dcrat | 0e6fc77a72dd0b4c8f8fe7607c92eac7cf5b0d607c9904e09d9fb1b2128a2e51

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start-main/jythjadthawed.exe
Size

855KB
MD5

fda06a638ce0756950f40dff83a675e8
SHA1

7d121e94b2c4885f8838a2a18ffaa4a25afd96d0
SHA256

6b986293d3057fb2ffb8759b53182756595f68aa95c584d73b9e1e9e3997826d
SHA512

26d033f6d3e490a1773622072674001c1c962214a19b38d9a0a63383cde9fbfadf6658359895f19c9a68890d5c8a21a047beb578134d35ecd18f733dd002d1e0
SSDEEP

12288:OWTns93nQb1f13TH3XmaZ4JJMA+zpW3Ari4VVyZC0+1cp9rcDNpTWDTQGFZ6:OWTnbb1f1bmaZKJMA+z3iE0nTr/6

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

jythjadthawed.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\sysmon.exe\""	jythjadthawed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\sysmon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\jythjadthawed.exe\""	jythjadthawed.exe

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral17/memory/2068-1-0x0000000000B10000-0x0000000000BEC000-memory.dmp	family_dcrat_v2
C:\Users\Admin\AppData\Local\sysmon.exe	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jythjadthawed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	jythjadthawed.exe

Executes dropped EXE 1 IoCs

Processes:

sysmon.exe

pid process

3204 sysmon.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
3204	sysmon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jythjadthawed.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\AppData\\Local\\sysmon.exe\""	jythjadthawed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\AppData\\Local\\sysmon.exe\""	jythjadthawed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jythjadthawed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\jythjadthawed.exe\""	jythjadthawed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jythjadthawed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\jythjadthawed.exe\""	jythjadthawed.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ipinfo.io
11 ipinfo.io
51 ipinfo.io
52 ipinfo.io

flow	ioc
10	ipinfo.io
11	ipinfo.io
51	ipinfo.io
52	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC30909912ADFE4CAFB1354AED8BDFFB5.TMP	csc.exe
File created	\??\c:\Windows\System32\-63gkj.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4024 PING.EXE
Modifies registry class 1 IoCs

Processes:

jythjadthawed.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings jythjadthawed.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4024 PING.EXE

pid	process
4024	PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	jythjadthawed.exe

pid	process
4024	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jythjadthawed.exe

pid	process
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe
2068	jythjadthawed.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sysmon.exe

pid process

3204 sysmon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jythjadthawed.exesysmon.exe

description pid process

Token: SeDebugPrivilege 2068 jythjadthawed.exe
Token: SeDebugPrivilege 3204 sysmon.exe

pid	process
3204	sysmon.exe

description	pid	process
Token: SeDebugPrivilege	2068	jythjadthawed.exe
Token: SeDebugPrivilege	3204	sysmon.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

jythjadthawed.execsc.execmd.exe

description	pid	process	target process
PID 2068 wrote to memory of 2164	2068	jythjadthawed.exe	csc.exe
PID 2068 wrote to memory of 2164	2068	jythjadthawed.exe	csc.exe
PID 2164 wrote to memory of 1176	2164	csc.exe	cvtres.exe
PID 2164 wrote to memory of 1176	2164	csc.exe	cvtres.exe
PID 2068 wrote to memory of 1868	2068	jythjadthawed.exe	cmd.exe
PID 2068 wrote to memory of 1868	2068	jythjadthawed.exe	cmd.exe
PID 1868 wrote to memory of 2872	1868	cmd.exe	chcp.com
PID 1868 wrote to memory of 2872	1868	cmd.exe	chcp.com
PID 1868 wrote to memory of 4024	1868	cmd.exe	PING.EXE
PID 1868 wrote to memory of 4024	1868	cmd.exe	PING.EXE
PID 1868 wrote to memory of 3204	1868	cmd.exe	sysmon.exe
PID 1868 wrote to memory of 3204	1868	cmd.exe	sysmon.exe

C:\Users\Admin\AppData\Local\Temp\start-main\jythjadthawed.exe
"C:\Users\Admin\AppData\Local\Temp\start-main\jythjadthawed.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fm53achw\fm53achw.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D5B.tmp" "c:\Windows\System32\CSC30909912ADFE4CAFB1354AED8BDFFB5.TMP"
3⤵
PID:1176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qcUpJGnph9.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2872

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4024

C:\Users\Admin\AppData\Local\sysmon.exe
"C:\Users\Admin\AppData\Local\sysmon.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8D5B.tmp

Filesize
1KB

MD5
93e6dd54f7f6d9a146da0725625f74b9

SHA1
3d7994c19edfc626170bb48ab350977a783330ff

SHA256
70ee32505cbf4b99526fadc4f8cfa9ea4e30967068e3ec221758e14b806820dc

SHA512
14f40daa5fa4d3c0c87009211fe27e333d53249e4db2841800367f787f4580831d42613fa242877a361206499881d2369ae2bf305ffa5b7e09457aeedf9ec669

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUpJGnph9.bat

Filesize
167B

MD5
c4ba811cf1be0ffff45638283c14f5ea

SHA1
a13d6e8a02cab6b231353fe718305fdc110d1665

SHA256
bd37c079cfe931e1f81027f5418758a79213c8b1555affeead19f6dab8f8a6b1

SHA512
099770241f9398d91858ec4a83067f2d4fc8f6f44878acf689e6cb4c2a049077c5bd7f5e46a305d1756d3b6022c33c9d39ac15c1c867ba3d2e6bbf909785f503

Download Submit
C:\Users\Admin\AppData\Local\sysmon.exe

Filesize
855KB

MD5
fda06a638ce0756950f40dff83a675e8

SHA1
7d121e94b2c4885f8838a2a18ffaa4a25afd96d0

SHA256
6b986293d3057fb2ffb8759b53182756595f68aa95c584d73b9e1e9e3997826d

SHA512
26d033f6d3e490a1773622072674001c1c962214a19b38d9a0a63383cde9fbfadf6658359895f19c9a68890d5c8a21a047beb578134d35ecd18f733dd002d1e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fm53achw\fm53achw.0.cs

Filesize
371B

MD5
6a34fcf8510c0ee86cf4fe9fb98afd33

SHA1
837dbd74166a38fc6b33c62f805ab4eac1ab3d3d

SHA256
721d75079e542d2f761bf916749a88512f24c09d009d1fe2dbbee913942b3c21

SHA512
d261b727c742d8474464575e95bb8e2bd1027158e254378fe790fe812be75a74842a724496fba4159e84ebcd2db9ca4a163a63380e391064839ce25128e7b9b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fm53achw\fm53achw.cmdline

Filesize
235B

MD5
0c4d5ffc2356d86758980f4b168e6417

SHA1
bbe347bffb1c04f44e36d43891281b1ec2d70d03

SHA256
76e13a272bae08832850ad44de194022d104cde0ce9ce13a836974d4a538f716

SHA512
c628c4241ef1833c02993d5e8d23f2d80136280a5d1dfdc1b8020e38a857dd45a283bfb0cbfe8f63cb764c7ea65e2acd6c54f8fda9995e447013c4d884a40a1e

Download Submit
\??\c:\Windows\System32\CSC30909912ADFE4CAFB1354AED8BDFFB5.TMP

Filesize
1KB

MD5
82a7b8ef3bc275711e3b27c6df93c7ff

SHA1
bdac909f26475c94c74145576bcf22adb0f8203c

SHA256
582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124

SHA512
f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

Download Submit
memory/2068-8-0x000000001BA80000-0x000000001BAD0000-memory.dmp

Filesize
320KB

Download
memory/2068-25-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-11-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-13-0x0000000002C70000-0x0000000002C7C000-memory.dmp

Filesize
48KB

Download
memory/2068-15-0x0000000002C80000-0x0000000002C8E000-memory.dmp

Filesize
56KB

Download
memory/2068-17-0x0000000002CD0000-0x0000000002CD8000-memory.dmp

Filesize
32KB

Download
memory/2068-18-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-20-0x0000000002CE0000-0x0000000002CEC000-memory.dmp

Filesize
48KB

Download
memory/2068-22-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-10-0x0000000002CB0000-0x0000000002CC8000-memory.dmp

Filesize
96KB

Download
memory/2068-29-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-30-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-0-0x00007FFD6EDE3000-0x00007FFD6EDE5000-memory.dmp

Filesize
8KB

Download
memory/2068-7-0x0000000002C90000-0x0000000002CAC000-memory.dmp

Filesize
112KB

Download
memory/2068-5-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-4-0x0000000002C50000-0x0000000002C5E000-memory.dmp

Filesize
56KB

Download
memory/2068-40-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-2-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-47-0x00007FFD6EDE0000-0x00007FFD6F8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-1-0x0000000000B10000-0x0000000000BEC000-memory.dmp

Filesize
880KB

Download