dcrat | bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe
Size

2.8MB
MD5

d1e1ae8dced915651e8f1db114c073ea
SHA1

ae0f6cd564fd95889eb166c54bee37567f27add4
SHA256

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e
SHA512

e0ff5e949117808d631680a27d27483679f174a6cedcdf16f0e2c1bb479144c6c59c7754ef7eb8aa65a0562c624ed06864dc8ad9d0e2c53428bbcc0b6cd6c2ad
SSDEEP

49152:qR5omlL3SICIhCj3q4Hdliu/syu/m4cq1Inf6ZkYU6wUd9D9+tho51N009:qR5oiiICy8HTiuPiR1If6iYUMmy51yO

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b85-54.dat	family_dcrat_v2
behavioral2/memory/1804-55-0x0000000000A90000-0x0000000000B5A000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exeInstaller.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Installer.exe

Executes dropped EXE 8 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeRuntimeBroker.exe

pid	Process
1588	7z.exe
1484	7z.exe
4256	7z.exe
1444	7z.exe
1660	7z.exe
3984	7z.exe
1804	Installer.exe
3736	RuntimeBroker.exe

Loads dropped DLL 6 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	Process
1588	7z.exe
1484	7z.exe
4256	7z.exe
1444	7z.exe
1660	7z.exe
3984	7z.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 6 IoCs

Processes:

Installer.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe	Installer.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\088424020bedd6	Installer.exe
File created	C:\Program Files\Windows Mail\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe	Installer.exe
File created	C:\Program Files\Windows Mail\e1ddd36cfe04f1	Installer.exe
File created	C:\Program Files\Microsoft Office\root\services.exe	Installer.exe
File created	C:\Program Files\Microsoft Office\root\c5b4cb5e9653cc	Installer.exe

Drops file in Windows directory 3 IoCs

Processes:

Installer.exe

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9	Installer.exe
File created	C:\Windows\SystemResources\Windows.UI.Cred\dllhost.exe	Installer.exe
File created	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe

Modifies registry class 1 IoCs

Processes:

Installer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Installer.exe

pid	Process
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe
1804	Installer.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeRuntimeBroker.exe

description	pid	Process
Token: SeRestorePrivilege	1588	7z.exe
Token: 35	1588	7z.exe
Token: SeSecurityPrivilege	1588	7z.exe
Token: SeSecurityPrivilege	1588	7z.exe
Token: SeRestorePrivilege	1484	7z.exe
Token: 35	1484	7z.exe
Token: SeSecurityPrivilege	1484	7z.exe
Token: SeSecurityPrivilege	1484	7z.exe
Token: SeRestorePrivilege	4256	7z.exe
Token: 35	4256	7z.exe
Token: SeSecurityPrivilege	4256	7z.exe
Token: SeSecurityPrivilege	4256	7z.exe
Token: SeRestorePrivilege	1444	7z.exe
Token: 35	1444	7z.exe
Token: SeSecurityPrivilege	1444	7z.exe
Token: SeSecurityPrivilege	1444	7z.exe
Token: SeRestorePrivilege	1660	7z.exe
Token: 35	1660	7z.exe
Token: SeSecurityPrivilege	1660	7z.exe
Token: SeSecurityPrivilege	1660	7z.exe
Token: SeRestorePrivilege	3984	7z.exe
Token: 35	3984	7z.exe
Token: SeSecurityPrivilege	3984	7z.exe
Token: SeSecurityPrivilege	3984	7z.exe
Token: SeDebugPrivilege	1804	Installer.exe
Token: SeDebugPrivilege	3736	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.execmd.exeInstaller.execmd.exe

description	pid	Process	procid_target
PID 1672 wrote to memory of 2064	1672	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe	87
PID 1672 wrote to memory of 2064	1672	bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe	87
PID 2064 wrote to memory of 1436	2064	cmd.exe	89
PID 2064 wrote to memory of 1436	2064	cmd.exe	89
PID 2064 wrote to memory of 1588	2064	cmd.exe	90
PID 2064 wrote to memory of 1588	2064	cmd.exe	90
PID 2064 wrote to memory of 1484	2064	cmd.exe	91
PID 2064 wrote to memory of 1484	2064	cmd.exe	91
PID 2064 wrote to memory of 4256	2064	cmd.exe	92
PID 2064 wrote to memory of 4256	2064	cmd.exe	92
PID 2064 wrote to memory of 1444	2064	cmd.exe	93
PID 2064 wrote to memory of 1444	2064	cmd.exe	93
PID 2064 wrote to memory of 1660	2064	cmd.exe	94
PID 2064 wrote to memory of 1660	2064	cmd.exe	94
PID 2064 wrote to memory of 3984	2064	cmd.exe	95
PID 2064 wrote to memory of 3984	2064	cmd.exe	95
PID 2064 wrote to memory of 3264	2064	cmd.exe	96
PID 2064 wrote to memory of 3264	2064	cmd.exe	96
PID 2064 wrote to memory of 1804	2064	cmd.exe	97
PID 2064 wrote to memory of 1804	2064	cmd.exe	97
PID 1804 wrote to memory of 1616	1804	Installer.exe	100
PID 1804 wrote to memory of 1616	1804	Installer.exe	100
PID 1616 wrote to memory of 3640	1616	cmd.exe	102
PID 1616 wrote to memory of 3640	1616	cmd.exe	102
PID 1616 wrote to memory of 4828	1616	cmd.exe	103
PID 1616 wrote to memory of 4828	1616	cmd.exe	103
PID 1616 wrote to memory of 3736	1616	cmd.exe	108
PID 1616 wrote to memory of 3736	1616	cmd.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
3264	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe
"C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p237578392143213652313078912 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aLLFk8KoU9.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3640
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4828
    - - C:\Windows\Downloaded Program Files\RuntimeBroker.exe
        
        "C:\Windows\Downloaded Program Files\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aLLFk8KoU9.bat

Filesize
229B

MD5
21307b7eedcb427252781252a1bb51d5

SHA1
efd47cce8ec1382cbeb4b1e67fe7ced032908168

SHA256
8b1eb13cfe06362daf5de096b51a8eb518d4286e98c9094db12e1be635308593

SHA512
20f0b6d7b6c214414673c3b6b8f9b7f5da4b2f407a5d14226ab713ee1efc6d7070db2b97aa2622969eca28715d31d836051e7026cfb5019ebf19c0184c661c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

Filesize
785KB

MD5
acdd5f8a230ebcf456977ac3d1ea6eca

SHA1
e0a985b5c9e99d3b1e1141938afeecdc02811946

SHA256
45fc98c0fe74f360e57e80e42142c4d5745652c198b298ca7f8ecf4dba560c21

SHA512
5372fc4ed4ff8cb54f2139e552c7710f2ad8b4f59bc5743d02a1830a98f2c45553bf807545bf6c93952ae786bc1bd9eb480b98ddf5c924dcc0f5aef9abee2f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
7e703968b4e13722892cf227f37b392d

SHA1
4eba1cbed7b31cdb2ffc9ee7c200bd977af068b0

SHA256
965d0ba59eb90d3b89212ab5d7d02ecd5712feb91eee7bf9e82303d872341953

SHA512
74099ed995ce1b92a95243cebfefbcb32e660468032d12c65437e412ebfb2d23efdf6a6ea7158e06e2574775258862307143efd9ff662b1587e97383f87e299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
315KB

MD5
55a752087f41b97f460d16cd084c1e5d

SHA1
9b1379a8d2fba0322e4ca6274b609d032d703efc

SHA256
47b472974b1d440f6754b09fb0f053d11deb10734cb60a69d2c7bcbdb9ddd4f6

SHA512
22d00f24358854bb79dfe244e9033e14969fe1181a9adff9f4be56864af401da821b2087ef0e9c03419f097d4d21451b290bc5243a015f95844094c6bcb913e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
315KB

MD5
99941e921b39fbdbbad43c87f518488a

SHA1
6413ddd612ba05a330761c6d0ecec67e6f08b557

SHA256
d521a8feb747997745848003e56981246828cc02f2534c7620442886c38d30a3

SHA512
502b30672bc20713e3a0e8d28c1d649b24301f067367fd41e086deb55daf90da86665771ca0fedb07ed637deb10f789717c3377261ec96d6f6d4c4d88ce504a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
315KB

MD5
6a9bd1c18b86241e8752bd9d1a9fcdc5

SHA1
77cc56608cc38c8e1295299af82eb661ae8b41bf

SHA256
0285293c2c4829281fdc81ce4e1755425ed884364883008b608dca0d0421914b

SHA512
a1f2ed6c9e63ddfc8897b494593f8188a91b217e92509caca8f92f47184b1212bc1ec5e8885aa8f4e8076e081ff85278107101b45d476fbc3d12494082735807

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
316KB

MD5
45b44488f58e268aee145714065d01b1

SHA1
57d788efaa8e83d909a2bfd54fe735925818c574

SHA256
fae5dc0c1e2965b4e1f156e27ebfae84a5a392a9c1d238c023f4635c520815e0

SHA512
54c2144629f75d4e1d563270cc206ec568bf844ff66634626153797c1ea47224928301defc13823b2d79de861302e2b69b753e88b99b7c852fbb85f736cdbc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.9MB

MD5
1b7169f7136811025acefcbd57c4c3aa

SHA1
6b0ce940277dc6573248ee817a17101d0c8e8d82

SHA256
b02e6aa68ee324b379a371f1f28960fabad6a7d3aef1bb7ca9e47e96f86ee55e

SHA512
aed911a939ea65f2700ecb9493cb53ca2966538ff343c0145961ba5d343f1a94e136d70bac0b25cc21e6c22d51ecd6edd7177c96e751c417c317c3f967488b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.9MB

MD5
3ca63b69b8fecf3105fe03db79fe485e

SHA1
299b02bc2ea3534300304afdc2fcdede1c50aaae

SHA256
143aedd2b9be4342531a716d6c06e57ed02cd3e6fd0e61a5f0b810754b3d8931

SHA512
185f0c807b895da4a46e06f540fbca3d93a38d42d7c5667925ca012cd67852fff5d2de0aa8eb75a29ac8f069fd7d6d7349ac3d81174c2d61495eac99985c5024

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
888d8edcc3b71e613ea61ea10c012783

SHA1
a5985a3a80b00287e7987262c5d452c4c5e92cfe

SHA256
4a0ebfb38b6023319aee0249a2616a9153db091dcb8abb5189c165c0b3f47c3e

SHA512
5d49219c24df5e88d66e704a9315e2015787a68f085bb6f2cf548abb96137e329ef5d551e9b2417df04392102824e0ac0e024809ed6088d8e429557a43e2b554

Download Submit
memory/1804-55-0x0000000000A90000-0x0000000000B5A000-memory.dmp

Filesize
808KB

Download
memory/1804-57-0x0000000002BC0000-0x0000000002BCE000-memory.dmp

Filesize
56KB

Download
memory/1804-59-0x0000000002C00000-0x0000000002C1C000-memory.dmp

Filesize
112KB

Download
memory/1804-60-0x000000001C230000-0x000000001C280000-memory.dmp

Filesize
320KB

Download
memory/1804-62-0x0000000002C20000-0x0000000002C38000-memory.dmp

Filesize
96KB

Download
memory/1804-64-0x0000000002BD0000-0x0000000002BDE000-memory.dmp

Filesize
56KB

Download
memory/1804-66-0x0000000002BE0000-0x0000000002BEC000-memory.dmp

Filesize
48KB

Download