            e85fb6e9dd4bf1cf26612878d77d7ea8dd8f73b3

            SHA256

            ca93a6e835a4cf7d64a3457d03aa1ac840e9b2b2865cb863190be0e496733cee

            SHA512

            1364af1673bb2f7ed6c8c7559f191d97bd59d0e85f7b4a37b2c78b4330a1c8f394d80be4a193337a8b0207af515c01594e3cb5951013a092468bb49cbb516e87

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d2a7f087-a05f-43a6-9df4-01b4076429c9.vbs
            Filesize

            714B

            MD5

            a7fe3e107bbaedc9ca3a8a5162746736

            SHA1

            7a98941b01d62c5d57d164f18dda62ce2c1c6fd0

            SHA256

            89b194170fb560eed60353d2a4067beda0b793a2ce9ddd69e2b110aa3b004ca9

            SHA512

            341160f9c9a2000cf2c4e1e50de83ce5c05bc46ccf67c64f3e22111ce904baeff38bef316cf2424652000ccba0fe7169951cb084eb1c3603c017df71f2f11d66

            Download Submit

          • memory/312-21-0x000000001BC70000-0x000000001BCC6000-memory.dmp

            Filesize

            344KB

            Download

          • memory/312-26-0x000000001BF70000-0x000000001BF78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/312-17-0x000000001BBD0000-0x000000001BBE6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/312-18-0x0000000002CE0000-0x0000000002CE8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/312-19-0x000000001BC00000-0x000000001BC0C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/312-20-0x000000001BBF0000-0x000000001BBFA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/312-15-0x000000001BC20000-0x000000001BC70000-memory.dmp

            Filesize

            320KB

            Download

          • memory/312-22-0x000000001BC10000-0x000000001BC22000-memory.dmp

            Filesize

            72KB

            Download

          • memory/312-23-0x000000001C5F0000-0x000000001CB18000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/312-25-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/312-24-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/312-16-0x00000000013D0000-0x00000000013D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/312-30-0x000000001BF20000-0x000000001BF2A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/312-31-0x000000001BF30000-0x000000001BF3C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/312-29-0x000000001BF10000-0x000000001BF18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/312-28-0x000000001BE00000-0x000000001BE0E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/312-27-0x000000001BF80000-0x000000001BF8A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/312-14-0x00000000013B0000-0x00000000013CC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/312-12-0x00007FFCD2D83000-0x00007FFCD2D85000-memory.dmp

            Filesize

            8KB

            Download

          • memory/312-13-0x00000000007D0000-0x0000000000A76000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/3040-55-0x000000001B110000-0x000000001B122000-memory.dmp

            Filesize

            72KB

            Download