dcrat | 7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
Size

3.8MB
MD5

c9e9ee7477dd04ce2017fc1402f5461c
SHA1

22154f137d253bfe5e135859c9a26778a64391fc
SHA256

7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a
SHA512

67339aea037be21b8f043d0ff84bbb6013de59bd435a9945837a983001d44a804ae864fbf68695d52829681634d4a903debc5ebbb8b8e6f7770ee6ab923616b8
SSDEEP

98304:ytU7z9qNUzrsxu3CFZZK8USGlV8ajG1SN6QSi:y0zgQyFavJlQ1ScQf

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	BridgeproviderComponentFontcrt.exe

Executes dropped EXE 2 IoCs

pid	Process
4532	BridgeproviderComponentFontcrt.exe
3592	TextInputHost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\66fc9ff0ee96c2	BridgeproviderComponentFontcrt.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe	BridgeproviderComponentFontcrt.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ebf1f9fa8afd6d	BridgeproviderComponentFontcrt.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\sihost.exe	BridgeproviderComponentFontcrt.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\66fc9ff0ee96c2	BridgeproviderComponentFontcrt.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\sihost.exe	BridgeproviderComponentFontcrt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	BridgeproviderComponentFontcrt.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe
4532	BridgeproviderComponentFontcrt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	BridgeproviderComponentFontcrt.exe
Token: SeDebugPrivilege	3592	TextInputHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2848	2284	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	83
PID 2284 wrote to memory of 2848	2284	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	83
PID 2284 wrote to memory of 2848	2284	7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe	83
PID 2848 wrote to memory of 2556	2848	WScript.exe	97
PID 2848 wrote to memory of 2556	2848	WScript.exe	97
PID 2848 wrote to memory of 2556	2848	WScript.exe	97
PID 2556 wrote to memory of 4532	2556	cmd.exe	99
PID 2556 wrote to memory of 4532	2556	cmd.exe	99
PID 4532 wrote to memory of 3000	4532	BridgeproviderComponentFontcrt.exe	101
PID 4532 wrote to memory of 3000	4532	BridgeproviderComponentFontcrt.exe	101
PID 3000 wrote to memory of 2432	3000	cmd.exe	104
PID 3000 wrote to memory of 2432	3000	cmd.exe	104
PID 3000 wrote to memory of 4972	3000	cmd.exe	105
PID 3000 wrote to memory of 4972	3000	cmd.exe	105
PID 3000 wrote to memory of 3592	3000	cmd.exe	108
PID 3000 wrote to memory of 3592	3000	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe
"C:\Users\Admin\AppData\Local\Temp\7a2a16cd9673a747cce1246193609d566e610beead345dbc838e5ebda15a318a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mscomContaineragent\1ggcrtMDOIpDj6NMU6zi0PNdec8GZE6fRcycTIRnqa8yg5np31k.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\mscomContaineragent\K4TsmH6x0L8c7gsd2xa978PfuccU.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\mscomContaineragent\BridgeproviderComponentFontcrt.exe
      "C:\mscomContaineragent/BridgeproviderComponentFontcrt.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ggl00lYGF.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2432
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4972
      - C:\Users\Default User\TextInputHost.exe
        
        "C:\Users\Default User\TextInputHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5Ggl00lYGF.bat

Filesize
215B

MD5
a46da38b7384faff2c0b07ac7f90ff4b

SHA1
00969b5ef7b7013cc29047e1211633e2c583e19b

SHA256
8accd7e490b40cae7f85c5e3a4a7955a078bd87a12b50b6903ad817e9c41032c

SHA512
6982ea0777a6ca15f889a014303c86ac037c08b5dfa5f0f1698273632e0ea67c76934dd54cd7c42e6fea519c7249ed648495bfe82bf67cef201161501574547f

Download Submit
C:\mscomContaineragent\1ggcrtMDOIpDj6NMU6zi0PNdec8GZE6fRcycTIRnqa8yg5np31k.vbe

Filesize
226B

MD5
b2082877b156a0ca794cffb107e5ecc7

SHA1
4bb42e5b58e22dcfca31a5472b7b37c8e65aa10e

SHA256
ae25630353f248e39628b3907ac7c04963d8845b91b89407220a43c937b9940e

SHA512
921d0d0a86fddedddc808d0857d93865f945c8223bf383488b448d4c8a16458115f4cba79458200b869e7509a4b479884b5737a43dbe7ac4e5d78c6122a37e29

Download Submit
C:\mscomContaineragent\BridgeproviderComponentFontcrt.exe

Filesize
3.5MB

MD5
929a6474e168c22b27c44a6c5bafb212

SHA1
5dc664e00f4cee7846f32452c7d0dbbca928b827

SHA256
5526fe46db69e08ceee75db8b8890f584dd44416586e13f57c57995407e74430

SHA512
0edd7b848d664fa99c16ea4b549460eca75c43602c73eef07efa8169b68451e1b68cd7c1c3dce3bab12adda555184d1e24e13b7961f6f08fbbb42b1b84e55dfe

Download Submit
C:\mscomContaineragent\K4TsmH6x0L8c7gsd2xa978PfuccU.bat

Filesize
96B

MD5
35ba19fb2b11c866b8d4773346a37893

SHA1
615381c6049330cf8f95ca448aa2392975e6fd7a

SHA256
a346464ac38f295ad906b30b7580d3327ae07177d9adf69d526d1cca86a12d74

SHA512
dbd66630d9c40c0cb4aa366c9dc2f2b414eb4de06a703ff1c597d71aa30bdc17070ebca68d560833c87463f1324e2e384f25ed1ea4ea18ce0fee4a0c18286365

Download Submit
memory/3592-103-0x000000001D0C0000-0x000000001D0C8000-memory.dmp

Filesize
32KB

Download
memory/3592-102-0x000000001D250000-0x000000001D2BB000-memory.dmp

Filesize
428KB

Download
memory/4532-36-0x000000001D4B0000-0x000000001D4C6000-memory.dmp

Filesize
88KB

Download
memory/4532-41-0x000000001D410000-0x000000001D41E000-memory.dmp

Filesize
56KB

Download
memory/4532-20-0x000000001D440000-0x000000001D490000-memory.dmp

Filesize
320KB

Download
memory/4532-22-0x0000000001B80000-0x0000000001B90000-memory.dmp

Filesize
64KB

Download
memory/4532-24-0x000000001BFE0000-0x000000001BFF8000-memory.dmp

Filesize
96KB

Download
memory/4532-26-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/4532-28-0x0000000003490000-0x00000000034A0000-memory.dmp

Filesize
64KB

Download
memory/4532-30-0x000000001D3F0000-0x000000001D3FE000-memory.dmp

Filesize
56KB

Download
memory/4532-32-0x000000001D420000-0x000000001D432000-memory.dmp

Filesize
72KB

Download
memory/4532-34-0x000000001D400000-0x000000001D410000-memory.dmp

Filesize
64KB

Download
memory/4532-17-0x0000000001B70000-0x0000000001B7E000-memory.dmp

Filesize
56KB

Download
memory/4532-38-0x000000001D4D0000-0x000000001D4E2000-memory.dmp

Filesize
72KB

Download
memory/4532-39-0x000000001DA20000-0x000000001DF48000-memory.dmp

Filesize
5.2MB

Download
memory/4532-19-0x000000001BFC0000-0x000000001BFDC000-memory.dmp

Filesize
112KB

Download
memory/4532-43-0x000000001D490000-0x000000001D4A0000-memory.dmp

Filesize
64KB

Download
memory/4532-45-0x000000001D4A0000-0x000000001D4B0000-memory.dmp

Filesize
64KB

Download
memory/4532-47-0x000000001D550000-0x000000001D5AA000-memory.dmp

Filesize
360KB

Download
memory/4532-49-0x000000001D4F0000-0x000000001D4FE000-memory.dmp

Filesize
56KB

Download
memory/4532-51-0x000000001D500000-0x000000001D510000-memory.dmp

Filesize
64KB

Download
memory/4532-53-0x000000001D510000-0x000000001D51E000-memory.dmp

Filesize
56KB

Download
memory/4532-55-0x000000001D5B0000-0x000000001D5C8000-memory.dmp

Filesize
96KB

Download
memory/4532-57-0x000000001D520000-0x000000001D52C000-memory.dmp

Filesize
48KB

Download
memory/4532-59-0x000000001D620000-0x000000001D66E000-memory.dmp

Filesize
312KB

Download
memory/4532-15-0x000000001C010000-0x000000001C036000-memory.dmp

Filesize
152KB

Download
memory/4532-13-0x0000000000EF0000-0x000000000127E000-memory.dmp

Filesize
3.6MB

Download
memory/4532-12-0x00007FFBBCA63000-0x00007FFBBCA65000-memory.dmp

Filesize
8KB

Download