dcrat | 7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Size

1.8MB
MD5

4f964ada28fa2dde5c75d3c3682e69c4
SHA1

481a0ddc3dfd39147abf684b60b6a0b1dfbbc341
SHA256

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945
SHA512

ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68
SSDEEP

24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	116	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	116	schtasks.exe	82

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3248-1-0x00000000009F0000-0x0000000000BBA000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0013000000023cac-57.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Executes dropped EXE 1 IoCs

pid	Process
1532	updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCEFEC4A028B040B2AA6C285B152E449E.TMP	csc.exe
File created	\??\c:\Windows\System32\8zj1cq.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2416	schtasks.exe
4220	schtasks.exe
3684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1532	updater.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Token: SeDebugPrivilege	1532	updater.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 2688	3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	86
PID 3248 wrote to memory of 2688	3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	86
PID 2688 wrote to memory of 1556	2688	csc.exe	88
PID 2688 wrote to memory of 1556	2688	csc.exe	88
PID 3248 wrote to memory of 2468	3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	89
PID 3248 wrote to memory of 2468	3248	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	89
PID 2468 wrote to memory of 3956	2468	cmd.exe	91
PID 2468 wrote to memory of 3956	2468	cmd.exe	91
PID 2468 wrote to memory of 3564	2468	cmd.exe	92
PID 2468 wrote to memory of 3564	2468	cmd.exe	92
PID 2468 wrote to memory of 1532	2468	cmd.exe	96
PID 2468 wrote to memory of 1532	2468	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
"C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4wdtetp\x4wdtetp.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCC6.tmp" "c:\Windows\System32\CSCEFEC4A028B040B2AA6C285B152E449E.TMP"
    3⤵
    PID:1556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QPODD9a6uy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3956
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3564
- - C:\Users\Admin\AppData\Local\updater.exe
    "C:\Users\Admin\AppData\Local\updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QPODD9a6uy.bat

Filesize
216B

MD5
9c0be6fe895662eeb0f68e70bf9fe5e7

SHA1
54bef9fb30193749ac9103c3055f02c0e8826d26

SHA256
87826894fe6a06dddedc9d6b8ca3292e942fc6982dc94fd434e84d987db5de8d

SHA512
c4cdea08cc0777630bfbdbbe8577dc0b87d13b2d97a9c0a37ef040d3cb464dc4ac42da53132bd00f091ce1594b8ca70ea8ab4de5c05ca0aacbc6ebaf76e77fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCC6.tmp

Filesize
1KB

MD5
1f62d02fb059b70cb34f303f496327c9

SHA1
81d4569ec99bcb70e8e9ce027b90d12a7fe9e5f8

SHA256
b44a827f44f8e264b7750fb909b89427faf54cc01f798e1e1d57a78760541dc0

SHA512
e57b2b8e268b4a24c206a0c63827c0f86fd184a1133d36f22a3bac57c6e21368e887b1c628a6463c5f9d27b34260fbf2aa29b0e900eeed029f190effa8b328b6

Download Submit
C:\Users\Admin\AppData\Local\updater.exe

Filesize
1.8MB

MD5
4f964ada28fa2dde5c75d3c3682e69c4

SHA1
481a0ddc3dfd39147abf684b60b6a0b1dfbbc341

SHA256
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

SHA512
ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4wdtetp\x4wdtetp.0.cs

Filesize
372B

MD5
d8d0e16b9cb55988967d21d48ac32231

SHA1
d9978b34306c89ca2691e52f8c688735c6f1d9dc

SHA256
8848b1b0bd9982ab0c2e30a65e9b450a9df66734a5087520e62d85538c063eb7

SHA512
33e212ffd80f5c5d27466a5a918187035d47f4a217ad6c6349eeaadc2f077fa2cc88fbea3631d742b658fbdabacc9aaccbeb57db2550ecbbea36882dd1a3fa08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4wdtetp\x4wdtetp.cmdline

Filesize
235B

MD5
eddcd0092265b1e0aac23d3c5ae07580

SHA1
f1224c19f5650122cf9981cf5225abe34554a521

SHA256
81a21a33ad8270afd790f9534dfdec11058a1451416e01ae457dba5ec66bc21f

SHA512
31714b4075d46f4a6652970dbc45dde493fbd72ded23d5508177377a4b7fb234260a973ed83d76a4c143c295e4b62b6a10b0a41eb6f8d5b67b150d69d0c0dc1d

Download Submit
\??\c:\Windows\System32\CSCEFEC4A028B040B2AA6C285B152E449E.TMP

Filesize
1KB

MD5
d544bac668d308d2aba58ded2c13d82d

SHA1
e5dd50ef24d5c16629092f9290661a92387773b3

SHA256
84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02

SHA512
0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0

Download Submit
memory/3248-20-0x0000000002C60000-0x0000000002C6E000-memory.dmp

Filesize
56KB

Download
memory/3248-31-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-11-0x0000000002C70000-0x0000000002C88000-memory.dmp

Filesize
96KB

Download
memory/3248-13-0x0000000002C50000-0x0000000002C5E000-memory.dmp

Filesize
56KB

Download
memory/3248-16-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-18-0x000000001B8E0000-0x000000001B8F6000-memory.dmp

Filesize
88KB

Download
memory/3248-15-0x000000001B8C0000-0x000000001B8D2000-memory.dmp

Filesize
72KB

Download
memory/3248-21-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-0-0x00007FFFD25E3000-0x00007FFFD25E5000-memory.dmp

Filesize
8KB

Download
memory/3248-23-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3248-25-0x000000001B960000-0x000000001B9BA000-memory.dmp

Filesize
360KB

Download
memory/3248-26-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-28-0x0000000002CA0000-0x0000000002CAE000-memory.dmp

Filesize
56KB

Download
memory/3248-9-0x0000000002DC0000-0x0000000002E10000-memory.dmp

Filesize
320KB

Download
memory/3248-30-0x000000001B9C0000-0x000000001BA0E000-memory.dmp

Filesize
312KB

Download
memory/3248-34-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-35-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-36-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-8-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-7-0x0000000001480000-0x000000000149C000-memory.dmp

Filesize
112KB

Download
memory/3248-6-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/3248-4-0x0000000001470000-0x000000000147E000-memory.dmp

Filesize
56KB

Download
memory/3248-54-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-2-0x00007FFFD25E0000-0x00007FFFD30A1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-1-0x00000000009F0000-0x0000000000BBA000-memory.dmp

Filesize
1.8MB

Download