dcrat | de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FF3F337BA133257BF7EF80C83AF6A374.exe
Size

1.7MB
MD5

ff3f337ba133257bf7ef80c83af6a374
SHA1

6c1746e5455bba5c362db11bf5aef0adaaea6337
SHA256

de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde
SHA512

f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053
SSDEEP

24576:LKoAZDIza+c3NunPWpnVuO2PJftX9fRQY16zIWJC5JUqR8lLr0I4gyid81sRO/F:LKdluO2P3N5QkWtlLr0ICNyO

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	FF3F337BA133257BF7EF80C83AF6A374.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\f3b6ecef712a24	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files\Crashpad\attachments\smss.exe	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files\Crashpad\attachments\69ddcba757bf72	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files\ModifiableWindowsApps\smss.exe	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files\Uninstall Information\Registry.exe	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files\Uninstall Information\ee2ad38f3d4382	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files\Common Files\spoolsv.exe	FF3F337BA133257BF7EF80C83AF6A374.exe
File opened for modification	C:\Program Files\Common Files\spoolsv.exe	FF3F337BA133257BF7EF80C83AF6A374.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\56085415360792	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Windows\Offline Web Pages\wininit.exe	FF3F337BA133257BF7EF80C83AF6A374.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4980	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	FF3F337BA133257BF7EF80C83AF6A374.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4980	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe
2704	schtasks.exe
1784	schtasks.exe
232	schtasks.exe
836	schtasks.exe
1004	schtasks.exe
3400	schtasks.exe
3284	schtasks.exe
4960	schtasks.exe
2660	schtasks.exe
2616	schtasks.exe
2340	schtasks.exe
2900	schtasks.exe
3976	schtasks.exe
3380	schtasks.exe
1284	schtasks.exe
3056	schtasks.exe
2156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
3908	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe
876	FF3F337BA133257BF7EF80C83AF6A374.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
876	FF3F337BA133257BF7EF80C83AF6A374.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	FF3F337BA133257BF7EF80C83AF6A374.exe
Token: SeDebugPrivilege	876	FF3F337BA133257BF7EF80C83AF6A374.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2472	3908	FF3F337BA133257BF7EF80C83AF6A374.exe	101
PID 3908 wrote to memory of 2472	3908	FF3F337BA133257BF7EF80C83AF6A374.exe	101
PID 2472 wrote to memory of 3484	2472	cmd.exe	103
PID 2472 wrote to memory of 3484	2472	cmd.exe	103
PID 2472 wrote to memory of 4980	2472	cmd.exe	104
PID 2472 wrote to memory of 4980	2472	cmd.exe	104
PID 2472 wrote to memory of 876	2472	cmd.exe	111
PID 2472 wrote to memory of 876	2472	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe
"C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NwZlC0Cl87.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3484
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe
    "C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374F" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374F" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FF3F337BA133257BF7EF80C83AF6A374.exe.log

Filesize
1KB

MD5
4ef3ab577fdbd5c7dd815e496ecd5601

SHA1
8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

SHA256
72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

SHA512
ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwZlC0Cl87.bat

Filesize
198B

MD5
816752254ba51c1c91bfffd2ce1a2747

SHA1
dbafabc764faa93d3a0a56a92c2e1f14972f1cdf

SHA256
84328a71982f8aebf653ef6b173e58bb385e0b8753cc2ae9104b8da16e70eac5

SHA512
f8fe3222baa5b2e035ad659646ef00f2e834719ffbcb2403195cfe9a9ee44d99aab48095024188661a8a25b943a787fbe1d80a05065e8eb50b83e8afbb394b18

Download Submit
C:\Users\Public\Idle.exe

Filesize
1.7MB

MD5
ff3f337ba133257bf7ef80c83af6a374

SHA1
6c1746e5455bba5c362db11bf5aef0adaaea6337

SHA256
de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

SHA512
f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053

Download Submit
memory/876-39-0x000000001B580000-0x000000001B5EB000-memory.dmp

Filesize
428KB

Download
memory/3908-4-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-17-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-7-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-10-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-12-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/3908-13-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-9-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download
memory/3908-6-0x0000000000C40000-0x0000000000C4E000-memory.dmp

Filesize
56KB

Download
memory/3908-1-0x0000000000280000-0x0000000000440000-memory.dmp

Filesize
1.8MB

Download
memory/3908-22-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-32-0x00000000025C0000-0x000000000262B000-memory.dmp

Filesize
428KB

Download
memory/3908-33-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-3-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-2-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-0-0x00007FF96A283000-0x00007FF96A285000-memory.dmp

Filesize
8KB

Download