dcrat | 7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
Size

3.8MB
MD5

c9e9ee7477dd04ce2017fc1402f5461c
SHA1

22154f137d253bfe5e135859c9a26778a64391fc
SHA256

7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a
SHA512

67339aea037be21b8f043d0ff84bbb6013de59bd435a9945837a983001d44a804ae864fbf68695d52829681634d4a903debc5ebbb8b8e6f7770ee6ab923616b8
SSDEEP

98304:ytU7z9qNUzrsxu3CFZZK8USGlV8ajG1SN6QSi:y0zgQyFavJlQ1ScQf

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 2 IoCs

pid	Process
2828	BridgeproviderComponentFontcrt.exe
844	BridgeproviderComponentFontcrt.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	cmd.exe
2900	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\explorer.exe	BridgeproviderComponentFontcrt.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\7a0fd90576e088	BridgeproviderComponentFontcrt.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe	BridgeproviderComponentFontcrt.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\7a0fd90576e088	BridgeproviderComponentFontcrt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\lsass.exe	BridgeproviderComponentFontcrt.exe
File created	C:\Windows\fr-FR\6203df4a6bafc7	BridgeproviderComponentFontcrt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
356	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
356	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe
2828	BridgeproviderComponentFontcrt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	BridgeproviderComponentFontcrt.exe
Token: SeDebugPrivilege	844	BridgeproviderComponentFontcrt.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2100	2404	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	30
PID 2404 wrote to memory of 2100	2404	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	30
PID 2404 wrote to memory of 2100	2404	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	30
PID 2404 wrote to memory of 2100	2404	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	30
PID 2100 wrote to memory of 2900	2100	WScript.exe	32
PID 2100 wrote to memory of 2900	2100	WScript.exe	32
PID 2100 wrote to memory of 2900	2100	WScript.exe	32
PID 2100 wrote to memory of 2900	2100	WScript.exe	32
PID 2900 wrote to memory of 2828	2900	cmd.exe	34
PID 2900 wrote to memory of 2828	2900	cmd.exe	34
PID 2900 wrote to memory of 2828	2900	cmd.exe	34
PID 2900 wrote to memory of 2828	2900	cmd.exe	34
PID 2828 wrote to memory of 2612	2828	BridgeproviderComponentFontcrt.exe	35
PID 2828 wrote to memory of 2612	2828	BridgeproviderComponentFontcrt.exe	35
PID 2828 wrote to memory of 2612	2828	BridgeproviderComponentFontcrt.exe	35
PID 2612 wrote to memory of 2024	2612	cmd.exe	37
PID 2612 wrote to memory of 2024	2612	cmd.exe	37
PID 2612 wrote to memory of 2024	2612	cmd.exe	37
PID 2612 wrote to memory of 356	2612	cmd.exe	38
PID 2612 wrote to memory of 356	2612	cmd.exe	38
PID 2612 wrote to memory of 356	2612	cmd.exe	38
PID 2612 wrote to memory of 844	2612	cmd.exe	39
PID 2612 wrote to memory of 844	2612	cmd.exe	39
PID 2612 wrote to memory of 844	2612	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
"C:\Users\Admin\AppData\Local\Temp\7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mscomContaineragent\1ggcrtMDOIpDj6NMU6zi0PNdec8GZE6fRcycTIRnqa8yg5np31k.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\mscomContaineragent\K4TsmH6x0L8c7gsd2xa978PfuccU.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\mscomContaineragent\BridgeproviderComponentFontcrt.exe
      "C:\mscomContaineragent/BridgeproviderComponentFontcrt.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kxbhpLAEFv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2024
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:356
      - C:\mscomContaineragent\BridgeproviderComponentFontcrt.exe
        
        "C:\mscomContaineragent\BridgeproviderComponentFontcrt.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kxbhpLAEFv.bat

Filesize
185B

MD5
292e04d6f29145db61118da4c27eed5d

SHA1
766615e7684d62941b3a0c6f06fc41a85cb71636

SHA256
2c02902c83b594f1dfa9aa4bcf705b688b09046a9b922c0250a63de866e8ed56

SHA512
818d9cda9592c69eb0813a3fa152a67d72efe49a54707967dd49137ed472c38aa6db8792793d462c5df6cae36939bd2022511334e0e3fd3c7b8bcf155960fe1c

Download Submit
C:\mscomContaineragent\1ggcrtMDOIpDj6NMU6zi0PNdec8GZE6fRcycTIRnqa8yg5np31k.vbe

Filesize
226B

MD5
b2082877b156a0ca794cffb107e5ecc7

SHA1
4bb42e5b58e22dcfca31a5472b7b37c8e65aa10e

SHA256
ae25630353f248e39628b3907ac7c04963d8845b91b89407220a43c937b9940e

SHA512
921d0d0a86fddedddc808d0857d93865f945c8223bf383488b448d4c8a16458115f4cba79458200b869e7509a4b479884b5737a43dbe7ac4e5d78c6122a37e29

Download Submit
C:\mscomContaineragent\K4TsmH6x0L8c7gsd2xa978PfuccU.bat

Filesize
96B

MD5
35ba19fb2b11c866b8d4773346a37893

SHA1
615381c6049330cf8f95ca448aa2392975e6fd7a

SHA256
a346464ac38f295ad906b30b7580d3327ae07177d9adf69d526d1cca86a12d74

SHA512
dbd66630d9c40c0cb4aa366c9dc2f2b414eb4de06a703ff1c597d71aa30bdc17070ebca68d560833c87463f1324e2e384f25ed1ea4ea18ce0fee4a0c18286365

Download Submit
\mscomContaineragent\BridgeproviderComponentFontcrt.exe

Filesize
3.5MB

MD5
929a6474e168c22b27c44a6c5bafb212

SHA1
5dc664e00f4cee7846f32452c7d0dbbca928b827

SHA256
5526fe46db69e08ceee75db8b8890f584dd44416586e13f57c57995407e74430

SHA512
0edd7b848d664fa99c16ea4b549460eca75c43602c73eef07efa8169b68451e1b68cd7c1c3dce3bab12adda555184d1e24e13b7961f6f08fbbb42b1b84e55dfe

Download Submit
memory/844-75-0x0000000000AB0000-0x0000000000E3E000-memory.dmp

Filesize
3.6MB

Download
memory/2828-35-0x000000001A910000-0x000000001A926000-memory.dmp

Filesize
88KB

Download
memory/2828-39-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/2828-21-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2828-23-0x00000000008B0000-0x00000000008C8000-memory.dmp

Filesize
96KB

Download
memory/2828-25-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2828-27-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2828-29-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/2828-31-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/2828-33-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/2828-17-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2828-37-0x000000001AAB0000-0x000000001AAC2000-memory.dmp

Filesize
72KB

Download
memory/2828-19-0x0000000000890000-0x00000000008AC000-memory.dmp

Filesize
112KB

Download
memory/2828-41-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2828-43-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2828-45-0x000000001B2C0000-0x000000001B31A000-memory.dmp

Filesize
360KB

Download
memory/2828-47-0x0000000002480000-0x000000000248E000-memory.dmp

Filesize
56KB

Download
memory/2828-49-0x000000001AAD0000-0x000000001AAE0000-memory.dmp

Filesize
64KB

Download
memory/2828-51-0x000000001AAE0000-0x000000001AAEE000-memory.dmp

Filesize
56KB

Download
memory/2828-53-0x000000001AB10000-0x000000001AB28000-memory.dmp

Filesize
96KB

Download
memory/2828-55-0x000000001AAF0000-0x000000001AAFC000-memory.dmp

Filesize
48KB

Download
memory/2828-57-0x000000001B370000-0x000000001B3BE000-memory.dmp

Filesize
312KB

Download
memory/2828-15-0x0000000000860000-0x0000000000886000-memory.dmp

Filesize
152KB

Download
memory/2828-13-0x0000000000320000-0x00000000006AE000-memory.dmp

Filesize
3.6MB

Download