dcrat | c68964901508a7967bb32907bab8e273717e01d0c3195318a0fb6b0032157632

Analysis

max time kernel
23s
max time network
26s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nnneeeewww.exe
Size

5.2MB
MD5

360bb48ef6acca7233580b6cb8b6a3a9
SHA1

baf21bee8e1ec86b4e0b99a19ff869d3be8de292
SHA256

c68964901508a7967bb32907bab8e273717e01d0c3195318a0fb6b0032157632
SHA512

0380b0d64c18c42123838bf40aa75c8145a9a7b44bb3578d5e8e86870fee8ff70da5f07edbd13ceb8060388b5d94a39cd12df927a138115e4c9cf2ea45da9d48
SSDEEP

98304:B7ITYiOxf286tRJkCNFoPqkk9RbXUyH5/B1YIe39eyJOkyYjufmS:BkTQx/6XKyFmq7RjH5//YIeoyJOkysul

Score

10^/10

dcrat discovery infostealer rat upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x001900000002ab2c-26.dat	dcrat
behavioral2/memory/2008-28-0x0000018EAFBE0000-0x0000018EAFC42000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
4120	jaQVQp40C9Rgjj5Fe8OA.exe
2008	crtperf.exe
2028	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5000-0-0x0000000000F00000-0x0000000000FA2000-memory.dmp	upx
behavioral2/memory/5000-11-0x0000000000F00000-0x0000000000FA2000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_165093\55b276f4edf653fe07efe8f1ecc32d3d195abd16	crtperf.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	crtperf.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	crtperf.exe
File created	C:\Program Files\Microsoft Office\Office16\csrss.exe	crtperf.exe
File created	C:\Program Files\Microsoft Office\Office16\886983d96e3d3e31032c679b2d4ea91b6c05afef	crtperf.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_165093\StartMenuExperienceHost.exe	crtperf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\spoolsv.exe	crtperf.exe
File created	C:\Windows\ja-JP\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	crtperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nnneeeewww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaQVQp40C9Rgjj5Fe8OA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	jaQVQp40C9Rgjj5Fe8OA.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	nnneeeewww.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3096	schtasks.exe
1356	schtasks.exe
3480	schtasks.exe
4308	schtasks.exe
1532	schtasks.exe
2816	schtasks.exe
2456	schtasks.exe
988	schtasks.exe
4732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	crtperf.exe
2028	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	crtperf.exe
Token: SeDebugPrivilege	2028	cmd.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 1240	5000	nnneeeewww.exe	77
PID 5000 wrote to memory of 1240	5000	nnneeeewww.exe	77
PID 5000 wrote to memory of 1240	5000	nnneeeewww.exe	77
PID 1240 wrote to memory of 3536	1240	WScript.exe	78
PID 1240 wrote to memory of 3536	1240	WScript.exe	78
PID 1240 wrote to memory of 3536	1240	WScript.exe	78
PID 3536 wrote to memory of 4120	3536	cmd.exe	80
PID 3536 wrote to memory of 4120	3536	cmd.exe	80
PID 3536 wrote to memory of 4120	3536	cmd.exe	80
PID 4120 wrote to memory of 876	4120	jaQVQp40C9Rgjj5Fe8OA.exe	81
PID 4120 wrote to memory of 876	4120	jaQVQp40C9Rgjj5Fe8OA.exe	81
PID 4120 wrote to memory of 876	4120	jaQVQp40C9Rgjj5Fe8OA.exe	81
PID 876 wrote to memory of 2436	876	WScript.exe	82
PID 876 wrote to memory of 2436	876	WScript.exe	82
PID 876 wrote to memory of 2436	876	WScript.exe	82
PID 2436 wrote to memory of 2008	2436	cmd.exe	84
PID 2436 wrote to memory of 2008	2436	cmd.exe	84
PID 2008 wrote to memory of 988	2008	crtperf.exe	86
PID 2008 wrote to memory of 988	2008	crtperf.exe	86
PID 2008 wrote to memory of 4732	2008	crtperf.exe	88
PID 2008 wrote to memory of 4732	2008	crtperf.exe	88
PID 2008 wrote to memory of 3096	2008	crtperf.exe	90
PID 2008 wrote to memory of 3096	2008	crtperf.exe	90
PID 2008 wrote to memory of 1356	2008	crtperf.exe	92
PID 2008 wrote to memory of 1356	2008	crtperf.exe	92
PID 2008 wrote to memory of 3480	2008	crtperf.exe	94
PID 2008 wrote to memory of 3480	2008	crtperf.exe	94
PID 2008 wrote to memory of 4308	2008	crtperf.exe	96
PID 2008 wrote to memory of 4308	2008	crtperf.exe	96
PID 2008 wrote to memory of 1532	2008	crtperf.exe	98
PID 2008 wrote to memory of 1532	2008	crtperf.exe	98
PID 2008 wrote to memory of 2816	2008	crtperf.exe	100
PID 2008 wrote to memory of 2816	2008	crtperf.exe	100
PID 2008 wrote to memory of 2456	2008	crtperf.exe	102
PID 2008 wrote to memory of 2456	2008	crtperf.exe	102
PID 2008 wrote to memory of 2028	2008	crtperf.exe	104
PID 2008 wrote to memory of 2028	2008	crtperf.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe
"C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe
      jaQVQp40C9Rgjj5Fe8OA.exe -p73efbcbe560b284fb9498be6d6b28e842ea7f493
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\commoncrt\crtperf.exe
        
        "C:\commoncrt\crtperf.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4732
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_165093\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\PerfLogs\dwm.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3480
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ja-JP\spoolsv.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\commoncrt\cmd.exe'" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2456
        
        C:\commoncrt\cmd.exe
        
        "C:\commoncrt\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe

Filesize
145B

MD5
804866ce16200d32a1019893b53d32d7

SHA1
fa77f544aaf9cfbab2ba762a1d30432217abf71d

SHA256
a6ed52f5e59d0af7380c5ed81255615b4106c024130769d7a36c523093baeda4

SHA512
8c2c9f2b91e2fbae6400725264cf1b269cd8d6f79876fcf2e0524514217e113efdea3887ea53f48d0f196d23774e8f39cf229da9f0b90f6785a76c1050599510

Download Submit
C:\commoncrt\crtperf.exe

Filesize
364KB

MD5
438a5ba9f82c913cf3d1d1b92779c0eb

SHA1
d9261f194ac5ae67e4363f555413fc1f6be7bdba

SHA256
659c43df149031ed0949fededae6bd2a6160c575165961a3cb9c4d568e953ce3

SHA512
710f1b4aba364ec4a75bf453360dbd41a644584a911376a45bf26c0b08cd52f69e1dfb6801a18d7ff3e8cf996f64330f941298fdfae9a18a67eb1a4c7393e7a3

Download Submit
C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat

Filesize
26B

MD5
e573d5582c49ff522d91609451481e6d

SHA1
640824dadcede6d72ff999dbddb13e21f8d1d8e7

SHA256
f82859f7c17ef4fb6639cb5427e434e6b87c92e419bc9c4548c0e7d637a0d670

SHA512
43c41a28474660848d1b470ab7caf10a206b8a8502d4daa8221401d3883a465c72828398237209665fa203aff886d37aa321ea54c4a332689e6bb533a6fdc949

Download Submit
C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe

Filesize
670KB

MD5
06461bc3be1e5138def7ddb7ea68e958

SHA1
a234c9952d34a0db30102404d0e08e62ae2c21cf

SHA256
449aaa3f15d5eae3c77b03e8118b6183a7b6b163a13ab93e8ec98adde297caed

SHA512
6059479859b979b69ab4bd01bf9fb6c1a00331c54a66cb43d3f35a8a099b65dff1ed01158bd4e6c76bd45f9b9db3d0cd495dd5d09cd60f8c22b706541d69d955

Download Submit
C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat

Filesize
563B

MD5
a8df6c84fe7ba033e7013f5827f3b6fe

SHA1
3cb090124280d8eb205d7d262337e145993eba30

SHA256
b5e68b5b417fe7062b49107fa8b1d908075a8def5dc764f71820cad9c232a121

SHA512
326d725ac5744efd1a63e8bcb829c332d4bc0ea158aeac10cfcbd9de0934bd5d313ef35ea66ae59cc8832f482e4376d0b21ac5afb766f226611aa3a4d469131a

Download Submit
C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe

Filesize
221B

MD5
11be5f2ee4abaccbf4ffa714494b86cc

SHA1
07f6fa377258c7404efdd7793c1b1637a69d3eeb

SHA256
a7e27661c96469ff37738b10bd4a639f0242050fe94a0efa4775b8bdb079a6b9

SHA512
51fd36c016df8739cdb522f3ffc2be387b8286f751b2381bef084bc99995a10b3342fd356525db76445b70bff82275c1bff9aabcfeef5f0ce15088c757efae7c

Download Submit
memory/2008-28-0x0000018EAFBE0000-0x0000018EAFC42000-memory.dmp

Filesize
392KB

Download
memory/5000-0-0x0000000000F00000-0x0000000000FA2000-memory.dmp

Filesize
648KB

Download
memory/5000-11-0x0000000000F00000-0x0000000000FA2000-memory.dmp

Filesize
648KB

Download