dcrat | fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440

Analysis

max time kernel
28s
max time network
34s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
Size

1.5MB
MD5

3f46b4fc008b1267c97e905c89ca60bf
SHA1

05725fe5083fc1f15d61a052dc5d3bbab3e34742
SHA256

fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440
SHA512

d14ec2b39a4a3c906a3f3575a7e3667df33bcbc113eba0da98a906d94bab9f4ada71b79abfe01db28316035b1d87087518bcfd5bc45c094994b56a8efa603b9a
SSDEEP

24576:MeaMajUi+6C+mDjn7gbkFaSH7Wu4mIWGE1Sy/fBEXTHhaTEEER71RM4I13:Meaj9bHmMbkBHVdGE1Sy/ujhaIh+1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	568	schtasks.exe	30

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2496-1-0x00000000000D0000-0x000000000025E000-memory.dmp	dcrat
behavioral1/files/0x0006000000019bf6-31.dat	dcrat
behavioral1/files/0x0008000000018b64-65.dat	dcrat
behavioral1/memory/2436-87-0x0000000000BE0000-0x0000000000D6E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe

Executes dropped EXE 1 IoCs

pid	Process
2436	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXB8CA.tmp	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXB948.tmp	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\c2662095ba9aa8	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1988	schtasks.exe
2772	schtasks.exe
2800	schtasks.exe
2940	schtasks.exe
644	schtasks.exe
1992	schtasks.exe
3060	schtasks.exe
2816	schtasks.exe
2192	schtasks.exe
1388	schtasks.exe
2476	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
Token: SeDebugPrivilege	2436	spoolsv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 272	2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe	43
PID 2496 wrote to memory of 272	2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe	43
PID 2496 wrote to memory of 272	2496	fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe	43
PID 272 wrote to memory of 2080	272	cmd.exe	45
PID 272 wrote to memory of 2080	272	cmd.exe	45
PID 272 wrote to memory of 2080	272	cmd.exe	45
PID 272 wrote to memory of 2436	272	cmd.exe	46
PID 272 wrote to memory of 2436	272	cmd.exe	46
PID 272 wrote to memory of 2436	272	cmd.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe
"C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E969IshFWt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2080
- - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe
    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440f" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440f" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXB948.tmp

Filesize
1.5MB

MD5
69abe05f0c575421d22713a125451907

SHA1
689e17a08e178e529237de4af4271ceee655fa97

SHA256
fb86df650a9a35807d8a07b83a9afb02017520dad007be481a64daa1aeceb4ab

SHA512
96e8bce6f2f9984a7f67554a3e4413e0145fcc658798eda5b31aed931af934a6b1e14f9cb4f0bb4044668f325b9892dac7ecd19c9ab0a1bd5c4b0262479c9acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E969IshFWt.bat

Filesize
225B

MD5
1bcb856942c3e75209755acfde382c2f

SHA1
1437812c2f8c97abc6a6278775fd86bbd1b9b3dd

SHA256
84c143a92241d5ec8f35d91a359325b924c13c78f5ee23b84e532f29037bd955

SHA512
53e510b19cfa638903436d732778faf2a285b7182d1be537be4675999e8f49f290ffc6c155efa26e5b7d80b21cab7f7b51194434cccb5f08124d63e436313fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXB1E2.tmp

Filesize
1.5MB

MD5
3f46b4fc008b1267c97e905c89ca60bf

SHA1
05725fe5083fc1f15d61a052dc5d3bbab3e34742

SHA256
fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440

SHA512
d14ec2b39a4a3c906a3f3575a7e3667df33bcbc113eba0da98a906d94bab9f4ada71b79abfe01db28316035b1d87087518bcfd5bc45c094994b56a8efa603b9a

Download Submit
memory/2436-87-0x0000000000BE0000-0x0000000000D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-13-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2496-14-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/2496-6-0x00000000020F0000-0x0000000002106000-memory.dmp

Filesize
88KB

Download
memory/2496-7-0x0000000001F50000-0x0000000001F60000-memory.dmp

Filesize
64KB

Download
memory/2496-8-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/2496-10-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2496-11-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/2496-12-0x0000000002230000-0x000000000223E000-memory.dmp

Filesize
56KB

Download
memory/2496-0-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2496-5-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/2496-15-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2496-16-0x000000001A770000-0x000000001A77A000-memory.dmp

Filesize
40KB

Download
memory/2496-17-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-20-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-25-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-4-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/2496-3-0x00000000005E0000-0x00000000005FC000-memory.dmp

Filesize
112KB

Download
memory/2496-2-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-84-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-1-0x00000000000D0000-0x000000000025E000-memory.dmp

Filesize
1.6MB

Download