dcrat | bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e

Analysis

max time kernel
133s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D1E1AE8DCED915651E8F1DB114C073EA.exe
Size

2.8MB
MD5

d1e1ae8dced915651e8f1db114c073ea
SHA1

ae0f6cd564fd95889eb166c54bee37567f27add4
SHA256

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e
SHA512

e0ff5e949117808d631680a27d27483679f174a6cedcdf16f0e2c1bb479144c6c59c7754ef7eb8aa65a0562c624ed06864dc8ad9d0e2c53428bbcc0b6cd6c2ad
SSDEEP

49152:qR5omlL3SICIhCj3q4Hdliu/syu/m4cq1Inf6ZkYU6wUd9D9+tho51N009:qR5oiiICy8HTiuPiR1If6iYUMmy51yO

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x000500000001878c-63.dat	family_dcrat_v2
behavioral1/memory/2172-66-0x0000000000290000-0x000000000035A000-memory.dmp	family_dcrat_v2
behavioral1/memory/1952-94-0x0000000001140000-0x000000000120A000-memory.dmp	family_dcrat_v2

Executes dropped EXE 8 IoCs

pid	Process
2284	7z.exe
2816	7z.exe
2736	7z.exe
1920	7z.exe
2640	7z.exe
2656	7z.exe
2172	Installer.exe
1952	lsass.exe

Loads dropped DLL 12 IoCs

pid	Process
2120	cmd.exe
2284	7z.exe
2120	cmd.exe
2816	7z.exe
2120	cmd.exe
2736	7z.exe
2120	cmd.exe
1920	7z.exe
2120	cmd.exe
2640	7z.exe
2120	cmd.exe
2656	7z.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\wininit.exe	Installer.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\56085415360792	Installer.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Installer.exe	Installer.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\d963b2d1f922ee	Installer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ja-JP\services.exe	Installer.exe
File created	C:\Windows\ja-JP\c5b4cb5e9653cc	Installer.exe
File created	C:\Windows\ja-JP\services.exe	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D1E1AE8DCED915651E8F1DB114C073EA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe
2172	Installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1952	lsass.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeRestorePrivilege	2284	7z.exe
Token: 35	2284	7z.exe
Token: SeSecurityPrivilege	2284	7z.exe
Token: SeSecurityPrivilege	2284	7z.exe
Token: SeRestorePrivilege	2816	7z.exe
Token: 35	2816	7z.exe
Token: SeSecurityPrivilege	2816	7z.exe
Token: SeSecurityPrivilege	2816	7z.exe
Token: SeRestorePrivilege	2736	7z.exe
Token: 35	2736	7z.exe
Token: SeSecurityPrivilege	2736	7z.exe
Token: SeSecurityPrivilege	2736	7z.exe
Token: SeRestorePrivilege	1920	7z.exe
Token: 35	1920	7z.exe
Token: SeSecurityPrivilege	1920	7z.exe
Token: SeSecurityPrivilege	1920	7z.exe
Token: SeRestorePrivilege	2640	7z.exe
Token: 35	2640	7z.exe
Token: SeSecurityPrivilege	2640	7z.exe
Token: SeSecurityPrivilege	2640	7z.exe
Token: SeRestorePrivilege	2656	7z.exe
Token: 35	2656	7z.exe
Token: SeSecurityPrivilege	2656	7z.exe
Token: SeSecurityPrivilege	2656	7z.exe
Token: SeDebugPrivilege	2172	Installer.exe
Token: SeDebugPrivilege	1952	lsass.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2120	2360	D1E1AE8DCED915651E8F1DB114C073EA.exe	30
PID 2360 wrote to memory of 2120	2360	D1E1AE8DCED915651E8F1DB114C073EA.exe	30
PID 2360 wrote to memory of 2120	2360	D1E1AE8DCED915651E8F1DB114C073EA.exe	30
PID 2360 wrote to memory of 2120	2360	D1E1AE8DCED915651E8F1DB114C073EA.exe	30
PID 2120 wrote to memory of 2752	2120	cmd.exe	32
PID 2120 wrote to memory of 2752	2120	cmd.exe	32
PID 2120 wrote to memory of 2752	2120	cmd.exe	32
PID 2120 wrote to memory of 2284	2120	cmd.exe	33
PID 2120 wrote to memory of 2284	2120	cmd.exe	33
PID 2120 wrote to memory of 2284	2120	cmd.exe	33
PID 2120 wrote to memory of 2816	2120	cmd.exe	34
PID 2120 wrote to memory of 2816	2120	cmd.exe	34
PID 2120 wrote to memory of 2816	2120	cmd.exe	34
PID 2120 wrote to memory of 2736	2120	cmd.exe	35
PID 2120 wrote to memory of 2736	2120	cmd.exe	35
PID 2120 wrote to memory of 2736	2120	cmd.exe	35
PID 2120 wrote to memory of 1920	2120	cmd.exe	36
PID 2120 wrote to memory of 1920	2120	cmd.exe	36
PID 2120 wrote to memory of 1920	2120	cmd.exe	36
PID 2120 wrote to memory of 2640	2120	cmd.exe	37
PID 2120 wrote to memory of 2640	2120	cmd.exe	37
PID 2120 wrote to memory of 2640	2120	cmd.exe	37
PID 2120 wrote to memory of 2656	2120	cmd.exe	38
PID 2120 wrote to memory of 2656	2120	cmd.exe	38
PID 2120 wrote to memory of 2656	2120	cmd.exe	38
PID 2120 wrote to memory of 2732	2120	cmd.exe	39
PID 2120 wrote to memory of 2732	2120	cmd.exe	39
PID 2120 wrote to memory of 2732	2120	cmd.exe	39
PID 2120 wrote to memory of 2172	2120	cmd.exe	40
PID 2120 wrote to memory of 2172	2120	cmd.exe	40
PID 2120 wrote to memory of 2172	2120	cmd.exe	40
PID 2172 wrote to memory of 1992	2172	Installer.exe	41
PID 2172 wrote to memory of 1992	2172	Installer.exe	41
PID 2172 wrote to memory of 1992	2172	Installer.exe	41
PID 1992 wrote to memory of 536	1992	cmd.exe	43
PID 1992 wrote to memory of 536	1992	cmd.exe	43
PID 1992 wrote to memory of 536	1992	cmd.exe	43
PID 1992 wrote to memory of 596	1992	cmd.exe	44
PID 1992 wrote to memory of 596	1992	cmd.exe	44
PID 1992 wrote to memory of 596	1992	cmd.exe	44
PID 1992 wrote to memory of 1952	1992	cmd.exe	45
PID 1992 wrote to memory of 1952	1992	cmd.exe	45
PID 1992 wrote to memory of 1952	1992	cmd.exe	45

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\D1E1AE8DCED915651E8F1DB114C073EA.exe
"C:\Users\Admin\AppData\Local\Temp\D1E1AE8DCED915651E8F1DB114C073EA.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p237578392143213652313078912 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HSOpHse4vt.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:536
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:596
    - - C:\Users\Default User\lsass.exe
        
        "C:\Users\Default User\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HSOpHse4vt.bat

Filesize
207B

MD5
74ffffd7b1fb0e87b98e51d83ea8f0b9

SHA1
0d3a1d0636c00c1423499c09938d73ec61ce6411

SHA256
9cb751ccff40061a3d735c54bbe875ce0314b0785c0c767db59580ab4f86d724

SHA512
1f66b469730c971fb45374e74d9cf5ed57becdfc9c760be66c90f03a5905ac1643155cbaa512ea8ea88fa4ca61e48cfb6fbde7af764eb527c6802952a055b509

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
7e703968b4e13722892cf227f37b392d

SHA1
4eba1cbed7b31cdb2ffc9ee7c200bd977af068b0

SHA256
965d0ba59eb90d3b89212ab5d7d02ecd5712feb91eee7bf9e82303d872341953

SHA512
74099ed995ce1b92a95243cebfefbcb32e660468032d12c65437e412ebfb2d23efdf6a6ea7158e06e2574775258862307143efd9ff662b1587e97383f87e299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
785KB

MD5
acdd5f8a230ebcf456977ac3d1ea6eca

SHA1
e0a985b5c9e99d3b1e1141938afeecdc02811946

SHA256
45fc98c0fe74f360e57e80e42142c4d5745652c198b298ca7f8ecf4dba560c21

SHA512
5372fc4ed4ff8cb54f2139e552c7710f2ad8b4f59bc5743d02a1830a98f2c45553bf807545bf6c93952ae786bc1bd9eb480b98ddf5c924dcc0f5aef9abee2f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
315KB

MD5
55a752087f41b97f460d16cd084c1e5d

SHA1
9b1379a8d2fba0322e4ca6274b609d032d703efc

SHA256
47b472974b1d440f6754b09fb0f053d11deb10734cb60a69d2c7bcbdb9ddd4f6

SHA512
22d00f24358854bb79dfe244e9033e14969fe1181a9adff9f4be56864af401da821b2087ef0e9c03419f097d4d21451b290bc5243a015f95844094c6bcb913e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
315KB

MD5
99941e921b39fbdbbad43c87f518488a

SHA1
6413ddd612ba05a330761c6d0ecec67e6f08b557

SHA256
d521a8feb747997745848003e56981246828cc02f2534c7620442886c38d30a3

SHA512
502b30672bc20713e3a0e8d28c1d649b24301f067367fd41e086deb55daf90da86665771ca0fedb07ed637deb10f789717c3377261ec96d6f6d4c4d88ce504a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
315KB

MD5
6a9bd1c18b86241e8752bd9d1a9fcdc5

SHA1
77cc56608cc38c8e1295299af82eb661ae8b41bf

SHA256
0285293c2c4829281fdc81ce4e1755425ed884364883008b608dca0d0421914b

SHA512
a1f2ed6c9e63ddfc8897b494593f8188a91b217e92509caca8f92f47184b1212bc1ec5e8885aa8f4e8076e081ff85278107101b45d476fbc3d12494082735807

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
316KB

MD5
45b44488f58e268aee145714065d01b1

SHA1
57d788efaa8e83d909a2bfd54fe735925818c574

SHA256
fae5dc0c1e2965b4e1f156e27ebfae84a5a392a9c1d238c023f4635c520815e0

SHA512
54c2144629f75d4e1d563270cc206ec568bf844ff66634626153797c1ea47224928301defc13823b2d79de861302e2b69b753e88b99b7c852fbb85f736cdbc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.9MB

MD5
1b7169f7136811025acefcbd57c4c3aa

SHA1
6b0ce940277dc6573248ee817a17101d0c8e8d82

SHA256
b02e6aa68ee324b379a371f1f28960fabad6a7d3aef1bb7ca9e47e96f86ee55e

SHA512
aed911a939ea65f2700ecb9493cb53ca2966538ff343c0145961ba5d343f1a94e136d70bac0b25cc21e6c22d51ecd6edd7177c96e751c417c317c3f967488b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.9MB

MD5
3ca63b69b8fecf3105fe03db79fe485e

SHA1
299b02bc2ea3534300304afdc2fcdede1c50aaae

SHA256
143aedd2b9be4342531a716d6c06e57ed02cd3e6fd0e61a5f0b810754b3d8931

SHA512
185f0c807b895da4a46e06f540fbca3d93a38d42d7c5667925ca012cd67852fff5d2de0aa8eb75a29ac8f069fd7d6d7349ac3d81174c2d61495eac99985c5024

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
888d8edcc3b71e613ea61ea10c012783

SHA1
a5985a3a80b00287e7987262c5d452c4c5e92cfe

SHA256
4a0ebfb38b6023319aee0249a2616a9153db091dcb8abb5189c165c0b3f47c3e

SHA512
5d49219c24df5e88d66e704a9315e2015787a68f085bb6f2cf548abb96137e329ef5d551e9b2417df04392102824e0ac0e024809ed6088d8e429557a43e2b554

Download Submit
memory/1952-94-0x0000000001140000-0x000000000120A000-memory.dmp

Filesize
808KB

Download
memory/2172-66-0x0000000000290000-0x000000000035A000-memory.dmp

Filesize
808KB

Download
memory/2172-68-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2172-70-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2172-72-0x0000000000530000-0x0000000000548000-memory.dmp

Filesize
96KB

Download
memory/2172-74-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2172-76-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download