dcrat | 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

Analysis

max time kernel
34s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GameInputSvc.exe
Size

1.8MB
MD5

42b89874d3138f40f32285be945f2ceb
SHA1

1766b4c4a040ba19afc4318e9b2eab775fee88d7
SHA256

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
SHA512

df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
SSDEEP

49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	4732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4732	schtasks.exe	85

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GameInputSvc.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	GameInputSvc.exe

Executes dropped EXE 1 IoCs

Processes:

sysmon.exe

pid	Process
3780	sysmon.exe

Drops file in Program Files directory 3 IoCs

Processes:

GameInputSvc.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	GameInputSvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	GameInputSvc.exe
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	GameInputSvc.exe

Drops file in Windows directory 2 IoCs

Processes:

GameInputSvc.exe

description	ioc	Process
File created	C:\Windows\Logs\MoSetup\OfficeClickToRun.exe	GameInputSvc.exe
File created	C:\Windows\Logs\MoSetup\e6c9b481da804f	GameInputSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

GameInputSvc.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	GameInputSvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
4904	schtasks.exe
4712	schtasks.exe
1408	schtasks.exe
2104	schtasks.exe
4336	schtasks.exe
2264	schtasks.exe
3412	schtasks.exe
4484	schtasks.exe
2352	schtasks.exe
3112	schtasks.exe
2232	schtasks.exe
2876	schtasks.exe
3556	schtasks.exe
696	schtasks.exe
2116	schtasks.exe
3960	schtasks.exe
2740	schtasks.exe
3216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GameInputSvc.exesysmon.exe

pid	Process
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
5112	GameInputSvc.exe
3780	sysmon.exe
3780	sysmon.exe
3780	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GameInputSvc.exesysmon.exe

description	pid	Process
Token: SeDebugPrivilege	5112	GameInputSvc.exe
Token: SeDebugPrivilege	3780	sysmon.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

GameInputSvc.execmd.exe

description	pid	Process	procid_target
PID 5112 wrote to memory of 2172	5112	GameInputSvc.exe	105
PID 5112 wrote to memory of 2172	5112	GameInputSvc.exe	105
PID 2172 wrote to memory of 2756	2172	cmd.exe	107
PID 2172 wrote to memory of 2756	2172	cmd.exe	107
PID 2172 wrote to memory of 4668	2172	cmd.exe	108
PID 2172 wrote to memory of 4668	2172	cmd.exe	108
PID 2172 wrote to memory of 3780	2172	cmd.exe	116
PID 2172 wrote to memory of 3780	2172	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe
"C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FKB1hEolRH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2756
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4668
- - C:\Recovery\WindowsRE\sysmon.exe
    "C:\Recovery\WindowsRE\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\MoSetup\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Logs\MoSetup\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\MoSetup\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GameInputSvcG" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GameInputSvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GameInputSvcG" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\GameInputSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sysmon.exe

Filesize
1.8MB

MD5
42b89874d3138f40f32285be945f2ceb

SHA1
1766b4c4a040ba19afc4318e9b2eab775fee88d7

SHA256
619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

SHA512
df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKB1hEolRH.bat

Filesize
208B

MD5
32ed126e0450de97f462b280a7b8050b

SHA1
40871524d6d9ece7c10e33658977e7a007f428bc

SHA256
6807601d7733172fca03c57a1554b3bf3b8bbe7b0db4f08ca708637796437406

SHA512
54a40da691c9d7a58567beeca8bd64a3eb90190dcec7e3de488f5b2618d8b15d5cc1d5d65b815ded2c1d729d3b8a3af11a3a1c5aedc9d5c53f025df2bf17a92c

Download Submit
memory/5112-8-0x000000001B410000-0x000000001B42C000-memory.dmp

Filesize
112KB

Download
memory/5112-2-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-5-0x0000000002AC0000-0x0000000002ACE000-memory.dmp

Filesize
56KB

Download
memory/5112-6-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-11-0x000000001B430000-0x000000001B448000-memory.dmp

Filesize
96KB

Download
memory/5112-9-0x000000001B4D0000-0x000000001B520000-memory.dmp

Filesize
320KB

Download
memory/5112-0-0x00007FFE304F3000-0x00007FFE304F5000-memory.dmp

Filesize
8KB

Download
memory/5112-3-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-23-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-24-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-25-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-26-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-32-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-1-0x0000000000700000-0x00000000008D2000-memory.dmp

Filesize
1.8MB

Download