dcrat | 7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a

Analysis

max time kernel
119s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/10/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
Size

3.8MB
MD5

c9e9ee7477dd04ce2017fc1402f5461c
SHA1

22154f137d253bfe5e135859c9a26778a64391fc
SHA256

7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a
SHA512

67339aea037be21b8f043d0ff84bbb6013de59bd435a9945837a983001d44a804ae864fbf68695d52829681634d4a903debc5ebbb8b8e6f7770ee6ab923616b8
SSDEEP

98304:ytU7z9qNUzrsxu3CFZZK8USGlV8ajG1SN6QSi:y0zgQyFavJlQ1ScQf

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 2 IoCs

pid	Process
2780	BridgeproviderComponentFontcrt.exe
2000	BridgeproviderComponentFontcrt.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	cmd.exe
2604	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
620	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
620	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe
2780	BridgeproviderComponentFontcrt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	BridgeproviderComponentFontcrt.exe
Token: SeDebugPrivilege	2000	BridgeproviderComponentFontcrt.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1676	1048	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	28
PID 1048 wrote to memory of 1676	1048	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	28
PID 1048 wrote to memory of 1676	1048	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	28
PID 1048 wrote to memory of 1676	1048	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	28
PID 1676 wrote to memory of 2604	1676	WScript.exe	31
PID 1676 wrote to memory of 2604	1676	WScript.exe	31
PID 1676 wrote to memory of 2604	1676	WScript.exe	31
PID 1676 wrote to memory of 2604	1676	WScript.exe	31
PID 2604 wrote to memory of 2780	2604	cmd.exe	33
PID 2604 wrote to memory of 2780	2604	cmd.exe	33
PID 2604 wrote to memory of 2780	2604	cmd.exe	33
PID 2604 wrote to memory of 2780	2604	cmd.exe	33
PID 2780 wrote to memory of 2248	2780	BridgeproviderComponentFontcrt.exe	34
PID 2780 wrote to memory of 2248	2780	BridgeproviderComponentFontcrt.exe	34
PID 2780 wrote to memory of 2248	2780	BridgeproviderComponentFontcrt.exe	34
PID 2248 wrote to memory of 1424	2248	cmd.exe	36
PID 2248 wrote to memory of 1424	2248	cmd.exe	36
PID 2248 wrote to memory of 1424	2248	cmd.exe	36
PID 2248 wrote to memory of 620	2248	cmd.exe	37
PID 2248 wrote to memory of 620	2248	cmd.exe	37
PID 2248 wrote to memory of 620	2248	cmd.exe	37
PID 2248 wrote to memory of 2000	2248	cmd.exe	38
PID 2248 wrote to memory of 2000	2248	cmd.exe	38
PID 2248 wrote to memory of 2000	2248	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
"C:\Users\Admin\AppData\Local\Temp\7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mscomContaineragent\1ggcrtMDOIpDj6NMU6zi0PNdec8GZE6fRcycTIRnqa8yg5np31k.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\mscomContaineragent\K4TsmH6x0L8c7gsd2xa978PfuccU.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\mscomContaineragent\BridgeproviderComponentFontcrt.exe
      "C:\mscomContaineragent/BridgeproviderComponentFontcrt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fEQF0Yjcf1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1424
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:620
      - C:\Users\Default User\BridgeproviderComponentFontcrt.exe
        
        "C:\Users\Default User\BridgeproviderComponentFontcrt.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fEQF0Yjcf1.bat

Filesize
184B

MD5
9d2f0a75f3e5a1e088d434be187f8b78

SHA1
0e2bb75105768055715fd9f2f4a1bd95e25f3e1d

SHA256
485b4cc2c2eb759ce4446ecea6278395420f053b3d61d4bbd43c706709fb94b1

SHA512
a84d08372ff49b205dca78818574f424500c5c1941e6be3f79c48356e757ea8882a3d5698a463c380023b68872bb661ff2fd833e5d986f3eaece824bb6581053

Download Submit
C:\mscomContaineragent\1ggcrtMDOIpDj6NMU6zi0PNdec8GZE6fRcycTIRnqa8yg5np31k.vbe

Filesize
226B

MD5
b2082877b156a0ca794cffb107e5ecc7

SHA1
4bb42e5b58e22dcfca31a5472b7b37c8e65aa10e

SHA256
ae25630353f248e39628b3907ac7c04963d8845b91b89407220a43c937b9940e

SHA512
921d0d0a86fddedddc808d0857d93865f945c8223bf383488b448d4c8a16458115f4cba79458200b869e7509a4b479884b5737a43dbe7ac4e5d78c6122a37e29

Download Submit
C:\mscomContaineragent\K4TsmH6x0L8c7gsd2xa978PfuccU.bat

Filesize
96B

MD5
35ba19fb2b11c866b8d4773346a37893

SHA1
615381c6049330cf8f95ca448aa2392975e6fd7a

SHA256
a346464ac38f295ad906b30b7580d3327ae07177d9adf69d526d1cca86a12d74

SHA512
dbd66630d9c40c0cb4aa366c9dc2f2b414eb4de06a703ff1c597d71aa30bdc17070ebca68d560833c87463f1324e2e384f25ed1ea4ea18ce0fee4a0c18286365

Download Submit
\mscomContaineragent\BridgeproviderComponentFontcrt.exe

Filesize
3.5MB

MD5
929a6474e168c22b27c44a6c5bafb212

SHA1
5dc664e00f4cee7846f32452c7d0dbbca928b827

SHA256
5526fe46db69e08ceee75db8b8890f584dd44416586e13f57c57995407e74430

SHA512
0edd7b848d664fa99c16ea4b549460eca75c43602c73eef07efa8169b68451e1b68cd7c1c3dce3bab12adda555184d1e24e13b7961f6f08fbbb42b1b84e55dfe

Download Submit
memory/2000-76-0x00000000002F0000-0x000000000067E000-memory.dmp

Filesize
3.6MB

Download
memory/2780-35-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/2780-39-0x0000000000660000-0x000000000066E000-memory.dmp

Filesize
56KB

Download
memory/2780-21-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2780-23-0x00000000004A0000-0x00000000004B8000-memory.dmp

Filesize
96KB

Download
memory/2780-25-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2780-27-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2780-29-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2780-31-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2780-33-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2780-17-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2780-37-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2780-19-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2780-41-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2780-43-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2780-45-0x0000000002510000-0x000000000256A000-memory.dmp

Filesize
360KB

Download
memory/2780-47-0x0000000000B20000-0x0000000000B2E000-memory.dmp

Filesize
56KB

Download
memory/2780-49-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2780-51-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2780-53-0x0000000000BF0000-0x0000000000C08000-memory.dmp

Filesize
96KB

Download
memory/2780-55-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2780-57-0x000000001AAC0000-0x000000001AB0E000-memory.dmp

Filesize
312KB

Download
memory/2780-15-0x0000000000450000-0x0000000000476000-memory.dmp

Filesize
152KB

Download
memory/2780-13-0x0000000000C80000-0x000000000100E000-memory.dmp

Filesize
3.6MB

Download