Analysis

  • max time kernel
    551s
  • max time network
    597s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    07-12-2024 23:55

General

  • Target

    DCRatBuild.exe

  • Size

    1.9MB

  • MD5

    1ee8448fea979c3ecbd21141a0ea84ef

  • SHA1

    f19958c4e816d94b10d7787ce693251d7c93a16f

  • SHA256

    bb7131d57c39a57b3e35acc18093a76c932a889c592fe2843eb4065ec8b646f0

  • SHA512

    941c038b15068362aec2efb174a324d88566fc7013c2659fbbee4e3f41073b9a50772b45e93a144e178c110b065369d7140fbf5c299221d301c9216066ac5ba7

  • SSDEEP

    24576:2TbBv5rUyXVKhCwi/IrsiTqwhFplFG8P1eI8qzvJ0C0wjZ1xjzj9fIXVIgeTryO2:IBJMVXFG89X8qzhfN1xD9QXVIgeTr7iN

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Containerbroker\lKOMtCPL4q4SacgMeC7cXhP8ahbvPWguTV.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Containerbroker\BhHu3cOSeq1FnFNHV6w5d9GBhXYpDdXk5OtvWMmGHkL6BT20n5qn40Hh.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Containerbroker\portsurrogate.exe
          "C:\Containerbroker/portsurrogate.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gLerBnat3T.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3524
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4616
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2156
              • C:\Containerbroker\portsurrogate.exe
                "C:\Containerbroker\portsurrogate.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4232
                • C:\Windows\system32\mspaint.exe
                  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\голый.jpg"
                  7⤵
                  • Drops file in Windows directory
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:1764
                • C:\Users\Admin\AppData\Local\Catch me.exe
                  "C:\Users\Admin\AppData\Local\Catch me.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3924
                • C:\Windows\System32\shutdown.exe
                  "C:\Windows\System32\shutdown.exe"
                  7⤵
                    PID:3020
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
        1⤵
          PID:5092

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Containerbroker\BhHu3cOSeq1FnFNHV6w5d9GBhXYpDdXk5OtvWMmGHkL6BT20n5qn40Hh.bat

          Filesize

          98B

          MD5

          fd5e33ad0c2bf4e91f2a7deded611b86

          SHA1

          90d7127257f68dc76fd9747c9898a7c2ba5a0cfc

          SHA256

          afaa21d706fdc3d86d851861deb016c3de2e865bdea8e0be9ae67e6b1f10420b

          SHA512

          e849701be2703330c32cbaf0bd5fe02a8eb13b763563a6b262a2e327baf5b8424811a70e6df47395f5cafdba1f710a3d32bf724cd7bd720b8d9b0303250c609e

        • C:\Containerbroker\lKOMtCPL4q4SacgMeC7cXhP8ahbvPWguTV.vbe

          Filesize

          250B

          MD5

          a87ac73f766078fed72e240a824940e5

          SHA1

          79877cdebf53a7c1ef9b361e9656ec4c364f206e

          SHA256

          a5d1d9718f09b6d13105d5a1a561512609762f4b9d204efaf7e0cfe466871469

          SHA512

          4f7f92c41b31a8bcc89b2fafee9efa46ea65ae6da6c74379eb3be98f060dcb2a3237687e1083d79df78e669cb28431cfdcdb7f0189bff169e43b222a230dd220

        • C:\Containerbroker\portsurrogate.exe

          Filesize

          1.6MB

          MD5

          041176338487edefef14877b1e2050d5

          SHA1

          945f5005db47d433fbdabb599ca2790710f0a056

          SHA256

          e1b7ce41ce5f12fb9466fcb9cf687e82883547d6f2c21480fcb7408b9e315fdb

          SHA512

          292f43151ce11b81f096127a9c7d131f423f96f5b31fa54a72c1e4800180837cdf369a7480ed397a18be2fc6803face50ffee172c07ef0a8f9b82793f8b40145

        • C:\Users\Admin\AppData\Local\Catch me.exe

          Filesize

          24KB

          MD5

          4df86625da5b0dddbfea4ef5359224fa

          SHA1

          6903529cd2982db69e3feca486ac2386b10ed6b8

          SHA256

          419ab7aa44c1071066c94e861d508bc7c3751a2e1a495a0369304ac350d5fac7

          SHA512

          0ab04bb00b8f06fda2f7227661411e4f05553cbc36032c4be8841db6b8e8274efd5348eb4175d9811ba0b244fcd493a7c63d9776920c0164364fe54524ffa8f7

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\portsurrogate.exe.log

          Filesize

          1KB

          MD5

          d122c86f83bcdee42ff6f17de46ad0bd

          SHA1

          ba64c5e17a98b2df6d6855d7a88c4f397e355ff7

          SHA256

          1a58a1467e73d956c2ab19ddade6f8fb33feca2cda5a719ff457091a5e0a733d

          SHA512

          943716fa00a8deaec14ea5e1fbb82882e8aff5eeae28d82b6fdffc44a821c47d30cd31dec01e7c2c746d8b4582b392f35d24dba732ef06a51dc738308c012455

        • C:\Users\Admin\AppData\Local\Temp\gLerBnat3T.bat

          Filesize

          164B

          MD5

          3d41fe3b8ce6b7b73e50fb4a5626ac2b

          SHA1

          5e37986e382c7fe9f598c1ec85ad08a9e8cfc688

          SHA256

          7a92572962bc9800cc2388fd98062f1fd89357bcb9b3a1e042c8799674b78d8c

          SHA512

          ac2164b2060fda737961bd2c364c8c3b1e56b99fe408d013c399cc02acc45a69c04104434f5945f86b2dcb55febceb2befbb99bec4848d7b6c07fdb23d69da10

        • C:\Users\Admin\AppData\Local\голый.jpg

          Filesize

          30KB

          MD5

          396d6a420daa8e11f9a2dfbc9223daf1

          SHA1

          f28bc6a3513a6b4f6346424d625aa17e5025de6e

          SHA256

          df6eb59da66d46faae55dd4d6373c97326b10f214bf231db78e4715109068e6b

          SHA512

          b1ab5ffaac35356daa0d9ad3fa01030e60d2276225af25d6a183dc1b0526c87a37c4a671fea3d634111bc83bf823db94130b2ea1de6e52a08b1f6a84fd72c58b

        • memory/1068-15-0x00007FFF5D4F3000-0x00007FFF5D4F5000-memory.dmp

          Filesize

          8KB

        • memory/1068-16-0x0000000000520000-0x00000000006B8000-memory.dmp

          Filesize

          1.6MB

        • memory/4232-37-0x000000001CA10000-0x000000001CA1E000-memory.dmp

          Filesize

          56KB

        • memory/4232-39-0x0000000002A00000-0x0000000002A12000-memory.dmp

          Filesize

          72KB

        • memory/4232-42-0x00000000029F0000-0x0000000002A00000-memory.dmp

          Filesize

          64KB

        • memory/4232-35-0x000000001D0E0000-0x000000001D13A000-memory.dmp

          Filesize

          360KB