dcrat | bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7

Analysis

max time kernel
119s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
Size

2.4MB
MD5

48b90c11912e9c7147d86c55d1e2cc94
SHA1

ffc71fb727607913aa176c85f75972f1ac6fda7c
SHA256

bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7
SHA512

175b7358de82827ca29ecef204fa2451ba44e3e3fc373f65bc40d2d888d43a5d0bc778a78f714e47369b8d9a5b37faa4106e912bb53b13791714d1c7773431f8
SSDEEP

24576:WCihq6FXaYuCw7sULqPyZwSxIshnWIjm7vZAjX+ez87TkQPI1QOmYNnNQ671:VihHsYIlwSx9WkiLekTk1FN

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2280-1-0x0000000001280000-0x00000000014F6000-memory.dmp	family_dcrat_v2
behavioral1/files/0x00080000000174c3-62.dat	family_dcrat_v2
behavioral1/memory/2116-72-0x00000000013E0000-0x0000000001656000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
2116	WMIADAP.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\6203df4a6bafc7	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1964	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1964	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
Token: SeDebugPrivilege	2116	WMIADAP.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2120	2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe	31
PID 2280 wrote to memory of 2120	2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe	31
PID 2280 wrote to memory of 2120	2280	bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe	31
PID 2120 wrote to memory of 1636	2120	cmd.exe	33
PID 2120 wrote to memory of 1636	2120	cmd.exe	33
PID 2120 wrote to memory of 1636	2120	cmd.exe	33
PID 2120 wrote to memory of 1964	2120	cmd.exe	34
PID 2120 wrote to memory of 1964	2120	cmd.exe	34
PID 2120 wrote to memory of 1964	2120	cmd.exe	34
PID 2120 wrote to memory of 2116	2120	cmd.exe	35
PID 2120 wrote to memory of 2116	2120	cmd.exe	35
PID 2120 wrote to memory of 2116	2120	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe
"C:\Users\Admin\AppData\Local\Temp\bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J1wc3Qd5BY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1636
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1964
- - C:\Users\Public\Pictures\Sample Pictures\WMIADAP.exe
    "C:\Users\Public\Pictures\Sample Pictures\WMIADAP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe

Filesize
2.4MB

MD5
48b90c11912e9c7147d86c55d1e2cc94

SHA1
ffc71fb727607913aa176c85f75972f1ac6fda7c

SHA256
bb0f507a87420a0597cdc40917ea1ba9c9576d3e750db3f9b66802b19550c9e7

SHA512
175b7358de82827ca29ecef204fa2451ba44e3e3fc373f65bc40d2d888d43a5d0bc778a78f714e47369b8d9a5b37faa4106e912bb53b13791714d1c7773431f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\J1wc3Qd5BY.bat

Filesize
180B

MD5
652a86657d4ecb7becb83208b108cda7

SHA1
108fae9fb77908ed23bc2f72aff36fa5eec7d695

SHA256
14b7b295e9fabeee75109c8d90c0cf4c68b190beb721f2fbaf87a26e1b590b02

SHA512
5198fbb7aae7be2c75ca5acb8957cf1bda3df15b164627f942e43276b0261a3d2c76a1f1d06f50b20784e60ab2d99f0f346222f4b3d2c2238a1003fe281cc5f2

Download Submit
memory/2116-72-0x00000000013E0000-0x0000000001656000-memory.dmp

Filesize
2.5MB

Download
memory/2280-30-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-16-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-7-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2280-32-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download
memory/2280-11-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2280-13-0x0000000000A50000-0x0000000000A68000-memory.dmp

Filesize
96KB

Download
memory/2280-15-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2280-34-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2280-18-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2280-20-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/2280-22-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2280-23-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-25-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2280-36-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2280-29-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/2280-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/2280-9-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2280-5-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-27-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download
memory/2280-38-0x000000001A960000-0x000000001A9BA000-memory.dmp

Filesize
360KB

Download
memory/2280-40-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download
memory/2280-41-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-43-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/2280-45-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2280-47-0x0000000000C70000-0x0000000000C88000-memory.dmp

Filesize
96KB

Download
memory/2280-52-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-51-0x000000001AD90000-0x000000001ADDE000-memory.dmp

Filesize
312KB

Download
memory/2280-49-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2280-53-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-4-0x0000000000A00000-0x0000000000A26000-memory.dmp

Filesize
152KB

Download
memory/2280-68-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-1-0x0000000001280000-0x00000000014F6000-memory.dmp

Filesize
2.5MB

Download