dcrat | 7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kyhjasehs.exe
Size

1.8MB
MD5

4f964ada28fa2dde5c75d3c3682e69c4
SHA1

481a0ddc3dfd39147abf684b60b6a0b1dfbbc341
SHA256

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945
SHA512

ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68
SSDEEP

24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	1320	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	1320	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1320	schtasks.exe	82

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3152-1-0x0000000000D50000-0x0000000000F1A000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0009000000023c9b-56.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	kyhjasehs.exe

Executes dropped EXE 1 IoCs

pid	Process
3144	updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5FA4CC3E6CA3418280B5F8D1238C5937.TMP	csc.exe
File created	\??\c:\Windows\System32\ljh0xx.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	kyhjasehs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4804	schtasks.exe
3476	schtasks.exe
2856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe
3152	kyhjasehs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3144	updater.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	kyhjasehs.exe
Token: SeDebugPrivilege	3144	updater.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4180	3152	kyhjasehs.exe	86
PID 3152 wrote to memory of 4180	3152	kyhjasehs.exe	86
PID 4180 wrote to memory of 2840	4180	csc.exe	88
PID 4180 wrote to memory of 2840	4180	csc.exe	88
PID 3152 wrote to memory of 3572	3152	kyhjasehs.exe	89
PID 3152 wrote to memory of 3572	3152	kyhjasehs.exe	89
PID 3572 wrote to memory of 2440	3572	cmd.exe	91
PID 3572 wrote to memory of 2440	3572	cmd.exe	91
PID 3572 wrote to memory of 2172	3572	cmd.exe	92
PID 3572 wrote to memory of 2172	3572	cmd.exe	92
PID 3572 wrote to memory of 3144	3572	cmd.exe	93
PID 3572 wrote to memory of 3144	3572	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\kyhjasehs.exe
"C:\Users\Admin\AppData\Local\Temp\kyhjasehs.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbxpr5j2\lbxpr5j2.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB12.tmp" "c:\Windows\System32\CSC5FA4CC3E6CA3418280B5F8D1238C5937.TMP"
    3⤵
    PID:2840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IB96Syu3ap.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2440
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2172
- - C:\Users\Admin\AppData\Local\updater.exe
    "C:\Users\Admin\AppData\Local\updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IB96Syu3ap.bat

Filesize
216B

MD5
e2d5db61e767143b2d2d5d7078d4fba8

SHA1
6dea85e8468749f659af5854cc3a9b7f025621f0

SHA256
f216a9d9f00c875c82671b126202bd1db8bdb26a5c4e536387deaa82fa7ea081

SHA512
40d4aafe8516b869cee3b59138bc1023fcd8ee74b29a6960009495a17d425348e1da3a380623b1d1d681f7ccbb8025057a4cfe2703e759e74eb36742b1b2af0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB12.tmp

Filesize
1KB

MD5
221be298aaf2caaff8297766a5e763b6

SHA1
e883728b8455018bfd98aff25d3c2b71042e027f

SHA256
f332c99c4cfb02f17f2d2d874c7403e9c2f6f6cfaeffd0ceef2d8042cd73d10e

SHA512
5f926eee789e4e0b4984e33ffa4384197be94ec91601501871d9878a9b93b48dd2b2ada161c22f6297f704fa32bae9a10beba5fdaede8ff8df10ba95cd49e7f2

Download Submit
C:\Users\Admin\AppData\Local\updater.exe

Filesize
1.8MB

MD5
4f964ada28fa2dde5c75d3c3682e69c4

SHA1
481a0ddc3dfd39147abf684b60b6a0b1dfbbc341

SHA256
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

SHA512
ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lbxpr5j2\lbxpr5j2.0.cs

Filesize
372B

MD5
ea9c610e7f722c65aced40586dfceec3

SHA1
b87002b5b5035c81b158e7bbca0b28549275d292

SHA256
79f0855c40daa3741a2f3e5b83856c78f27de675a73e4f73906b160f06d81980

SHA512
01374815dca48c396e5b17eb25d9535e510a204678aeb019d34190ba0713989a9dd0581b6322ab43a6dcb480a2d16898490a6a320e82ba773d3e56a738786adc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lbxpr5j2\lbxpr5j2.cmdline

Filesize
235B

MD5
6f0104f4099b3aed49a4903091824e4e

SHA1
6663b2b07ecb022684582fec5b852f5bcfeee20d

SHA256
1f6aea3387dd6c62af0225a296f426df99445243b3e1b97f9ad26ec03559c829

SHA512
0e1564af1a2d5ef6ab27fb0a8d30108b4629bfefeb25c5468952a7c44ec534144d20b08f6fceaceb1eda2c0d04f292340dc3e4e019ec282823c8f89850c34a57

Download Submit
\??\c:\Windows\System32\CSC5FA4CC3E6CA3418280B5F8D1238C5937.TMP

Filesize
1KB

MD5
2fd2b90e7053b01e6af25701a467eb1f

SHA1
68801a13cebba82c24f67a9d7c886fcefcf01a51

SHA256
12b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527

SHA512
081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af

Download Submit
memory/3144-96-0x000000001CCA0000-0x000000001CDF6000-memory.dmp

Filesize
1.3MB

Download
memory/3152-22-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3152-30-0x000000001BD10000-0x000000001BD5E000-memory.dmp

Filesize
312KB

Download
memory/3152-13-0x0000000002F90000-0x0000000002F9E000-memory.dmp

Filesize
56KB

Download
memory/3152-15-0x000000001BA60000-0x000000001BA72000-memory.dmp

Filesize
72KB

Download
memory/3152-17-0x000000001BC30000-0x000000001BC46000-memory.dmp

Filesize
88KB

Download
memory/3152-19-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download
memory/3152-20-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-0-0x00007FFEE9E93000-0x00007FFEE9E95000-memory.dmp

Filesize
8KB

Download
memory/3152-24-0x000000001BCB0000-0x000000001BD0A000-memory.dmp

Filesize
360KB

Download
memory/3152-25-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-27-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/3152-8-0x0000000002FB0000-0x0000000002FCC000-memory.dmp

Filesize
112KB

Download
memory/3152-31-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-28-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-32-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-11-0x0000000002FF0000-0x0000000003008000-memory.dmp

Filesize
96KB

Download
memory/3152-9-0x000000001BBE0000-0x000000001BC30000-memory.dmp

Filesize
320KB

Download
memory/3152-7-0x0000000002FD0000-0x0000000002FEC000-memory.dmp

Filesize
112KB

Download
memory/3152-5-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-52-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-53-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-4-0x0000000002F80000-0x0000000002F8E000-memory.dmp

Filesize
56KB

Download
memory/3152-2-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

Filesize
10.8MB

Download
memory/3152-1-0x0000000000D50000-0x0000000000F1A000-memory.dmp

Filesize
1.8MB

Download