dcrat | 7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

Analysis

max time kernel
118s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Size

1.8MB
MD5

4f964ada28fa2dde5c75d3c3682e69c4
SHA1

481a0ddc3dfd39147abf684b60b6a0b1dfbbc341
SHA256

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945
SHA512

ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68
SSDEEP

24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2500	schtasks.exe	30

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/3064-1-0x0000000000110000-0x00000000002DA000-memory.dmp	family_dcrat_v2
behavioral1/files/0x00510000000120f4-54.dat	family_dcrat_v2
behavioral1/memory/1068-55-0x0000000000920000-0x0000000000AEA000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
1068	updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5C2B7135CA4B401D9027B07CCCCB4EB.TMP	csc.exe
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2964	schtasks.exe
2832	schtasks.exe
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Token: SeDebugPrivilege	1068	updater.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2836	3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	34
PID 3064 wrote to memory of 2836	3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	34
PID 3064 wrote to memory of 2836	3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	34
PID 2836 wrote to memory of 2984	2836	csc.exe	36
PID 2836 wrote to memory of 2984	2836	csc.exe	36
PID 2836 wrote to memory of 2984	2836	csc.exe	36
PID 3064 wrote to memory of 2816	3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	37
PID 3064 wrote to memory of 2816	3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	37
PID 3064 wrote to memory of 2816	3064	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	37
PID 2816 wrote to memory of 2700	2816	cmd.exe	39
PID 2816 wrote to memory of 2700	2816	cmd.exe	39
PID 2816 wrote to memory of 2700	2816	cmd.exe	39
PID 2816 wrote to memory of 2720	2816	cmd.exe	40
PID 2816 wrote to memory of 2720	2816	cmd.exe	40
PID 2816 wrote to memory of 2720	2816	cmd.exe	40
PID 2816 wrote to memory of 1068	2816	cmd.exe	42
PID 2816 wrote to memory of 1068	2816	cmd.exe	42
PID 2816 wrote to memory of 1068	2816	cmd.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
"C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hns5laec\hns5laec.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC311.tmp" "c:\Windows\System32\CSC5C2B7135CA4B401D9027B07CCCCB4EB.TMP"
    3⤵
    PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uvMahFfpeO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2700
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2720
- - C:\Users\Admin\AppData\Local\updater.exe
    "C:\Users\Admin\AppData\Local\updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC311.tmp

Filesize
1KB

MD5
bd42d53962ea320cfe37ee8bd0c5f824

SHA1
f7912ad2970b935114d4a443665e708d6f6a0ef9

SHA256
accc738b85e727e24f6e2daef07cb6137cb2a138667baa9fa930fe2ac194591f

SHA512
f90fae3c8c4f07acf5170ddfc0df850bdb6c2d43214a3e8da3e5d43677ae902605bc07188b9b3f9f7a324fdbdecb876ccf2ba36fb067be746ca909849df576bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvMahFfpeO.bat

Filesize
216B

MD5
37980492e2935c1d0f7dcd7f805d4e71

SHA1
49f5be0ea907475ee092a072ed78a72cefb9a94e

SHA256
0ac46facd7aefffe3bb7bdf3312f32da631eed2c4e4cddbf89efbb5d2f264309

SHA512
0206b6bc8381aee28df10dca876b97227d577e7e14287ba96a4cb6614b8c92a3bd625ea1a43db4780f970ac3c088225c58a73af19b0dce4d9106a22fbc850891

Download Submit
C:\Users\Admin\AppData\Local\updater.exe

Filesize
1.8MB

MD5
4f964ada28fa2dde5c75d3c3682e69c4

SHA1
481a0ddc3dfd39147abf684b60b6a0b1dfbbc341

SHA256
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

SHA512
ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hns5laec\hns5laec.0.cs

Filesize
372B

MD5
79c763424742ce6d91e774683ce71eb9

SHA1
7790950bc16f52fe841112b0eadf525865f53260

SHA256
0ef02d395939903deb409511ee7dea7309316c853c5c24eeea1ce6eb4e612a50

SHA512
e82f7ed5642ca44f3191b857ad798ac6083e9c981bf610df6ed1df87edc01f3e11d5cb41446e01d3b1bc2b53953263992fde5849182c5b6c7fd35d6278b218e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hns5laec\hns5laec.cmdline

Filesize
235B

MD5
49578e54be37bcfafc6253788cf25517

SHA1
a28b6e9193a89f92b14deabea23ee54a44685759

SHA256
feb3f0d029cda39a13ab7ff3f58b05826a97510c8ad384283d464ed91b53c418

SHA512
ab0923a8f4b32aca245b2f58304f7819dc40abb5cd752458f88cfca2ff413e5e4b0e12cd2b91d14e78565fce771d8caa5cb8ad3290a35fdf45d398aaf0b688b0

Download Submit
\??\c:\Windows\System32\CSC5C2B7135CA4B401D9027B07CCCCB4EB.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
memory/1068-55-0x0000000000920000-0x0000000000AEA000-memory.dmp

Filesize
1.8MB

Download
memory/3064-22-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-29-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-14-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/3064-16-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/3064-17-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-19-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/3064-21-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/3064-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/3064-24-0x00000000023C0000-0x000000000241A000-memory.dmp

Filesize
360KB

Download
memory/3064-26-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/3064-28-0x0000000002420000-0x000000000246E000-memory.dmp

Filesize
312KB

Download
memory/3064-12-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/3064-30-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-33-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-34-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-10-0x0000000000420000-0x0000000000438000-memory.dmp

Filesize
96KB

Download
memory/3064-8-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-7-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/3064-6-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/3064-52-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-4-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/3064-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-1-0x0000000000110000-0x00000000002DA000-memory.dmp

Filesize
1.8MB

Download