dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

Analysis

max time kernel
1363s
max time network
1426s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-10-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

StartMenuExperienceHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	StartMenuExperienceHost.exe

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	5088	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	5088	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	5088	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	5088	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	5088	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	5088	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2116	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2116	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2116	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	2116	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2116	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	2116	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2116	schtasks.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2116	schtasks.exe	99

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral3/files/0x00290000000450c0-7.dat	dcrat
behavioral3/files/0x00280000000450c7-29.dat	dcrat
behavioral3/memory/4180-31-0x0000000000C70000-0x0000000000D46000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XBinderOutput(1).exekendalcp.exeWScript.exereviewDll.exeStartMenuExperienceHost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	XBinderOutput(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	kendalcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	reviewDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 4 IoCs

Processes:

kendalcp.exereviewDll.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid	Process
1148	kendalcp.exe
4180	reviewDll.exe
1144	StartMenuExperienceHost.exe
580	StartMenuExperienceHost.exe

Drops file in Program Files directory 2 IoCs

Processes:

reviewDll.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows Media Player\55b276f4edf653	reviewDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kendalcp.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

Processes:

kendalcp.exereviewDll.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	kendalcp.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	reviewDll.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2236	schtasks.exe
4196	schtasks.exe
1708	schtasks.exe
1328	schtasks.exe
3144	schtasks.exe
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

reviewDll.exeStartMenuExperienceHost.exe

pid	Process
4180	reviewDll.exe
1144	StartMenuExperienceHost.exe
1144	StartMenuExperienceHost.exe
1144	StartMenuExperienceHost.exe
1144	StartMenuExperienceHost.exe
1144	StartMenuExperienceHost.exe
1144	StartMenuExperienceHost.exe
1144	StartMenuExperienceHost.exe
1144	StartMenuExperienceHost.exe
1144	StartMenuExperienceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid	Process
1144	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

reviewDll.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	pid	Process
Token: SeDebugPrivilege	4180	reviewDll.exe
Token: SeDebugPrivilege	1144	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	580	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

XBinderOutput(1).exekendalcp.exeWScript.execmd.exereviewDll.execmd.exeStartMenuExperienceHost.execmd.exe

description	pid	Process	procid_target
PID 4220 wrote to memory of 1148	4220	XBinderOutput(1).exe	81
PID 4220 wrote to memory of 1148	4220	XBinderOutput(1).exe	81
PID 4220 wrote to memory of 1148	4220	XBinderOutput(1).exe	81
PID 1148 wrote to memory of 4520	1148	kendalcp.exe	82
PID 1148 wrote to memory of 4520	1148	kendalcp.exe	82
PID 1148 wrote to memory of 4520	1148	kendalcp.exe	82
PID 4520 wrote to memory of 976	4520	WScript.exe	83
PID 4520 wrote to memory of 976	4520	WScript.exe	83
PID 4520 wrote to memory of 976	4520	WScript.exe	83
PID 976 wrote to memory of 4180	976	cmd.exe	85
PID 976 wrote to memory of 4180	976	cmd.exe	85
PID 4180 wrote to memory of 3768	4180	reviewDll.exe	93
PID 4180 wrote to memory of 3768	4180	reviewDll.exe	93
PID 3768 wrote to memory of 4932	3768	cmd.exe	95
PID 3768 wrote to memory of 4932	3768	cmd.exe	95
PID 3768 wrote to memory of 1144	3768	cmd.exe	96
PID 3768 wrote to memory of 1144	3768	cmd.exe	96
PID 1144 wrote to memory of 1308	1144	StartMenuExperienceHost.exe	108
PID 1144 wrote to memory of 1308	1144	StartMenuExperienceHost.exe	108
PID 1308 wrote to memory of 2596	1308	cmd.exe	110
PID 1308 wrote to memory of 2596	1308	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4932
        
        C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDll" /f
1⤵
- Process spawned unexpected child process
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDllr" /f
1⤵
- Process spawned unexpected child process
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "StartMenuExperienceHost" /f
1⤵
- Process spawned unexpected child process
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "StartMenuExperienceHostS" /f
1⤵
- Process spawned unexpected child process
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "StartMenuExperienceHost" /f
1⤵
- Process spawned unexpected child process
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "StartMenuExperienceHostS" /f
1⤵
- Process spawned unexpected child process
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\55b276f4edf653

Filesize
454B

MD5
68a4151acd6a226e67f3fde27598d7c5

SHA1
04ad64cd9d6c763bea841560cd11bce8120a63f3

SHA256
7f854129cbbdda8037b2fccfe3442c1474dc37af3de01ce83ef44db7a9141b40

SHA512
036c29754464dc8f3897c10441427de3f892dcc55bf4c448b79931a3dac7eba9839f370864e18a6454a3e31200d5665c270c948dc41474439e402ff29066f083

Download Submit
C:\Recovery\WindowsRE\6ccacd8608530f

Filesize
767B

MD5
9b8fbe96795b2e6b2bf8d78084227ab4

SHA1
65784b3e619d73d217466c09e96fd0e096fb0b34

SHA256
bf28d75a0088a5ff20ba9c3e9b61d778395a1bc5090869dfc0401049d7fc621d

SHA512
8a112dbb772ba143b021790738e2230d10756bac792f272efe324b37f6968c7de537da5c0d21c1d9ed3ab38ce2d764adf6e241e45324d19b948a8e645d7f20a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat

Filesize
236B

MD5
cb85e6014b7dc93e36912f4442ffcd60

SHA1
c36319ca5cdab6527d621c8e5a27a020bfb9b58a

SHA256
0fde4df1b7d18bbb9f8d6de1762937b30455960abb9ba4ac18b5fffa0211bbd4

SHA512
7e7d6e8ae2e808843d0ad5c001b02dd96a13fa2fb593b0531cc9352d97db400c6dfd865ab2a5a7d60a593422caa785930598ae654edd456adb916b63172667d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
315B

MD5
a2ce97d9fcb95f3e5b6e7d7e4176b340

SHA1
88fb55ddfce433a2534fb22b983656c2beefcd09

SHA256
7fc73835f394f365076a83bc951532b27cb16bc79f0b5716951da17bf13e9b48

SHA512
5d63e98b75195e5ccccac17a9c90bdc451ad78fded426039681bab91a8531f71b97cf366354bf4b678a6659cca922a77dfce9163758c7ef0d188e9d988855e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/4180-31-0x0000000000C70000-0x0000000000D46000-memory.dmp

Filesize
856KB

Download
memory/4220-0-0x00007FFACEAB3000-0x00007FFACEAB5000-memory.dmp

Filesize
8KB

Download
memory/4220-14-0x00007FFACEAB0000-0x00007FFACF572000-memory.dmp

Filesize
10.8MB

Download
memory/4220-10-0x00007FFACEAB0000-0x00007FFACF572000-memory.dmp

Filesize
10.8MB

Download
memory/4220-1-0x0000000000D10000-0x0000000000DAE000-memory.dmp

Filesize
632KB

Download