dcrat | bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D1E1AE8DCED915651E8F1DB114C073EA.exe
Size

2.8MB
MD5

d1e1ae8dced915651e8f1db114c073ea
SHA1

ae0f6cd564fd95889eb166c54bee37567f27add4
SHA256

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e
SHA512

e0ff5e949117808d631680a27d27483679f174a6cedcdf16f0e2c1bb479144c6c59c7754ef7eb8aa65a0562c624ed06864dc8ad9d0e2c53428bbcc0b6cd6c2ad
SSDEEP

49152:qR5omlL3SICIhCj3q4Hdliu/syu/m4cq1Inf6ZkYU6wUd9D9+tho51N009:qR5oiiICy8HTiuPiR1If6iYUMmy51yO

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023af4-54.dat	family_dcrat_v2
behavioral2/memory/4480-55-0x0000000000E00000-0x0000000000ECA000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D1E1AE8DCED915651E8F1DB114C073EA.exeInstaller.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	D1E1AE8DCED915651E8F1DB114C073EA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Installer.exe

Executes dropped EXE 8 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeSppExtComObj.exe

pid	Process
780	7z.exe
5084	7z.exe
1916	7z.exe
1524	7z.exe
2316	7z.exe
2832	7z.exe
4480	Installer.exe
1128	SppExtComObj.exe

Loads dropped DLL 6 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	Process
780	7z.exe
5084	7z.exe
1916	7z.exe
1524	7z.exe
2316	7z.exe
2832	7z.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 8 IoCs

Processes:

Installer.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe	Installer.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\088424020bedd6	Installer.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\backgroundTaskHost.exe	Installer.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\smss.exe	Installer.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\69ddcba757bf72	Installer.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\explorer.exe	Installer.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\explorer.exe	Installer.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\7a0fd90576e088	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

D1E1AE8DCED915651E8F1DB114C073EA.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D1E1AE8DCED915651E8F1DB114C073EA.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
556	PING.EXE

Modifies registry class 1 IoCs

Processes:

Installer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	Installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
556	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Installer.exe

pid	Process
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe
4480	Installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SppExtComObj.exe

pid	Process
1128	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeSppExtComObj.exe

description	pid	Process
Token: SeRestorePrivilege	780	7z.exe
Token: 35	780	7z.exe
Token: SeSecurityPrivilege	780	7z.exe
Token: SeSecurityPrivilege	780	7z.exe
Token: SeRestorePrivilege	5084	7z.exe
Token: 35	5084	7z.exe
Token: SeSecurityPrivilege	5084	7z.exe
Token: SeSecurityPrivilege	5084	7z.exe
Token: SeRestorePrivilege	1916	7z.exe
Token: 35	1916	7z.exe
Token: SeSecurityPrivilege	1916	7z.exe
Token: SeSecurityPrivilege	1916	7z.exe
Token: SeRestorePrivilege	1524	7z.exe
Token: 35	1524	7z.exe
Token: SeSecurityPrivilege	1524	7z.exe
Token: SeSecurityPrivilege	1524	7z.exe
Token: SeRestorePrivilege	2316	7z.exe
Token: 35	2316	7z.exe
Token: SeSecurityPrivilege	2316	7z.exe
Token: SeSecurityPrivilege	2316	7z.exe
Token: SeRestorePrivilege	2832	7z.exe
Token: 35	2832	7z.exe
Token: SeSecurityPrivilege	2832	7z.exe
Token: SeSecurityPrivilege	2832	7z.exe
Token: SeDebugPrivilege	4480	Installer.exe
Token: SeDebugPrivilege	1128	SppExtComObj.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

D1E1AE8DCED915651E8F1DB114C073EA.execmd.exeInstaller.execmd.exe

description	pid	Process	procid_target
PID 1032 wrote to memory of 2968	1032	D1E1AE8DCED915651E8F1DB114C073EA.exe	88
PID 1032 wrote to memory of 2968	1032	D1E1AE8DCED915651E8F1DB114C073EA.exe	88
PID 2968 wrote to memory of 2108	2968	cmd.exe	90
PID 2968 wrote to memory of 2108	2968	cmd.exe	90
PID 2968 wrote to memory of 780	2968	cmd.exe	91
PID 2968 wrote to memory of 780	2968	cmd.exe	91
PID 2968 wrote to memory of 5084	2968	cmd.exe	92
PID 2968 wrote to memory of 5084	2968	cmd.exe	92
PID 2968 wrote to memory of 1916	2968	cmd.exe	93
PID 2968 wrote to memory of 1916	2968	cmd.exe	93
PID 2968 wrote to memory of 1524	2968	cmd.exe	94
PID 2968 wrote to memory of 1524	2968	cmd.exe	94
PID 2968 wrote to memory of 2316	2968	cmd.exe	95
PID 2968 wrote to memory of 2316	2968	cmd.exe	95
PID 2968 wrote to memory of 2832	2968	cmd.exe	96
PID 2968 wrote to memory of 2832	2968	cmd.exe	96
PID 2968 wrote to memory of 536	2968	cmd.exe	97
PID 2968 wrote to memory of 536	2968	cmd.exe	97
PID 2968 wrote to memory of 4480	2968	cmd.exe	98
PID 2968 wrote to memory of 4480	2968	cmd.exe	98
PID 4480 wrote to memory of 4700	4480	Installer.exe	101
PID 4480 wrote to memory of 4700	4480	Installer.exe	101
PID 4700 wrote to memory of 3052	4700	cmd.exe	103
PID 4700 wrote to memory of 3052	4700	cmd.exe	103
PID 4700 wrote to memory of 556	4700	cmd.exe	104
PID 4700 wrote to memory of 556	4700	cmd.exe	104
PID 4700 wrote to memory of 1128	4700	cmd.exe	110
PID 4700 wrote to memory of 1128	4700	cmd.exe	110

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
536	attrib.exe

C:\Users\Admin\AppData\Local\Temp\D1E1AE8DCED915651E8F1DB114C073EA.exe
"C:\Users\Admin\AppData\Local\Temp\D1E1AE8DCED915651E8F1DB114C073EA.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p237578392143213652313078912 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SYcW1oR8ZU.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3052
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
    - - C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SYcW1oR8ZU.bat

Filesize
166B

MD5
3c4a617b1381a8ef88f83e30b58e355d

SHA1
25fde5bb99e5913a48a86fe04c909e7da5b51ac9

SHA256
5a9162b272acf6058885b5696c3db4f55f1187c709e205a278a7029fd92c5d8b

SHA512
7fe651ac19189023897cac5cc68a981d6c40eb88e2de43890d891761c2b97c76ff752a74b356d743dd95d41aa054e5625bcc77eb267c69287c482f86c47ebc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

Filesize
785KB

MD5
acdd5f8a230ebcf456977ac3d1ea6eca

SHA1
e0a985b5c9e99d3b1e1141938afeecdc02811946

SHA256
45fc98c0fe74f360e57e80e42142c4d5745652c198b298ca7f8ecf4dba560c21

SHA512
5372fc4ed4ff8cb54f2139e552c7710f2ad8b4f59bc5743d02a1830a98f2c45553bf807545bf6c93952ae786bc1bd9eb480b98ddf5c924dcc0f5aef9abee2f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
7e703968b4e13722892cf227f37b392d

SHA1
4eba1cbed7b31cdb2ffc9ee7c200bd977af068b0

SHA256
965d0ba59eb90d3b89212ab5d7d02ecd5712feb91eee7bf9e82303d872341953

SHA512
74099ed995ce1b92a95243cebfefbcb32e660468032d12c65437e412ebfb2d23efdf6a6ea7158e06e2574775258862307143efd9ff662b1587e97383f87e299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
315KB

MD5
55a752087f41b97f460d16cd084c1e5d

SHA1
9b1379a8d2fba0322e4ca6274b609d032d703efc

SHA256
47b472974b1d440f6754b09fb0f053d11deb10734cb60a69d2c7bcbdb9ddd4f6

SHA512
22d00f24358854bb79dfe244e9033e14969fe1181a9adff9f4be56864af401da821b2087ef0e9c03419f097d4d21451b290bc5243a015f95844094c6bcb913e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
315KB

MD5
99941e921b39fbdbbad43c87f518488a

SHA1
6413ddd612ba05a330761c6d0ecec67e6f08b557

SHA256
d521a8feb747997745848003e56981246828cc02f2534c7620442886c38d30a3

SHA512
502b30672bc20713e3a0e8d28c1d649b24301f067367fd41e086deb55daf90da86665771ca0fedb07ed637deb10f789717c3377261ec96d6f6d4c4d88ce504a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
315KB

MD5
6a9bd1c18b86241e8752bd9d1a9fcdc5

SHA1
77cc56608cc38c8e1295299af82eb661ae8b41bf

SHA256
0285293c2c4829281fdc81ce4e1755425ed884364883008b608dca0d0421914b

SHA512
a1f2ed6c9e63ddfc8897b494593f8188a91b217e92509caca8f92f47184b1212bc1ec5e8885aa8f4e8076e081ff85278107101b45d476fbc3d12494082735807

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
316KB

MD5
45b44488f58e268aee145714065d01b1

SHA1
57d788efaa8e83d909a2bfd54fe735925818c574

SHA256
fae5dc0c1e2965b4e1f156e27ebfae84a5a392a9c1d238c023f4635c520815e0

SHA512
54c2144629f75d4e1d563270cc206ec568bf844ff66634626153797c1ea47224928301defc13823b2d79de861302e2b69b753e88b99b7c852fbb85f736cdbc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.9MB

MD5
1b7169f7136811025acefcbd57c4c3aa

SHA1
6b0ce940277dc6573248ee817a17101d0c8e8d82

SHA256
b02e6aa68ee324b379a371f1f28960fabad6a7d3aef1bb7ca9e47e96f86ee55e

SHA512
aed911a939ea65f2700ecb9493cb53ca2966538ff343c0145961ba5d343f1a94e136d70bac0b25cc21e6c22d51ecd6edd7177c96e751c417c317c3f967488b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.9MB

MD5
3ca63b69b8fecf3105fe03db79fe485e

SHA1
299b02bc2ea3534300304afdc2fcdede1c50aaae

SHA256
143aedd2b9be4342531a716d6c06e57ed02cd3e6fd0e61a5f0b810754b3d8931

SHA512
185f0c807b895da4a46e06f540fbca3d93a38d42d7c5667925ca012cd67852fff5d2de0aa8eb75a29ac8f069fd7d6d7349ac3d81174c2d61495eac99985c5024

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
888d8edcc3b71e613ea61ea10c012783

SHA1
a5985a3a80b00287e7987262c5d452c4c5e92cfe

SHA256
4a0ebfb38b6023319aee0249a2616a9153db091dcb8abb5189c165c0b3f47c3e

SHA512
5d49219c24df5e88d66e704a9315e2015787a68f085bb6f2cf548abb96137e329ef5d551e9b2417df04392102824e0ac0e024809ed6088d8e429557a43e2b554

Download Submit
memory/4480-55-0x0000000000E00000-0x0000000000ECA000-memory.dmp

Filesize
808KB

Download
memory/4480-57-0x0000000002F40000-0x0000000002F4E000-memory.dmp

Filesize
56KB

Download
memory/4480-59-0x0000000002F70000-0x0000000002F8C000-memory.dmp

Filesize
112KB

Download
memory/4480-60-0x000000001C540000-0x000000001C590000-memory.dmp

Filesize
320KB

Download
memory/4480-62-0x000000001C4F0000-0x000000001C508000-memory.dmp

Filesize
96KB

Download
memory/4480-64-0x0000000002F50000-0x0000000002F5E000-memory.dmp

Filesize
56KB

Download
memory/4480-66-0x0000000002F60000-0x0000000002F6C000-memory.dmp

Filesize
48KB

Download