dcrat | 0e6fc77a72dd0b4c8f8fe7607c92eac7cf5b0d607c9904e09d9fb1b2128a2e51

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start-main/ksfawtyha.exe
Size

855KB
MD5

fda06a638ce0756950f40dff83a675e8
SHA1

7d121e94b2c4885f8838a2a18ffaa4a25afd96d0
SHA256

6b986293d3057fb2ffb8759b53182756595f68aa95c584d73b9e1e9e3997826d
SHA512

26d033f6d3e490a1773622072674001c1c962214a19b38d9a0a63383cde9fbfadf6658359895f19c9a68890d5c8a21a047beb578134d35ecd18f733dd002d1e0
SSDEEP

12288:OWTns93nQb1f13TH3XmaZ4JJMA+zpW3Ari4VVyZC0+1cp9rcDNpTWDTQGFZ6:OWTnbb1f1bmaZKJMA+z3iE0nTr/6

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ksfawtyha.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\""	ksfawtyha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\ksfawtyha.exe\""	ksfawtyha.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	212	schtasks.exe

DCRat payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral20/memory/1084-1-0x0000000000B30000-0x0000000000C0C000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ksfawtyha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ksfawtyha.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ksfawtyha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\""	ksfawtyha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\""	ksfawtyha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksfawtyha = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\ksfawtyha.exe\""	ksfawtyha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksfawtyha = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\ksfawtyha.exe\""	ksfawtyha.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ipinfo.io
51 ipinfo.io
52 ipinfo.io
9 ipinfo.io

flow	ioc
12	ipinfo.io
51	ipinfo.io
52	ipinfo.io
9	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCDCC71A6DB17D4DF29ABC23D74CF7E2D1.TMP	csc.exe
File created	\??\c:\Windows\System32\hnaorh.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

ksfawtyha.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings ksfawtyha.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2648 schtasks.exe
3360 schtasks.exe
1556 schtasks.exe
2804 schtasks.exe
3340 schtasks.exe
2488 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	ksfawtyha.exe

pid	process
2648	schtasks.exe
3360	schtasks.exe
1556	schtasks.exe
2804	schtasks.exe
3340	schtasks.exe
2488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ksfawtyha.exe

pid	process
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe
1084	ksfawtyha.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ksfawtyha.exeksfawtyha.exe

description pid process

Token: SeDebugPrivilege 1084 ksfawtyha.exe
Token: SeDebugPrivilege 4412 ksfawtyha.exe

description	pid	process
Token: SeDebugPrivilege	1084	ksfawtyha.exe
Token: SeDebugPrivilege	4412	ksfawtyha.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ksfawtyha.execsc.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 1888	1084	ksfawtyha.exe	csc.exe
PID 1084 wrote to memory of 1888	1084	ksfawtyha.exe	csc.exe
PID 1888 wrote to memory of 4860	1888	csc.exe	cvtres.exe
PID 1888 wrote to memory of 4860	1888	csc.exe	cvtres.exe
PID 1084 wrote to memory of 380	1084	ksfawtyha.exe	cmd.exe
PID 1084 wrote to memory of 380	1084	ksfawtyha.exe	cmd.exe
PID 380 wrote to memory of 4268	380	cmd.exe	chcp.com
PID 380 wrote to memory of 4268	380	cmd.exe	chcp.com
PID 380 wrote to memory of 4604	380	cmd.exe	w32tm.exe
PID 380 wrote to memory of 4604	380	cmd.exe	w32tm.exe
PID 380 wrote to memory of 4412	380	cmd.exe	ksfawtyha.exe
PID 380 wrote to memory of 4412	380	cmd.exe	ksfawtyha.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe
"C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fuvpqbve\fuvpqbve.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC62E.tmp" "c:\Windows\System32\CSCDCC71A6DB17D4DF29ABC23D74CF7E2D1.TMP"
3⤵
PID:4860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wfCcJpotGA.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4268

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe
"C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ksfawtyhak" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ksfawtyha" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ksfawtyhak" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\ksfawtyha.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ksfawtyha.exe.log

Filesize
1KB

MD5
34ff77a14aec2a0e3fff7660e7506da8

SHA1
168cdfbdc68f6a56d0fb35bb7605aab83a2c1837

SHA256
a14bc9f57c725c55f9e5281f6cfee0bd5fcd262df65b5fca9883137aa2fa0c66

SHA512
1c430fd847c40dba7820d93c5db0cab90a6666e06fd9dc5349173af4991432f6eec6c8e79ff25834d6e218cc02868f6f82d1feea61e2b9d5dfdbcb9c45bd760a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC62E.tmp

Filesize
1KB

MD5
b595c9403ccf73aac4c35e343f7c9a29

SHA1
46158858d3cf55cf615dc9ac53ba2195f2e06888

SHA256
93ba612b18d5654e016791f1672666161a35572fdbd3308cd53fa5b0ae46a2d6

SHA512
e714c55774921aea76dafbfd3a1767ece445ac09cf8db4801a02d25d73a4522d5fbbb7e98ff49e12640b057a4353b634c0d0bee47fb1d15190ca3869a6ded73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfCcJpotGA.bat

Filesize
234B

MD5
0b0e1cede18d58d5a5d38298b9c4a26f

SHA1
f6512843ac155f5878d31b58494949d7d743a8c0

SHA256
71d07654d475bb8f1c534568c9e8306e0a3cebc0b6727ea9ab495f6690f81ac1

SHA512
9213f15652a65864cbc5a7d961067ab6cb56c783f3013335ca5bc1428cf290e1bec2dbe5069f38b45742a072103659a6bfa686a5360b1c0242b26ac54c480f6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fuvpqbve\fuvpqbve.0.cs

Filesize
372B

MD5
ffaf8924eca8bff4ffe86e26a5f1c063

SHA1
6ac8afffe3ce2dc5e35503dcb7acad798f3a624c

SHA256
74386e105780fd97570c67a82aa7937853db3f0009ebf608391db8138dc56ff1

SHA512
b546abe3f62cc0ef2ee952cb3610a16128efa83bb51cdf186879d32bde7fd59dd8b74ed6a45fd2819cea9a3b06c25d2c273ea3e4a8e004aaf7185725c2281822

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fuvpqbve\fuvpqbve.cmdline

Filesize
235B

MD5
57ce1fe729fad74ca08d905fb74d401d

SHA1
ce0d6ae4b703717f33736859d1278a14cef53fba

SHA256
6b1d922522710b797a104539a8f55abf8bc9d47250595ae440262e173c0da3e0

SHA512
18c1519725792b2959d22105d98d8a6e794bf210b8ef9c3204ba0c59d0449cbd2d5f0ddfa3aa1c90a6f5c7d96a06ba8a1400e6a48304b6aaae9f499af6fdfa21

Download Submit
\??\c:\Windows\System32\CSCDCC71A6DB17D4DF29ABC23D74CF7E2D1.TMP

Filesize
1KB

MD5
65d5babddb4bd68783c40f9e3678613f

SHA1
71e76abb44dbea735b9faaccb8c0fad345b514f4

SHA256
d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

SHA512
21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

Download Submit
memory/1084-8-0x000000001C330000-0x000000001C380000-memory.dmp

Filesize
320KB

Download
memory/1084-27-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-10-0x000000001B6C0000-0x000000001B6D8000-memory.dmp

Filesize
96KB

Download
memory/1084-14-0x0000000002C80000-0x0000000002C8C000-memory.dmp

Filesize
48KB

Download
memory/1084-12-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-16-0x0000000002C90000-0x0000000002C9E000-memory.dmp

Filesize
56KB

Download
memory/1084-18-0x0000000002CA0000-0x0000000002CA8000-memory.dmp

Filesize
32KB

Download
memory/1084-19-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-21-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

Filesize
48KB

Download
memory/1084-25-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-26-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-11-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-0-0x00007FFF2B1E3000-0x00007FFF2B1E5000-memory.dmp

Filesize
8KB

Download
memory/1084-7-0x000000001B6A0000-0x000000001B6BC000-memory.dmp

Filesize
112KB

Download
memory/1084-5-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-4-0x0000000002C70000-0x0000000002C7E000-memory.dmp

Filesize
56KB

Download
memory/1084-40-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-41-0x00007FFF2B1E3000-0x00007FFF2B1E5000-memory.dmp

Filesize
8KB

Download
memory/1084-2-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-48-0x00007FFF2B1E0000-0x00007FFF2BCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-1-0x0000000000B30000-0x0000000000C0C000-memory.dmp

Filesize
880KB

Download