dcrat | bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48B90C11912E9C7147D86C55D1E2CC94.exe
Size

2.4MB
MD5

48b90c11912e9c7147d86c55d1e2cc94
SHA1

ffc71fb727607913aa176c85f75972f1ac6fda7c
SHA256

bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7
SHA512

175b7358de82827ca29ecef204fa2451ba44e3e3fc373f65bc40d2d888d43a5d0bc778a78f714e47369b8d9a5b37faa4106e912bb53b13791714d1c7773431f8
SSDEEP

24576:WCihq6FXaYuCw7sULqPyZwSxIshnWIjm7vZAjX+ez87TkQPI1QOmYNnNQ671:VihHsYIlwSx9WkiLekTk1FN

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2004-0-0x0000000000A80000-0x0000000000CF6000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0007000000023cbb-63.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	48B90C11912E9C7147D86C55D1E2CC94.exe

Executes dropped EXE 1 IoCs

pid	Process
4580	lsass.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\it-IT\lsass.exe	48B90C11912E9C7147D86C55D1E2CC94.exe
File created	C:\Windows\PolicyDefinitions\it-IT\6203df4a6bafc7	48B90C11912E9C7147D86C55D1E2CC94.exe
File created	C:\Windows\servicing\InboxFodMetadataCache\48B90C11912E9C7147D86C55D1E2CC94.exe	48B90C11912E9C7147D86C55D1E2CC94.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3732	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	48B90C11912E9C7147D86C55D1E2CC94.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3732	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe
2004	48B90C11912E9C7147D86C55D1E2CC94.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4580	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	48B90C11912E9C7147D86C55D1E2CC94.exe
Token: SeDebugPrivilege	4580	lsass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3144	2004	48B90C11912E9C7147D86C55D1E2CC94.exe	83
PID 2004 wrote to memory of 3144	2004	48B90C11912E9C7147D86C55D1E2CC94.exe	83
PID 3144 wrote to memory of 4052	3144	cmd.exe	85
PID 3144 wrote to memory of 4052	3144	cmd.exe	85
PID 3144 wrote to memory of 3732	3144	cmd.exe	86
PID 3144 wrote to memory of 3732	3144	cmd.exe	86
PID 3144 wrote to memory of 4580	3144	cmd.exe	96
PID 3144 wrote to memory of 4580	3144	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\48B90C11912E9C7147D86C55D1E2CC94.exe
"C:\Users\Admin\AppData\Local\Temp\48B90C11912E9C7147D86C55D1E2CC94.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5TFU6x2H8i.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4052
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3732
- - C:\Windows\PolicyDefinitions\it-IT\lsass.exe
    "C:\Windows\PolicyDefinitions\it-IT\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
2.4MB

MD5
48b90c11912e9c7147d86c55d1e2cc94

SHA1
ffc71fb727607913aa176c85f75972f1ac6fda7c

SHA256
bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7

SHA512
175b7358de82827ca29ecef204fa2451ba44e3e3fc373f65bc40d2d888d43a5d0bc778a78f714e47369b8d9a5b37faa4106e912bb53b13791714d1c7773431f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5TFU6x2H8i.bat

Filesize
172B

MD5
9a8cb6533b090b011562fa86bb689229

SHA1
a41516d4b55e08a6cb0fe6cee760af328b3fc2e7

SHA256
fddf54af15daac888851b4f6536457d66435a6d5f46d305365aebd76762439ed

SHA512
4a4097b7e98c78518cad96c8891fe4dd676fabe5eaef6f491be7cf1f2920b548c95ed7cc5f3d1d3a093520c5742436992b5d20dd0b055b54b647982e6d794c6a

Download Submit
memory/2004-29-0x000000001BA30000-0x000000001BA46000-memory.dmp

Filesize
88KB

Download
memory/2004-7-0x00000000013A0000-0x00000000013AE000-memory.dmp

Filesize
56KB

Download
memory/2004-5-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/2004-31-0x000000001BA50000-0x000000001BA62000-memory.dmp

Filesize
72KB

Download
memory/2004-9-0x0000000001630000-0x000000000164C000-memory.dmp

Filesize
112KB

Download
memory/2004-32-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/2004-13-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/2004-10-0x0000000002E60000-0x0000000002EB0000-memory.dmp

Filesize
320KB

Download
memory/2004-15-0x0000000002E10000-0x0000000002E28000-memory.dmp

Filesize
96KB

Download
memory/2004-17-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/2004-20-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/2004-19-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/2004-22-0x0000000001410000-0x000000000141E000-memory.dmp

Filesize
56KB

Download
memory/2004-24-0x0000000002EB0000-0x0000000002EC2000-memory.dmp

Filesize
72KB

Download
memory/2004-26-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/2004-27-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/2004-1-0x00007FFDC0AB3000-0x00007FFDC0AB5000-memory.dmp

Filesize
8KB

Download
memory/2004-4-0x00000000013C0000-0x00000000013E6000-memory.dmp

Filesize
152KB

Download
memory/2004-12-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/2004-33-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/2004-36-0x0000000002E30000-0x0000000002E3E000-memory.dmp

Filesize
56KB

Download
memory/2004-34-0x000000001BFA0000-0x000000001C4C8000-memory.dmp

Filesize
5.2MB

Download
memory/2004-38-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/2004-40-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/2004-42-0x000000001BAD0000-0x000000001BB2A000-memory.dmp

Filesize
360KB

Download
memory/2004-44-0x0000000002FE0000-0x0000000002FEE000-memory.dmp

Filesize
56KB

Download
memory/2004-46-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/2004-48-0x000000001BA70000-0x000000001BA7E000-memory.dmp

Filesize
56KB

Download
memory/2004-50-0x000000001BAA0000-0x000000001BAB8000-memory.dmp

Filesize
96KB

Download
memory/2004-52-0x000000001BA80000-0x000000001BA8C000-memory.dmp

Filesize
48KB

Download
memory/2004-54-0x000000001BB80000-0x000000001BBCE000-memory.dmp

Filesize
312KB

Download
memory/2004-2-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/2004-70-0x00007FFDC0AB0000-0x00007FFDC1571000-memory.dmp

Filesize
10.8MB

Download
memory/2004-0-0x0000000000A80000-0x0000000000CF6000-memory.dmp

Filesize
2.5MB

Download
memory/4580-97-0x000000001E840000-0x000000001E9E9000-memory.dmp

Filesize
1.7MB

Download