dcrat | bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e

Analysis

max time kernel
131s
max time network
154s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D1E1AE8DCED915651E8F1DB114C073EA.exe
Size

2.8MB
MD5

d1e1ae8dced915651e8f1db114c073ea
SHA1

ae0f6cd564fd95889eb166c54bee37567f27add4
SHA256

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e
SHA512

e0ff5e949117808d631680a27d27483679f174a6cedcdf16f0e2c1bb479144c6c59c7754ef7eb8aa65a0562c624ed06864dc8ad9d0e2c53428bbcc0b6cd6c2ad
SSDEEP

49152:qR5omlL3SICIhCj3q4Hdliu/syu/m4cq1Inf6ZkYU6wUd9D9+tho51N009:qR5oiiICy8HTiuPiR1If6iYUMmy51yO

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x000600000001755b-63.dat	family_dcrat_v2
behavioral1/memory/1048-66-0x0000000000300000-0x00000000003CA000-memory.dmp	family_dcrat_v2
behavioral1/memory/1660-94-0x00000000001B0000-0x000000000027A000-memory.dmp	family_dcrat_v2

Executes dropped EXE 8 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeaudiodg.exe

pid	Process
2860	7z.exe
2976	7z.exe
2712	7z.exe
2980	7z.exe
2420	7z.exe
2704	7z.exe
1048	Installer.exe
1660	audiodg.exe

Loads dropped DLL 12 IoCs

Processes:

cmd.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	Process
2664	cmd.exe
2860	7z.exe
2664	cmd.exe
2976	7z.exe
2664	cmd.exe
2712	7z.exe
2664	cmd.exe
2980	7z.exe
2664	cmd.exe
2420	7z.exe
2664	cmd.exe
2704	7z.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

D1E1AE8DCED915651E8F1DB114C073EA.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D1E1AE8DCED915651E8F1DB114C073EA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Installer.exe

pid	Process
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe
1048	Installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

audiodg.exe

pid	Process
1660	audiodg.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeaudiodg.exe

description	pid	Process
Token: SeRestorePrivilege	2860	7z.exe
Token: 35	2860	7z.exe
Token: SeSecurityPrivilege	2860	7z.exe
Token: SeSecurityPrivilege	2860	7z.exe
Token: SeRestorePrivilege	2976	7z.exe
Token: 35	2976	7z.exe
Token: SeSecurityPrivilege	2976	7z.exe
Token: SeSecurityPrivilege	2976	7z.exe
Token: SeRestorePrivilege	2712	7z.exe
Token: 35	2712	7z.exe
Token: SeSecurityPrivilege	2712	7z.exe
Token: SeSecurityPrivilege	2712	7z.exe
Token: SeRestorePrivilege	2980	7z.exe
Token: 35	2980	7z.exe
Token: SeSecurityPrivilege	2980	7z.exe
Token: SeSecurityPrivilege	2980	7z.exe
Token: SeRestorePrivilege	2420	7z.exe
Token: 35	2420	7z.exe
Token: SeSecurityPrivilege	2420	7z.exe
Token: SeSecurityPrivilege	2420	7z.exe
Token: SeRestorePrivilege	2704	7z.exe
Token: 35	2704	7z.exe
Token: SeSecurityPrivilege	2704	7z.exe
Token: SeSecurityPrivilege	2704	7z.exe
Token: SeDebugPrivilege	1048	Installer.exe
Token: SeDebugPrivilege	1660	audiodg.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

D1E1AE8DCED915651E8F1DB114C073EA.execmd.exeInstaller.execmd.exe

description	pid	Process	procid_target
PID 2672 wrote to memory of 2664	2672	D1E1AE8DCED915651E8F1DB114C073EA.exe	31
PID 2672 wrote to memory of 2664	2672	D1E1AE8DCED915651E8F1DB114C073EA.exe	31
PID 2672 wrote to memory of 2664	2672	D1E1AE8DCED915651E8F1DB114C073EA.exe	31
PID 2672 wrote to memory of 2664	2672	D1E1AE8DCED915651E8F1DB114C073EA.exe	31
PID 2664 wrote to memory of 1580	2664	cmd.exe	33
PID 2664 wrote to memory of 1580	2664	cmd.exe	33
PID 2664 wrote to memory of 1580	2664	cmd.exe	33
PID 2664 wrote to memory of 2860	2664	cmd.exe	34
PID 2664 wrote to memory of 2860	2664	cmd.exe	34
PID 2664 wrote to memory of 2860	2664	cmd.exe	34
PID 2664 wrote to memory of 2976	2664	cmd.exe	35
PID 2664 wrote to memory of 2976	2664	cmd.exe	35
PID 2664 wrote to memory of 2976	2664	cmd.exe	35
PID 2664 wrote to memory of 2712	2664	cmd.exe	36
PID 2664 wrote to memory of 2712	2664	cmd.exe	36
PID 2664 wrote to memory of 2712	2664	cmd.exe	36
PID 2664 wrote to memory of 2980	2664	cmd.exe	37
PID 2664 wrote to memory of 2980	2664	cmd.exe	37
PID 2664 wrote to memory of 2980	2664	cmd.exe	37
PID 2664 wrote to memory of 2420	2664	cmd.exe	38
PID 2664 wrote to memory of 2420	2664	cmd.exe	38
PID 2664 wrote to memory of 2420	2664	cmd.exe	38
PID 2664 wrote to memory of 2704	2664	cmd.exe	39
PID 2664 wrote to memory of 2704	2664	cmd.exe	39
PID 2664 wrote to memory of 2704	2664	cmd.exe	39
PID 2664 wrote to memory of 2784	2664	cmd.exe	40
PID 2664 wrote to memory of 2784	2664	cmd.exe	40
PID 2664 wrote to memory of 2784	2664	cmd.exe	40
PID 2664 wrote to memory of 1048	2664	cmd.exe	41
PID 2664 wrote to memory of 1048	2664	cmd.exe	41
PID 2664 wrote to memory of 1048	2664	cmd.exe	41
PID 1048 wrote to memory of 2060	1048	Installer.exe	42
PID 1048 wrote to memory of 2060	1048	Installer.exe	42
PID 1048 wrote to memory of 2060	1048	Installer.exe	42
PID 2060 wrote to memory of 1996	2060	cmd.exe	44
PID 2060 wrote to memory of 1996	2060	cmd.exe	44
PID 2060 wrote to memory of 1996	2060	cmd.exe	44
PID 2060 wrote to memory of 2376	2060	cmd.exe	45
PID 2060 wrote to memory of 2376	2060	cmd.exe	45
PID 2060 wrote to memory of 2376	2060	cmd.exe	45
PID 2060 wrote to memory of 1660	2060	cmd.exe	46
PID 2060 wrote to memory of 1660	2060	cmd.exe	46
PID 2060 wrote to memory of 1660	2060	cmd.exe	46

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\D1E1AE8DCED915651E8F1DB114C073EA.exe
"C:\Users\Admin\AppData\Local\Temp\D1E1AE8DCED915651E8F1DB114C073EA.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p237578392143213652313078912 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:2784
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJvuNRsFW8.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1996
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2376
    - - C:\MSOCache\All Users\audiodg.exe
        
        "C:\MSOCache\All Users\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
7e703968b4e13722892cf227f37b392d

SHA1
4eba1cbed7b31cdb2ffc9ee7c200bd977af068b0

SHA256
965d0ba59eb90d3b89212ab5d7d02ecd5712feb91eee7bf9e82303d872341953

SHA512
74099ed995ce1b92a95243cebfefbcb32e660468032d12c65437e412ebfb2d23efdf6a6ea7158e06e2574775258862307143efd9ff662b1587e97383f87e299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
785KB

MD5
acdd5f8a230ebcf456977ac3d1ea6eca

SHA1
e0a985b5c9e99d3b1e1141938afeecdc02811946

SHA256
45fc98c0fe74f360e57e80e42142c4d5745652c198b298ca7f8ecf4dba560c21

SHA512
5372fc4ed4ff8cb54f2139e552c7710f2ad8b4f59bc5743d02a1830a98f2c45553bf807545bf6c93952ae786bc1bd9eb480b98ddf5c924dcc0f5aef9abee2f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
315KB

MD5
55a752087f41b97f460d16cd084c1e5d

SHA1
9b1379a8d2fba0322e4ca6274b609d032d703efc

SHA256
47b472974b1d440f6754b09fb0f053d11deb10734cb60a69d2c7bcbdb9ddd4f6

SHA512
22d00f24358854bb79dfe244e9033e14969fe1181a9adff9f4be56864af401da821b2087ef0e9c03419f097d4d21451b290bc5243a015f95844094c6bcb913e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
315KB

MD5
99941e921b39fbdbbad43c87f518488a

SHA1
6413ddd612ba05a330761c6d0ecec67e6f08b557

SHA256
d521a8feb747997745848003e56981246828cc02f2534c7620442886c38d30a3

SHA512
502b30672bc20713e3a0e8d28c1d649b24301f067367fd41e086deb55daf90da86665771ca0fedb07ed637deb10f789717c3377261ec96d6f6d4c4d88ce504a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
315KB

MD5
6a9bd1c18b86241e8752bd9d1a9fcdc5

SHA1
77cc56608cc38c8e1295299af82eb661ae8b41bf

SHA256
0285293c2c4829281fdc81ce4e1755425ed884364883008b608dca0d0421914b

SHA512
a1f2ed6c9e63ddfc8897b494593f8188a91b217e92509caca8f92f47184b1212bc1ec5e8885aa8f4e8076e081ff85278107101b45d476fbc3d12494082735807

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
316KB

MD5
45b44488f58e268aee145714065d01b1

SHA1
57d788efaa8e83d909a2bfd54fe735925818c574

SHA256
fae5dc0c1e2965b4e1f156e27ebfae84a5a392a9c1d238c023f4635c520815e0

SHA512
54c2144629f75d4e1d563270cc206ec568bf844ff66634626153797c1ea47224928301defc13823b2d79de861302e2b69b753e88b99b7c852fbb85f736cdbc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.9MB

MD5
1b7169f7136811025acefcbd57c4c3aa

SHA1
6b0ce940277dc6573248ee817a17101d0c8e8d82

SHA256
b02e6aa68ee324b379a371f1f28960fabad6a7d3aef1bb7ca9e47e96f86ee55e

SHA512
aed911a939ea65f2700ecb9493cb53ca2966538ff343c0145961ba5d343f1a94e136d70bac0b25cc21e6c22d51ecd6edd7177c96e751c417c317c3f967488b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.9MB

MD5
3ca63b69b8fecf3105fe03db79fe485e

SHA1
299b02bc2ea3534300304afdc2fcdede1c50aaae

SHA256
143aedd2b9be4342531a716d6c06e57ed02cd3e6fd0e61a5f0b810754b3d8931

SHA512
185f0c807b895da4a46e06f540fbca3d93a38d42d7c5667925ca012cd67852fff5d2de0aa8eb75a29ac8f069fd7d6d7349ac3d81174c2d61495eac99985c5024

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
888d8edcc3b71e613ea61ea10c012783

SHA1
a5985a3a80b00287e7987262c5d452c4c5e92cfe

SHA256
4a0ebfb38b6023319aee0249a2616a9153db091dcb8abb5189c165c0b3f47c3e

SHA512
5d49219c24df5e88d66e704a9315e2015787a68f085bb6f2cf548abb96137e329ef5d551e9b2417df04392102824e0ac0e024809ed6088d8e429557a43e2b554

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJvuNRsFW8.bat

Filesize
209B

MD5
9d0b0827e4fa5e1d2e4f71126233e4f1

SHA1
334d26f1a6d13fdd1a2904769bfdb1308c1b3358

SHA256
fcf16ca9610fe9ed4b89f7d3f93327c3cb71327682289a2ce2e7aeaa1a55218b

SHA512
f1771666c2cdde32547b2c4a25844fc7ef8b0eec9f5684e978b727f166e78d50c37e96959018198d66455a76db7eabe7913ef1f9c3246599b7c59d39f5c41970

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1048-66-0x0000000000300000-0x00000000003CA000-memory.dmp

Filesize
808KB

Download
memory/1048-68-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/1048-70-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/1048-72-0x0000000001EE0000-0x0000000001EF8000-memory.dmp

Filesize
96KB

Download
memory/1048-74-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/1048-76-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1660-94-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download