dcrat | de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FF3F337BA133257BF7EF80C83AF6A374.exe
Size

1.7MB
MD5

ff3f337ba133257bf7ef80c83af6a374
SHA1

6c1746e5455bba5c362db11bf5aef0adaaea6337
SHA256

de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde
SHA512

f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053
SSDEEP

24576:LKoAZDIza+c3NunPWpnVuO2PJftX9fRQY16zIWJC5JUqR8lLr0I4gyid81sRO/F:LKdluO2P3N5QkWtlLr0ICNyO

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4300	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	4300	schtasks.exe	83

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	FF3F337BA133257BF7EF80C83AF6A374.exe

Executes dropped EXE 1 IoCs

pid	Process
4016	wininit.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Media\Garden\fontdrvhost.exe	FF3F337BA133257BF7EF80C83AF6A374.exe
File created	C:\Windows\Media\Garden\5b884080fd4f94	FF3F337BA133257BF7EF80C83AF6A374.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	FF3F337BA133257BF7EF80C83AF6A374.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4044	schtasks.exe
5080	schtasks.exe
4296	schtasks.exe
3076	schtasks.exe
3932	schtasks.exe
4216	schtasks.exe
4924	schtasks.exe
4712	schtasks.exe
3084	schtasks.exe
5096	schtasks.exe
2432	schtasks.exe
4872	schtasks.exe
3820	schtasks.exe
4980	schtasks.exe
5052	schtasks.exe
2544	schtasks.exe
744	schtasks.exe
2204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
2156	FF3F337BA133257BF7EF80C83AF6A374.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe
4016	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	FF3F337BA133257BF7EF80C83AF6A374.exe
Token: SeDebugPrivilege	4016	wininit.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3440	2156	FF3F337BA133257BF7EF80C83AF6A374.exe	102
PID 2156 wrote to memory of 3440	2156	FF3F337BA133257BF7EF80C83AF6A374.exe	102
PID 3440 wrote to memory of 2240	3440	cmd.exe	104
PID 3440 wrote to memory of 2240	3440	cmd.exe	104
PID 3440 wrote to memory of 2720	3440	cmd.exe	105
PID 3440 wrote to memory of 2720	3440	cmd.exe	105
PID 3440 wrote to memory of 4016	3440	cmd.exe	111
PID 3440 wrote to memory of 4016	3440	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe
"C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M7irfc689p.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2240
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2720
- - C:\Recovery\WindowsRE\wininit.exe
    "C:\Recovery\WindowsRE\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Garden\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Media\Garden\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Garden\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374F" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FF3F337BA133257BF7EF80C83AF6A374F" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\FF3F337BA133257BF7EF80C83AF6A374.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\M7irfc689p.bat

Filesize
209B

MD5
7c6c02ee2c365fc250e7f14e2fc2d70c

SHA1
34e93d4d61de47f44810d82912ac281d8211e0aa

SHA256
7403d9655cea7a2f1fd9ca0729b34d2abc39b83cd4c7ff277e45f89db518f378

SHA512
21fbc159a304437a8e5fcfa95b37f4f3f6ef6ad3c50bd99171ad726ec448b333a4433037915250728df6b1f109a7980bce4f983f388a907003ebe32e9da5446e

Download Submit
C:\Windows\Media\Garden\fontdrvhost.exe

Filesize
1.7MB

MD5
ff3f337ba133257bf7ef80c83af6a374

SHA1
6c1746e5455bba5c362db11bf5aef0adaaea6337

SHA256
de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

SHA512
f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053

Download Submit
memory/2156-4-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-9-0x000000001B800000-0x000000001B818000-memory.dmp

Filesize
96KB

Download
memory/2156-0-0x00007FFFE6FD3000-0x00007FFFE6FD5000-memory.dmp

Filesize
8KB

Download
memory/2156-6-0x000000001B7D0000-0x000000001B7DE000-memory.dmp

Filesize
56KB

Download
memory/2156-7-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-10-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-12-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/2156-3-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-13-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-17-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-2-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-26-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-27-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-33-0x00007FFFE6FD0000-0x00007FFFE7A91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-1-0x0000000000B10000-0x0000000000CD0000-memory.dmp

Filesize
1.8MB

Download