dcrat | 0e6fc77a72dd0b4c8f8fe7607c92eac7cf5b0d607c9904e09d9fb1b2128a2e51

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start-main/odrsfgawd.exe
Size

526KB
MD5

29f1c1d7a651b39f96ec5cef9cd4071d
SHA1

ce27d36c953fe12c733c920ca9aee4199ee4dbb7
SHA256

bdf890b78dc6fd33cec86be7fe593714ae1b713f0644402819cabd5bba5f1bbd
SHA512

24149490810f23f2b08fde9e7ab4c8702784bf26d5b72c76b0eab9dce5881fb3412faa6ec1f7c5e183a015fe4e7a3dc332d94782fbd21361f66f19f1cbbb659a
SSDEEP

6144:tSveb1jQZD0wmWozuZW5DwwzqLhh13QEGQnh9lTRXvtkpAbj7KvaP5fsz61+:tom1Mh0AZYtzE3TvnhhXFU0j5M61+

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

odrsfgawd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	odrsfgawd.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	2868	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2868	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2868	schtasks.exe

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral26/memory/1920-0-0x0000000000A70000-0x0000000000AFA000-memory.dmp	family_dcrat_v2
C:\Users\Admin\AppData\Local\staticfile.exe	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

odrsfgawd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	odrsfgawd.exe

Executes dropped EXE 1 IoCs

Processes:

staticfile.exe

pid process

4284 staticfile.exe

pid	process
4284	staticfile.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

odrsfgawd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile = "\"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	odrsfgawd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile = "\"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	odrsfgawd.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC37DA9ADBF1D745D1B29811E72178283.TMP	csc.exe
File created	\??\c:\Windows\System32\s_kgxh.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

1476 PING.EXE
Modifies registry class 1 IoCs

Processes:

odrsfgawd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings odrsfgawd.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1476 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3196 schtasks.exe
3520 schtasks.exe
896 schtasks.exe

pid	process
1476	PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	odrsfgawd.exe

pid	process
1476	PING.EXE

pid	process
3196	schtasks.exe
3520	schtasks.exe
896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

odrsfgawd.exestaticfile.exe

pid	process
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
1920	odrsfgawd.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe
4284	staticfile.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

odrsfgawd.exestaticfile.exe

description pid process

Token: SeDebugPrivilege 1920 odrsfgawd.exe
Token: SeDebugPrivilege 4284 staticfile.exe

description	pid	process
Token: SeDebugPrivilege	1920	odrsfgawd.exe
Token: SeDebugPrivilege	4284	staticfile.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

odrsfgawd.execsc.execmd.exe

description	pid	process	target process
PID 1920 wrote to memory of 3568	1920	odrsfgawd.exe	csc.exe
PID 1920 wrote to memory of 3568	1920	odrsfgawd.exe	csc.exe
PID 3568 wrote to memory of 3468	3568	csc.exe	cvtres.exe
PID 3568 wrote to memory of 3468	3568	csc.exe	cvtres.exe
PID 1920 wrote to memory of 3100	1920	odrsfgawd.exe	cmd.exe
PID 1920 wrote to memory of 3100	1920	odrsfgawd.exe	cmd.exe
PID 3100 wrote to memory of 5112	3100	cmd.exe	chcp.com
PID 3100 wrote to memory of 5112	3100	cmd.exe	chcp.com
PID 3100 wrote to memory of 1476	3100	cmd.exe	PING.EXE
PID 3100 wrote to memory of 1476	3100	cmd.exe	PING.EXE
PID 3100 wrote to memory of 4284	3100	cmd.exe	staticfile.exe
PID 3100 wrote to memory of 4284	3100	cmd.exe	staticfile.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\start-main\odrsfgawd.exe
"C:\Users\Admin\AppData\Local\Temp\start-main\odrsfgawd.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\knspwv05\knspwv05.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp" "c:\Windows\System32\CSC37DA9ADBF1D745D1B29811E72178283.TMP"
3⤵
PID:3468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JgS7PZGuqI.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:5112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1476

C:\Users\Admin\AppData\Local\staticfile.exe
"C:\Users\Admin\AppData\Local\staticfile.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfile" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JgS7PZGuqI.bat

Filesize
171B

MD5
cb7bf0bc260ea947008cb459e8abb2ea

SHA1
4645f05ef97e75fde1e093924bfad14c819d7ae5

SHA256
b6de8673751e46458c8e750ed1d87e293a9b7a3095480c20142237ba83757ef4

SHA512
2b8a26b15e09ac41b432c913bab54f84f18c5889e009b6bf5c86d5518dc9cbceb3ac22c7f8b49a29468adf760db4c34a03e2a39f3b33cc806da9b8dbd7806765

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp

Filesize
1KB

MD5
55a83f8c997973d4231172cbda6acc4c

SHA1
b72ead8bec4ec7c835d94ad450beed061eb1985d

SHA256
33e2d105d024f60e74f229c67dc088bdb2258164ab28685bbb8ee67860189748

SHA512
2407ae6676b78bdf52fb3b85234bd7f0a911e73a1711ae16cde4b96b6c503cea97b22c7e43c98c9063c0508b87be5839de544f1cff567291f4e77968dc38acc4

Download Submit
C:\Users\Admin\AppData\Local\staticfile.exe

Filesize
526KB

MD5
29f1c1d7a651b39f96ec5cef9cd4071d

SHA1
ce27d36c953fe12c733c920ca9aee4199ee4dbb7

SHA256
bdf890b78dc6fd33cec86be7fe593714ae1b713f0644402819cabd5bba5f1bbd

SHA512
24149490810f23f2b08fde9e7ab4c8702784bf26d5b72c76b0eab9dce5881fb3412faa6ec1f7c5e183a015fe4e7a3dc332d94782fbd21361f66f19f1cbbb659a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knspwv05\knspwv05.0.cs

Filesize
375B

MD5
ffffa19ce1cc39b87d5713ac34aeeb6e

SHA1
429b4625aae45e52e3bed7e8ddcaba8189f34553

SHA256
0891750ea889ac41d3afd52c14cd8a90ddac2defebf49aa7e07a488e4dc6bc77

SHA512
2673a04bff5e8a09622982ecfc2f384a102da0fb90084d888564c3dfe5da96efe43dd688ea25b1374566a0ddccdf49d972649af98a87f1916f095d1794d7fe68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knspwv05\knspwv05.cmdline

Filesize
235B

MD5
5c9f5d1d993507b20db6b18b67644c89

SHA1
3fecb77f04b5664832357e2d73b22bb11f75b5a6

SHA256
562d7c95d077f55a238b3bb89b0d6e634a46b9dd5d55134f715178302fc42dda

SHA512
d51e66fa62ce3381c7694a05bc70c6db0ac3ed5d230d49aec2e44af1056f51b2c1e7746de4a3471527326db53a657dceb7335447b27a17b71bbaef9e0443847b

Download Submit
\??\c:\Windows\System32\CSC37DA9ADBF1D745D1B29811E72178283.TMP

Filesize
1KB

MD5
634e281a00b7b9f516c3048badfa1530

SHA1
af6369715ce2fe9b99609e470d4f66698880a35a

SHA256
0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

SHA512
1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

Download Submit
memory/1920-8-0x00007FFB5B7C0000-0x00007FFB5C281000-memory.dmp

Filesize
10.8MB

Download
memory/1920-1-0x00007FFB5B7C3000-0x00007FFB5B7C5000-memory.dmp

Filesize
8KB

Download
memory/1920-7-0x00007FFB5B7C0000-0x00007FFB5C281000-memory.dmp

Filesize
10.8MB

Download
memory/1920-4-0x00000000011A0000-0x00000000011AE000-memory.dmp

Filesize
56KB

Download
memory/1920-2-0x00007FFB5B7C0000-0x00007FFB5C281000-memory.dmp

Filesize
10.8MB

Download
memory/1920-27-0x00007FFB5B7C0000-0x00007FFB5C281000-memory.dmp

Filesize
10.8MB

Download
memory/1920-0-0x0000000000A70000-0x0000000000AFA000-memory.dmp

Filesize
552KB

Download