Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 01:30
Behavioral task
behavioral1
Sample
DCRatBuild.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
DCRatBuild.exe
Resource
win10v2004-20241007-en
General
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
MD5
a92e55e04cc2026f53c97bdf0e91f6ba
-
SHA1
a31af958d3f885e0f55465acc214bdb0d56e672f
-
SHA256
f395305daac1c6e8fd577b85bc9132b5358c9e4c4b818b61f76d50d2477a3906
-
SHA512
441ca291ccc66f16b5252d65c23fb9f0a57f242ca35f196f41175e2c4d3adc436b026111b79fb4c77db9dbe6370e837133c1d02e571730831293e0a1ffeb95a9
-
SSDEEP
24576:U2G/nvxW3Ww0t43eblFYt2e9esxtDyVjD7D1NauFd3YP+ow7d:UbA3042rejxtDydhcQ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 312 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4460 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3920 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2840 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1880 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3484 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4328 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3924 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4004 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3744 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3836 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4324 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1468 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3128 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3200 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3960 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1028 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2888 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 852 4620 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4420 4620 schtasks.exe 86 -
resource yara_rule behavioral2/files/0x0007000000023c90-9.dat dcrat behavioral2/memory/2976-13-0x0000000000820000-0x00000000008F6000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation DCRatBuild.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation portperf.exe -
Executes dropped EXE 2 IoCs
pid Process 2976 portperf.exe 1224 fontdrvhost.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 ipinfo.io 21 ipinfo.io -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files\Java\jdk-1.8\bin\5b884080fd4f94 portperf.exe File created C:\Program Files\Windows Mail\RuntimeBroker.exe portperf.exe File created C:\Program Files\Windows Mail\9e8d7a4ca61bd9 portperf.exe File created C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe portperf.exe File created C:\Program Files (x86)\Windows Defender\es-ES\5940a34987c991 portperf.exe File created C:\Program Files\Java\jdk-1.8\bin\fontdrvhost.exe portperf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DCRatBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings DCRatBuild.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1616 schtasks.exe 4004 schtasks.exe 2036 schtasks.exe 3920 schtasks.exe 3484 schtasks.exe 4328 schtasks.exe 3960 schtasks.exe 2840 schtasks.exe 1880 schtasks.exe 3128 schtasks.exe 2560 schtasks.exe 3836 schtasks.exe 4460 schtasks.exe 2540 schtasks.exe 3924 schtasks.exe 1468 schtasks.exe 3200 schtasks.exe 1956 schtasks.exe 2888 schtasks.exe 312 schtasks.exe 1928 schtasks.exe 2692 schtasks.exe 1028 schtasks.exe 852 schtasks.exe 4420 schtasks.exe 3744 schtasks.exe 4324 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2976 portperf.exe 1224 fontdrvhost.exe 1224 fontdrvhost.exe 1224 fontdrvhost.exe 1224 fontdrvhost.exe 1224 fontdrvhost.exe 1224 fontdrvhost.exe 1224 fontdrvhost.exe 1224 fontdrvhost.exe 1224 fontdrvhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1224 fontdrvhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2976 portperf.exe Token: SeDebugPrivilege 1224 fontdrvhost.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 3124 wrote to memory of 4592 3124 DCRatBuild.exe 82 PID 3124 wrote to memory of 4592 3124 DCRatBuild.exe 82 PID 3124 wrote to memory of 4592 3124 DCRatBuild.exe 82 PID 4592 wrote to memory of 2628 4592 WScript.exe 87 PID 4592 wrote to memory of 2628 4592 WScript.exe 87 PID 4592 wrote to memory of 2628 4592 WScript.exe 87 PID 2628 wrote to memory of 2976 2628 cmd.exe 89 PID 2628 wrote to memory of 2976 2628 cmd.exe 89 PID 2976 wrote to memory of 1224 2976 portperf.exe 117 PID 2976 wrote to memory of 1224 2976 portperf.exe 117 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ChainBlocksurrogateagentFont\qVwtNBtq7doCC7qZCII8cJUJd.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\ChainBlocksurrogateagentFont\portperf.exe"C:\ChainBlocksurrogateagentFont\portperf.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Default\fontdrvhost.exe"C:\Users\Default\fontdrvhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\bin\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\bin\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk-1.8\bin\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230B
MD5b3e0630669e9f81b3e57048e6af1e015
SHA1650473dc5a9144a544fb53af84ef4fc8e0a72320
SHA25601543751a00db2bbbaaf366aa712303363c484c1f9970ae04857f6703473a5e2
SHA512ac7e7fdf1fb92273a08e030d9f4b407faa4b759c85932a7a2463df92f83f5bb7b596b9d8b2e0acea1a20305903f4e425e7a82edf4f12c9ca60c56f67bca1236f
-
Filesize
829KB
MD5a054982f7e12c1f491eccd25d9c1b5d7
SHA1b3c78b1c7c8a95486db06e39f56910d0f3e90996
SHA2564b6302643800dafe4629960e243ba26663f8510c42f4eaf656b1cc510406e408
SHA512d57be5af22f21e7c20d330f5714ddcf1936152e3d9bd2254c1a2c83f420bfe183ae204c871b1ce2d8f5361a1661afbe39a9b5bec12fb00195a8c0b967977a925
-
Filesize
46B
MD500afe3a3fcc7952dfadc97502a3aecac
SHA16b7e7835cd437e437c91ad91255efe5c8f24c0f4
SHA2565f60a9046ff7978e0518ad160509409a8818dbea53faa79c5d93364dd8d70f95
SHA5129af6ecb3ff68382c633e640d29e86d17597faa2ab712f75697bdf98596c6b17146991ec88fd94df8c65a8fa6ae60e763a66747cf0be4ae37d60beb1e8ff87cc3