dcrat | 9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd

Analysis

max time kernel
144s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe
Size

1.2MB
MD5

d1dac6e0cf79a43434f1ac4c84b9ef4d
SHA1

35a0db7e5548b32fa4a44eb897beb9fbbdcc7962
SHA256

9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd
SHA512

43c1df1b5ea8d477977577e5a2a683e0c6621db649709a1447c783540e2e019053d288898fc255c2c27dedc20df595176a3b5a70c58a6a994f9b83192cc8989f
SSDEEP

24576:9sayvYwy9cCAiDSeqgpkcqK0QrmU9cPVbGI61T7Kamt:WayQfSeXqK5Z9gsI6dud

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1452	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1452	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1452	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1452	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1452	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1452	schtasks.exe	35

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/3032-25-0x0000000000400000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/files/0x002f000000018bd7-26.dat	dcrat
behavioral1/memory/2296-29-0x0000000000320000-0x00000000003DA000-memory.dmp	dcrat
behavioral1/memory/2044-46-0x0000000000EE0000-0x0000000000F9A000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

2wTfITfS5j.exeiDNccpxzCP.exewinlogon.exe

pid	Process
2964	2wTfITfS5j.exe
2296	iDNccpxzCP.exe
2044	winlogon.exe

Loads dropped DLL 2 IoCs

Processes:

D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe

pid	Process
3032	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe
3032	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

Processes:

iDNccpxzCP.exe

description	ioc	Process
File created	C:\Windows\System32\winrm\0410\winlogon.exe	iDNccpxzCP.exe
File opened for modification	C:\Windows\System32\winrm\0410\winlogon.exe	iDNccpxzCP.exe
File created	C:\Windows\System32\winrm\0410\cc11b995f2a76d	iDNccpxzCP.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe

description	pid	Process	procid_target
PID 2152 set thread context of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2556	2152	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

D1DAC6E0CF79A43434F1AC4C84B9EF4D.exeD1DAC6E0CF79A43434F1AC4C84B9EF4D.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1804	schtasks.exe
1540	schtasks.exe
2560	schtasks.exe
2244	schtasks.exe
1904	schtasks.exe
2328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

iDNccpxzCP.exewinlogon.exe

pid	Process
2296	iDNccpxzCP.exe
2296	iDNccpxzCP.exe
2296	iDNccpxzCP.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe
2044	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid	Process
2044	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

iDNccpxzCP.exewinlogon.exe

description	pid	Process
Token: SeDebugPrivilege	2296	iDNccpxzCP.exe
Token: SeDebugPrivilege	2044	winlogon.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

D1DAC6E0CF79A43434F1AC4C84B9EF4D.exeD1DAC6E0CF79A43434F1AC4C84B9EF4D.exeiDNccpxzCP.execmd.exe

description	pid	Process	procid_target
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 3032	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	31
PID 2152 wrote to memory of 2556	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	32
PID 2152 wrote to memory of 2556	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	32
PID 2152 wrote to memory of 2556	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	32
PID 2152 wrote to memory of 2556	2152	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	32
PID 3032 wrote to memory of 2296	3032	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	34
PID 3032 wrote to memory of 2296	3032	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	34
PID 3032 wrote to memory of 2296	3032	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	34
PID 3032 wrote to memory of 2296	3032	D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe	34
PID 2296 wrote to memory of 2236	2296	iDNccpxzCP.exe	42
PID 2296 wrote to memory of 2236	2296	iDNccpxzCP.exe	42
PID 2296 wrote to memory of 2236	2296	iDNccpxzCP.exe	42
PID 2236 wrote to memory of 2416	2236	cmd.exe	44
PID 2236 wrote to memory of 2416	2236	cmd.exe	44
PID 2236 wrote to memory of 2416	2236	cmd.exe	44
PID 2236 wrote to memory of 2044	2236	cmd.exe	45
PID 2236 wrote to memory of 2044	2236	cmd.exe	45
PID 2236 wrote to memory of 2044	2236	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe
"C:\Users\Admin\AppData\Local\Temp\D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe
  "C:\Users\Admin\AppData\Local\Temp\D1DAC6E0CF79A43434F1AC4C84B9EF4D.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Roaming\2wTfITfS5j.exe
    "C:\Users\Admin\AppData\Roaming\2wTfITfS5j.exe"
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Users\Admin\AppData\Roaming\iDNccpxzCP.exe
    "C:\Users\Admin\AppData\Roaming\iDNccpxzCP.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GlVXQjRSgc.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2416
    - - C:\Windows\System32\winrm\0410\winlogon.exe
        
        "C:\Windows\System32\winrm\0410\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 68
  2⤵
  - Program crash
  PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\winrm\0410\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\winrm\0410\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\winrm\0410\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iDNccpxzCPi" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\iDNccpxzCP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iDNccpxzCP" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\iDNccpxzCP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iDNccpxzCPi" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\iDNccpxzCP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GlVXQjRSgc.bat

Filesize
208B

MD5
73a47b81ac1dacba5bf6ed06c88c74a7

SHA1
3d83228d1903e10645366858baa3a2cf647b2ea9

SHA256
6e56413a2ccf71d3a5ead1b09d4d1e442b8cc2f9fcb127f2806b7ceeb54b7fe4

SHA512
4cb3f3ea5d4d049b1a2a6e4291b69f4da7cd631a863adc048ce822be9eebf9a20d3febcef4c92a705829dac0fa137813be4b3f2fcb044dba0409cf44d82aeab0

Download Submit
C:\Users\Admin\AppData\Roaming\2wTfITfS5j.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
C:\Users\Admin\AppData\Roaming\iDNccpxzCP.exe

Filesize
716KB

MD5
2ea728129d813b8a99509cc009968d2e

SHA1
4705bf7c666dceb4db384cb487d796557583d107

SHA256
384773df6081637cd1d36872cace14b1df5e5d59cb9bed47512b0618185ca8fd

SHA512
9a67df09a331602e6a9176bbc6277cf7908085e768b9da2e13f6ba99934020d46823073d8e19b6cb2dd19ee0c75407a67c5095fb33068679a7ab5d760764db39

Download Submit
memory/2044-46-0x0000000000EE0000-0x0000000000F9A000-memory.dmp

Filesize
744KB

Download
memory/2152-0-0x0000000001083000-0x0000000001085000-memory.dmp

Filesize
8KB

Download
memory/2296-28-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2296-43-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-33-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/2296-32-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/2296-31-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2296-30-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-29-0x0000000000320000-0x00000000003DA000-memory.dmp

Filesize
744KB

Download
memory/3032-5-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-12-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-1-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-2-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-3-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-25-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-4-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-6-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-13-0x0000000000F60000-0x000000000108B000-memory.dmp

Filesize
1.2MB

Download
memory/3032-9-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-11-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download