dcrat | 7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

Analysis

max time kernel
121s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kyhjasehs.exe
Size

1.8MB
MD5

4f964ada28fa2dde5c75d3c3682e69c4
SHA1

481a0ddc3dfd39147abf684b60b6a0b1dfbbc341
SHA256

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945
SHA512

ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68
SSDEEP

24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2700	schtasks.exe	31

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2976-1-0x0000000001130000-0x00000000012FA000-memory.dmp	family_dcrat_v2
behavioral1/files/0x00160000000120dc-53.dat	family_dcrat_v2
behavioral1/memory/3032-55-0x0000000001110000-0x00000000012DA000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
3032	updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCA9115697E5E94741AC4123268CB8BCA4.TMP	csc.exe
File created	\??\c:\Windows\System32\8wawgv.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2780	schtasks.exe
2744	schtasks.exe
2120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe
2976	kyhjasehs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	kyhjasehs.exe
Token: SeDebugPrivilege	3032	updater.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2252	2976	kyhjasehs.exe	35
PID 2976 wrote to memory of 2252	2976	kyhjasehs.exe	35
PID 2976 wrote to memory of 2252	2976	kyhjasehs.exe	35
PID 2252 wrote to memory of 2884	2252	csc.exe	37
PID 2252 wrote to memory of 2884	2252	csc.exe	37
PID 2252 wrote to memory of 2884	2252	csc.exe	37
PID 2976 wrote to memory of 1688	2976	kyhjasehs.exe	38
PID 2976 wrote to memory of 1688	2976	kyhjasehs.exe	38
PID 2976 wrote to memory of 1688	2976	kyhjasehs.exe	38
PID 1688 wrote to memory of 2564	1688	cmd.exe	40
PID 1688 wrote to memory of 2564	1688	cmd.exe	40
PID 1688 wrote to memory of 2564	1688	cmd.exe	40
PID 1688 wrote to memory of 2572	1688	cmd.exe	41
PID 1688 wrote to memory of 2572	1688	cmd.exe	41
PID 1688 wrote to memory of 2572	1688	cmd.exe	41
PID 1688 wrote to memory of 3032	1688	cmd.exe	42
PID 1688 wrote to memory of 3032	1688	cmd.exe	42
PID 1688 wrote to memory of 3032	1688	cmd.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\kyhjasehs.exe
"C:\Users\Admin\AppData\Local\Temp\kyhjasehs.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xhodrunv\xhodrunv.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC73.tmp" "c:\Windows\System32\CSCA9115697E5E94741AC4123268CB8BCA4.TMP"
    3⤵
    PID:2884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KKKsrRdca3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2564
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2572
- - C:\Users\Admin\AppData\Local\updater.exe
    "C:\Users\Admin\AppData\Local\updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KKKsrRdca3.bat

Filesize
216B

MD5
a716719f958a412e6a1c275d1da0ac6c

SHA1
cf2ba617020576ecc4f61684eccd9c160b3d6d40

SHA256
a49e4105ad1d676d167bb1f7075ade5cbdc0507505cdab402024eb459c127102

SHA512
d5ff765f6537a329d276f579d2946059287e2556cd5bb262a183abd1f499c1d7a2746ac2b60b2ba2291465284cc489a45d2e657e2a7499d20d7316bbea38652d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC73.tmp

Filesize
1KB

MD5
610ed92c09d444c296cd6640882865d7

SHA1
68991187b8cff3f10797b61aa107429e13747b54

SHA256
95ee0a63d90c90dc8efec9ff133f4171e0cc3a64e77c6cc442e584f3c27e6ab3

SHA512
f91923edc3bbd330927abc97c2582f00d6194108e3da084b4f4f26b8a0328af1b3478667a40801b55d6f9c3553907df24c5798eea3be9007fe5af722708ab9a3

Download Submit
C:\Users\Admin\AppData\Local\updater.exe

Filesize
1.8MB

MD5
4f964ada28fa2dde5c75d3c3682e69c4

SHA1
481a0ddc3dfd39147abf684b60b6a0b1dfbbc341

SHA256
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

SHA512
ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xhodrunv\xhodrunv.0.cs

Filesize
372B

MD5
7680a7c2db0bc808030a3125b74c6b87

SHA1
7f59ec2ab181310872511d6ba51614593c05b2ba

SHA256
739b98b8434e645466528b8867976af0769ac33589cb824d9210abf9d913610e

SHA512
e0ae937b3af9789bfb1e3415c5488671f5cdec7126630f158a852c105a0b2a0616a402322197d9f584774b17f8e208929b78cf81aa25caae49ed001d16a986df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xhodrunv\xhodrunv.cmdline

Filesize
235B

MD5
35f298c621fb9770492e67f26b8ff598

SHA1
74e42d11cd2c7449c12c850a3886a17316ee4fc3

SHA256
d3f44c935a11b3e0337211ad4a2f5da5d3e07fa9c687e5cc1b14459a1cd39152

SHA512
74487670b3af71ce30e3651ac48597f3301a4e92426b074800ac724e4c744744a468492dbdd9f9cbbc95fba24b9a894b9be8882b53197aa72dd4d9f88484418d

Download Submit
\??\c:\Windows\System32\CSCA9115697E5E94741AC4123268CB8BCA4.TMP

Filesize
1KB

MD5
028d4cd290ab6fe13d6fecce144a32cc

SHA1
e1d9531cb2e6bc9cab285b1f19e5d627257a3394

SHA256
3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

SHA512
2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

Download Submit
memory/2976-26-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-22-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2976-15-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2976-13-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/2976-11-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/2976-16-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-18-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/2976-19-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2976-25-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2976-23-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-8-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/2976-20-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-28-0x0000000000C10000-0x0000000000C6A000-memory.dmp

Filesize
360KB

Download
memory/2976-30-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2976-32-0x0000000000C70000-0x0000000000CBE000-memory.dmp

Filesize
312KB

Download
memory/2976-9-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-7-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-6-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2976-4-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/2976-51-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-1-0x0000000001130000-0x00000000012FA000-memory.dmp

Filesize
1.8MB

Download
memory/3032-55-0x0000000001110000-0x00000000012DA000-memory.dmp

Filesize
1.8MB

Download