dcrat | 59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72eb

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe
Size

602KB
MD5

d069ab75e9b28f7bdd02e0f3d0cc5ab0
SHA1

9c6eb8752783f808903b7fbac3fd47bc96554c84
SHA256

59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72eb
SHA512

765392440ff7c836652d4a963038af2a350a61b33375167c9f9c76793e79b37e2adc3af847dd4ac72c7950f590daa17e93b3ac57f17d9d809e988d5e406ca42a
SSDEEP

12288:Dy906ssfA446ETlvQ10HZWoDRxoVVz6Noc9cAPcJkUwH:Dy3ssfA2caeZxoVhGgkn

Score

10^/10

dcrat luminosity discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat 2 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""		59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe
		4528	schtasks.exe

Dcrat family
dcrat

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""		59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe
		4528	schtasks.exe

Luminosity family
luminosity

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3860	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3532	68282014.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "\"C:\\Program Files (x86)\\Client\\client.exe\" -a /a"	68282014.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68282014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3860	powershell.exe
3860	powershell.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe
3532	68282014.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3532	68282014.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3532	68282014.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4828	3576	59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe	83
PID 3576 wrote to memory of 4828	3576	59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe	83
PID 3576 wrote to memory of 4504	3576	59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe	85
PID 3576 wrote to memory of 4504	3576	59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe	85
PID 4504 wrote to memory of 3860	4504	cmd.exe	87
PID 4504 wrote to memory of 3860	4504	cmd.exe	87
PID 3860 wrote to memory of 3532	3860	powershell.exe	89
PID 3860 wrote to memory of 3532	3860	powershell.exe	89
PID 3860 wrote to memory of 3532	3860	powershell.exe	89
PID 3532 wrote to memory of 4528	3532	68282014.exe	99
PID 3532 wrote to memory of 4528	3532	68282014.exe	99
PID 3532 wrote to memory of 4528	3532	68282014.exe	99

C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe
"C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe"
1⤵
- DcRat
- Luminosity
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c echo.
  2⤵
  PID:4828
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c exec.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe
      "C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
        5⤵
        DcRat
        Luminosity
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe

Filesize
586KB

MD5
981a6297ee4c59b81dcf9b482c7cc475

SHA1
9c822ad8e6b94702d1a7df13346dafab7d2a331f

SHA256
51551aa5a6310cf993733df09696c8d05e532d5d9e79a243d469ef855a4eeae4

SHA512
8d3615d544f4342d21d51b089107a7c7480da88cefe1019ae152c18807b54d6af7161772886df31309361f47b63596586ae9976dbe7420fc6c1eedc90fffbd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
781KB

MD5
c22f01d9e3f9f075b6efda752f805b3b

SHA1
fd89725060a0ffc6b5af2123ecaa49c31636e6d1

SHA256
f08acf718371e1412b70ec7480a4444d09152e979edb1c79510df49694015be9

SHA512
07b9709f5b5099050aaa0019d340abd112c0cc6ff8207468925e06e024ceaa783ef1f631e9ea661a39e62392e3840e7dcc317361886a53ad1b7d65cea4e646ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

Filesize
95B

MD5
368e0f2c003376d3bdae1c71dd85ec70

SHA1
e5fa7b58cad7f5df6e3a7c2abeec16365ae17827

SHA256
84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9

SHA512
e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uaqc5ffx.d04.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3532-29-0x0000000074A32000-0x0000000074A33000-memory.dmp

Filesize
4KB

Download
memory/3532-30-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3532-32-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3532-35-0x0000000074A32000-0x0000000074A33000-memory.dmp

Filesize
4KB

Download
memory/3532-36-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3860-18-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3860-19-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3860-8-0x000002089D530000-0x000002089D552000-memory.dmp

Filesize
136KB

Download
memory/3860-7-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

Filesize
8KB

Download
memory/3860-31-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download