dcrat | de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

Analysis

max time kernel
119s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FF3F337BA133257BF7EF80C83AF6A374.exe
Size

1.7MB
MD5

ff3f337ba133257bf7ef80c83af6a374
SHA1

6c1746e5455bba5c362db11bf5aef0adaaea6337
SHA256

de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde
SHA512

f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053
SSDEEP

24576:LKoAZDIza+c3NunPWpnVuO2PJftX9fRQY16zIWJC5JUqR8lLr0I4gyid81sRO/F:LKdluO2P3N5QkWtlLr0ICNyO

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2820	schtasks.exe	30

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\de-DE\27d1bcfc3c54e0	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe	FF3F337BA133257BF7EF80C83AF6A374.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\24dbde2999530e	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\System.exe	FF3F337BA133257BF7EF80C83AF6A374.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
2632	schtasks.exe
2792	schtasks.exe
908	schtasks.exe
1692	schtasks.exe
2624	schtasks.exe
556	schtasks.exe
3048	schtasks.exe
944	schtasks.exe
584	schtasks.exe
2880	schtasks.exe
2972	schtasks.exe
2656	schtasks.exe
1008	schtasks.exe
1552	schtasks.exe
2988	schtasks.exe
3004	schtasks.exe
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
1300	FF3F337BA133257BF7EF80C83AF6A374.exe
2132	FF3F337BA133257BF7EF80C83AF6A374.exe
2132	FF3F337BA133257BF7EF80C83AF6A374.exe
2132	FF3F337BA133257BF7EF80C83AF6A374.exe
2132	FF3F337BA133257BF7EF80C83AF6A374.exe
2132	FF3F337BA133257BF7EF80C83AF6A374.exe
2132	FF3F337BA133257BF7EF80C83AF6A374.exe
2132	FF3F337BA133257BF7EF80C83AF6A374.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	FF3F337BA133257BF7EF80C83AF6A374.exe
Token: SeDebugPrivilege	2132	FF3F337BA133257BF7EF80C83AF6A374.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 3056	1300	FF3F337BA133257BF7EF80C83AF6A374.exe	49
PID 1300 wrote to memory of 3056	1300	FF3F337BA133257BF7EF80C83AF6A374.exe	49
PID 1300 wrote to memory of 3056	1300	FF3F337BA133257BF7EF80C83AF6A374.exe	49
PID 3056 wrote to memory of 608	3056	cmd.exe	51
PID 3056 wrote to memory of 608	3056	cmd.exe	51
PID 3056 wrote to memory of 608	3056	cmd.exe	51
PID 3056 wrote to memory of 1664	3056	cmd.exe	52
PID 3056 wrote to memory of 1664	3056	cmd.exe	52
PID 3056 wrote to memory of 1664	3056	cmd.exe	52
PID 3056 wrote to memory of 2132	3056	cmd.exe	54
PID 3056 wrote to memory of 2132	3056	cmd.exe	54
PID 3056 wrote to memory of 2132	3056	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe
"C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biK9R8vS54.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:608
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1664
- - C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe
    "C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374F" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374F" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\de-DE\System.exe

Filesize
1.7MB

MD5
ff3f337ba133257bf7ef80c83af6a374

SHA1
6c1746e5455bba5c362db11bf5aef0adaaea6337

SHA256
de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

SHA512
f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\biK9R8vS54.bat

Filesize
246B

MD5
bb0bc62f34f792274ea08e6eb2df4927

SHA1
6b641bd183a8ffdc3d8530f9072024e9daedb1d5

SHA256
d02263ab1a4ecdde7f6ea5de43c76f4b53ef8342d607854c42340faf5a735faf

SHA512
754e7adce98add77d7fb61c011f9a74136d79ebcf23049243173276d63807fa41661b173d6eda765b48aec0833e756811f8bdc0850686921f304bf71128309df

Download Submit
memory/1300-11-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1300-13-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1300-4-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1300-6-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/1300-8-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/1300-10-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1300-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/1300-3-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1300-16-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1300-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1300-25-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1300-30-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1300-1-0x00000000013B0000-0x0000000001570000-memory.dmp

Filesize
1.8MB

Download
memory/2132-32-0x0000000000350000-0x0000000000510000-memory.dmp

Filesize
1.8MB

Download