dcrat | de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

Analysis

max time kernel
121s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
Size

1.7MB
MD5

ff3f337ba133257bf7ef80c83af6a374
SHA1

6c1746e5455bba5c362db11bf5aef0adaaea6337
SHA256

de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde
SHA512

f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053
SSDEEP

24576:LKoAZDIza+c3NunPWpnVuO2PJftX9fRQY16zIWJC5JUqR8lLr0I4gyid81sRO/F:LKdluO2P3N5QkWtlLr0ICNyO

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2864	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
2204	System.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\WmiPrvSE.exe	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\24dbde2999530e	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2484	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2484	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1612	schtasks.exe
1992	schtasks.exe
2832	schtasks.exe
1448	schtasks.exe
2672	schtasks.exe
1200	schtasks.exe
2972	schtasks.exe
3052	schtasks.exe
2060	schtasks.exe
664	schtasks.exe
832	schtasks.exe
2688	schtasks.exe
2504	schtasks.exe
1676	schtasks.exe
2900	schtasks.exe
2704	schtasks.exe
2636	schtasks.exe
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe
2204	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
Token: SeDebugPrivilege	2204	System.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2936	2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe	49
PID 2404 wrote to memory of 2936	2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe	49
PID 2404 wrote to memory of 2936	2404	de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe	49
PID 2936 wrote to memory of 3044	2936	cmd.exe	51
PID 2936 wrote to memory of 3044	2936	cmd.exe	51
PID 2936 wrote to memory of 3044	2936	cmd.exe	51
PID 2936 wrote to memory of 2484	2936	cmd.exe	52
PID 2936 wrote to memory of 2484	2936	cmd.exe	52
PID 2936 wrote to memory of 2484	2936	cmd.exe	52
PID 2936 wrote to memory of 2204	2936	cmd.exe	54
PID 2936 wrote to memory of 2204	2936	cmd.exe	54
PID 2936 wrote to memory of 2204	2936	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe
"C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eq0uzXDTD2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3044
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2484
- - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe
    "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cded" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cded" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe

Filesize
1.7MB

MD5
ff3f337ba133257bf7ef80c83af6a374

SHA1
6c1746e5455bba5c362db11bf5aef0adaaea6337

SHA256
de22374f782e1898ae2c015f41159b7485122a65ef26b0850e3c0609d41f2cde

SHA512
f245180c0edbcd0836abc01e6660a95d698056109151e1451b8ce17c128aea1456c5cb3b23439645ef9dcc155a11801ee0d3ac6e334b66db191da98bb404a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\eq0uzXDTD2.bat

Filesize
187B

MD5
7c0f6f6f571feba187612036851b6be8

SHA1
6bb1c77cba7eec0251340f603cfa5293134cf49a

SHA256
338c820034529267a9d71e331b51a1ac6c885d0b7ed3aac7a2a20008a27faaaf

SHA512
fe3b94b9b18bd33e7422c4080b3a6f7c2de7590a9ec720b1db61c23c1452dfa379367d8231164e88ff545e75d94b068139648aee8926c4bc477ee437448c1ed0

Download Submit
memory/2204-34-0x0000000000CE0000-0x0000000000EA0000-memory.dmp

Filesize
1.8MB

Download
memory/2404-11-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2404-4-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-6-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2404-7-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-9-0x0000000000390000-0x00000000003A8000-memory.dmp

Filesize
96KB

Download
memory/2404-0-0x000007FEF6523000-0x000007FEF6524000-memory.dmp

Filesize
4KB

Download
memory/2404-12-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-3-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-24-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-25-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-2-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-31-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-1-0x00000000008A0000-0x0000000000A60000-memory.dmp

Filesize
1.8MB

Download