dcrat | 766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a

Analysis

max time kernel
139s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe
Size

987KB
MD5

8f81ac89b9f6dbccf07a86af59faa6ba
SHA1

0d97a27bacaae103f2f15637f623d3d13a568d91
SHA256

766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a
SHA512

452c04ec647dd84123ffb84f1ff37aef81057edf0c1a069113d0b1d89f2462c373301aa84355d0fafd8bb6c4b3d4b6bf580952f29189157edaea376711be16ea
SSDEEP

24576:2TbBv5rUyXVUxJMVI3SyKnUh9E1bm67+f:IBJcJMrEh9mbc

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 7 IoCs

rat

resource	yara_rule
behavioral1/files/0x000800000001878d-9.dat	family_dcrat_v2
behavioral1/memory/2592-13-0x0000000000220000-0x00000000002CE000-memory.dmp	family_dcrat_v2
behavioral1/memory/2936-35-0x0000000000B70000-0x0000000000C1E000-memory.dmp	family_dcrat_v2
behavioral1/memory/1596-44-0x0000000000C40000-0x0000000000CEE000-memory.dmp	family_dcrat_v2
behavioral1/memory/2380-53-0x0000000001190000-0x000000000123E000-memory.dmp	family_dcrat_v2
behavioral1/memory/1652-62-0x0000000001340000-0x00000000013EE000-memory.dmp	family_dcrat_v2
behavioral1/memory/108-71-0x00000000003C0000-0x000000000046E000-memory.dmp	family_dcrat_v2

Executes dropped EXE 6 IoCs

pid	Process
2592	hyperBlockCrtCommon.exe
2936	System.exe
1596	System.exe
2380	System.exe
1652	System.exe
108	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	cmd.exe
2752	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	hyperBlockCrtCommon.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64	hyperBlockCrtCommon.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\27d1bcfc3c54e0	hyperBlockCrtCommon.exe
File created	C:\Windows\Performance\WinSAT\DataStore\System.exe	hyperBlockCrtCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2960	PING.EXE
568	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2960	PING.EXE
568	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2592	hyperBlockCrtCommon.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe
2936	System.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	hyperBlockCrtCommon.exe
Token: SeDebugPrivilege	2936	System.exe
Token: SeDebugPrivilege	1596	System.exe
Token: SeDebugPrivilege	2380	System.exe
Token: SeDebugPrivilege	1652	System.exe
Token: SeDebugPrivilege	108	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2724	2068	766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe	30
PID 2068 wrote to memory of 2724	2068	766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe	30
PID 2068 wrote to memory of 2724	2068	766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe	30
PID 2068 wrote to memory of 2724	2068	766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe	30
PID 2724 wrote to memory of 2752	2724	WScript.exe	31
PID 2724 wrote to memory of 2752	2724	WScript.exe	31
PID 2724 wrote to memory of 2752	2724	WScript.exe	31
PID 2724 wrote to memory of 2752	2724	WScript.exe	31
PID 2752 wrote to memory of 2592	2752	cmd.exe	33
PID 2752 wrote to memory of 2592	2752	cmd.exe	33
PID 2752 wrote to memory of 2592	2752	cmd.exe	33
PID 2752 wrote to memory of 2592	2752	cmd.exe	33
PID 2592 wrote to memory of 1824	2592	hyperBlockCrtCommon.exe	34
PID 2592 wrote to memory of 1824	2592	hyperBlockCrtCommon.exe	34
PID 2592 wrote to memory of 1824	2592	hyperBlockCrtCommon.exe	34
PID 1824 wrote to memory of 1928	1824	cmd.exe	36
PID 1824 wrote to memory of 1928	1824	cmd.exe	36
PID 1824 wrote to memory of 1928	1824	cmd.exe	36
PID 1824 wrote to memory of 1112	1824	cmd.exe	37
PID 1824 wrote to memory of 1112	1824	cmd.exe	37
PID 1824 wrote to memory of 1112	1824	cmd.exe	37
PID 1824 wrote to memory of 2936	1824	cmd.exe	38
PID 1824 wrote to memory of 2936	1824	cmd.exe	38
PID 1824 wrote to memory of 2936	1824	cmd.exe	38
PID 2936 wrote to memory of 1324	2936	System.exe	39
PID 2936 wrote to memory of 1324	2936	System.exe	39
PID 2936 wrote to memory of 1324	2936	System.exe	39
PID 1324 wrote to memory of 2556	1324	cmd.exe	41
PID 1324 wrote to memory of 2556	1324	cmd.exe	41
PID 1324 wrote to memory of 2556	1324	cmd.exe	41
PID 1324 wrote to memory of 2812	1324	cmd.exe	42
PID 1324 wrote to memory of 2812	1324	cmd.exe	42
PID 1324 wrote to memory of 2812	1324	cmd.exe	42
PID 1324 wrote to memory of 1596	1324	cmd.exe	43
PID 1324 wrote to memory of 1596	1324	cmd.exe	43
PID 1324 wrote to memory of 1596	1324	cmd.exe	43
PID 1596 wrote to memory of 1892	1596	System.exe	44
PID 1596 wrote to memory of 1892	1596	System.exe	44
PID 1596 wrote to memory of 1892	1596	System.exe	44
PID 1892 wrote to memory of 2060	1892	cmd.exe	46
PID 1892 wrote to memory of 2060	1892	cmd.exe	46
PID 1892 wrote to memory of 2060	1892	cmd.exe	46
PID 1892 wrote to memory of 2308	1892	cmd.exe	47
PID 1892 wrote to memory of 2308	1892	cmd.exe	47
PID 1892 wrote to memory of 2308	1892	cmd.exe	47
PID 1892 wrote to memory of 2380	1892	cmd.exe	49
PID 1892 wrote to memory of 2380	1892	cmd.exe	49
PID 1892 wrote to memory of 2380	1892	cmd.exe	49
PID 2380 wrote to memory of 952	2380	System.exe	50
PID 2380 wrote to memory of 952	2380	System.exe	50
PID 2380 wrote to memory of 952	2380	System.exe	50
PID 952 wrote to memory of 992	952	cmd.exe	52
PID 952 wrote to memory of 992	952	cmd.exe	52
PID 952 wrote to memory of 992	952	cmd.exe	52
PID 952 wrote to memory of 2960	952	cmd.exe	53
PID 952 wrote to memory of 2960	952	cmd.exe	53
PID 952 wrote to memory of 2960	952	cmd.exe	53
PID 952 wrote to memory of 1652	952	cmd.exe	54
PID 952 wrote to memory of 1652	952	cmd.exe	54
PID 952 wrote to memory of 1652	952	cmd.exe	54
PID 1652 wrote to memory of 376	1652	System.exe	55
PID 1652 wrote to memory of 376	1652	System.exe	55
PID 1652 wrote to memory of 376	1652	System.exe	55
PID 376 wrote to memory of 1740	376	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe
"C:\Users\Admin\AppData\Local\Temp\766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Intorefnet\hyperBlockCrtCommon.exe
      "C:\Intorefnet/hyperBlockCrtCommon.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7e4ATyqxFQ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1928
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1112
      - C:\Windows\Performance\WinSAT\DataStore\System.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BSGjULhCAT.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2812
        
        C:\Windows\Performance\WinSAT\DataStore\System.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U6Y6MWxFQU.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2308
        
        C:\Windows\Performance\WinSAT\DataStore\System.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YvmOC36wL2.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
        
        C:\Windows\Performance\WinSAT\DataStore\System.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:568
        
        C:\Windows\Performance\WinSAT\DataStore\System.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat

Filesize
84B

MD5
7fef6d8e0a11e2dec6af7a0e3b952b06

SHA1
b95534abb31712b49087005da4cdd4c92fe35edd

SHA256
6bb327123f7ec740bb03b3405c5cd790199ba132091d1ceae4f098a29c0e9592

SHA512
2c19d8ac297e3e0d790f844aedac3be3934a274ba834b66f36994ccdfd8e8c49b836d7a0df1e28de999cec7e1b5984a90199f4e08bc30d8113c4852fb9a27703

Download Submit
C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe

Filesize
206B

MD5
926c428eaa357b6ff5474252ee2821fe

SHA1
623205127383f9cc804a3af035448cc396e704e3

SHA256
80675c3ae85f284b0e291b368560cc5727d416f1f52577e6505db41b0add9bc1

SHA512
cdb460848edbc5b8053b0b5211fce7d5f5eb92b347526b3e1d98becbfe1d4f8fb277ac3c58eab64b532f57c4c3b6f5642a9fad04c22f2910eecb0633079fb4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4ATyqxFQ.bat

Filesize
226B

MD5
3e552f624905eb6bc7d3f10881d7ef09

SHA1
a89d9dcb891423c59adc1976a3a296760776c508

SHA256
66dc6567f7a0af533dd4b3b165baa52a50e5bdd8f7bab156f1adfae77e6cc9c4

SHA512
2504842391bdc5e83ae129f348e337147cd724db5d9470400da1a7643f7213656a05cf091b2bbccac8d3841f4496fdddab0f3e75ad35725958a92055e1e6d7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSGjULhCAT.bat

Filesize
226B

MD5
f1bde62a5d086e405c9722cd98ad59e3

SHA1
60768899d6e6726fba99be05a9dee2d14e122f6c

SHA256
3687d4e85006fb44f125cb7c7dc798f7b89645decbc36112b1a43f0d9d937af8

SHA512
88838f5577ea6fa7f1e2d0d7fe37d9f720c36d8673ed71c7553891c2164cfb428107eb877285764e70e9d7a8e7b12bc200b15a625de744fb4ed8129994050d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\U6Y6MWxFQU.bat

Filesize
226B

MD5
369dbb4965434522872c84436d38ef36

SHA1
340f5ce6a6e5b85ee3226e76c13a604d1a062c2d

SHA256
cb6f3c2bf18119027d6bf7b3f5c0cdca4aa3be61e44953d931267e21f0d10e4e

SHA512
b6855d0a500b1a13a51c1acedae2ebd53d3e5db8ae8a660333a8cda881d0820cad396847816d9323eed2ea640f11d4cea57857be24b54fb4c30a5d8b50425557

Download Submit
C:\Users\Admin\AppData\Local\Temp\YvmOC36wL2.bat

Filesize
178B

MD5
e388876a63437065e8ee8fbaaa43af6d

SHA1
b6507dee246b22f59f80e84b746366490f57aa95

SHA256
0219dd47ff538d8bf32c4830873a8927f160549469216e00c77ca08a6b321331

SHA512
94238b7e7976b3229cd847ea06226df2cf1d81d646b0404006882221dc01b11fadef6795cfc77c189b567c99fc77cb84eb8e4fb62a4a0b1561c22fece7be8bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat

Filesize
178B

MD5
bb5ec535454cda3ea8485e18021a24ac

SHA1
35ee527c2651dfb9ce7a0805abe7eb99f11f01dd

SHA256
dd03517a74ea6798198b75bcba932443ee6e71ea910020b43bf60cde54ea17bf

SHA512
e9bf485b387f6218fae11b53cdef2b1b27a0a9d60f063d8f6e662b52cac66f139fe3514d52b1fd6c6762f071a0b8f3bd117b19c1ba042b66043a627b7e12c423

Download Submit
\Intorefnet\hyperBlockCrtCommon.exe

Filesize
673KB

MD5
88475ffcf70bafda27644064bd214f2a

SHA1
650deb8eee1f3614ff924c2ac5dad5a2f230dce1

SHA256
f2bd4f56c501098299b88cefecfd79e763d95d801016eaaf4e2707c5ffc7c767

SHA512
c3e7c4d38d43571fd81926aecf3f0bd75f728f1e7056af02955eed96bea67efd30f295089300df809841c0565a9ea4aa793e2f5c6b93e3eb86132cccc267376f

Download Submit
memory/108-71-0x00000000003C0000-0x000000000046E000-memory.dmp

Filesize
696KB

Download
memory/1596-44-0x0000000000C40000-0x0000000000CEE000-memory.dmp

Filesize
696KB

Download
memory/1652-62-0x0000000001340000-0x00000000013EE000-memory.dmp

Filesize
696KB

Download
memory/2380-53-0x0000000001190000-0x000000000123E000-memory.dmp

Filesize
696KB

Download
memory/2592-17-0x0000000000670000-0x0000000000688000-memory.dmp

Filesize
96KB

Download
memory/2592-15-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2592-13-0x0000000000220000-0x00000000002CE000-memory.dmp

Filesize
696KB

Download
memory/2936-35-0x0000000000B70000-0x0000000000C1E000-memory.dmp

Filesize
696KB

Download